[cas-user] CAS 4 LDAP search subtree scope

2015-02-26 Thread Christopher Myers
I was just curious if it was documented anywhere that to get CAS4 to do a 
subtree search, you have to add

p:subtreeSearch="true"

to your 



section in deployerConfigContext.xml?

I've spent the entire afternoon trying to figure out how to get this to work, 
because from what I can see, it's not really documented anywhere :/ And, the 
documentation on 
http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html doesn't 
help with that at all. And, the 3.x documentation and setup is totally 
different from the 4.0 too.

If it's not really documented anywhere, could we maybe add it to save someone 
else the same endless frustration that I've had getting it to work this 
afternoon?


-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user



Re: [cas-user] CAS 4 LDAP search subtree scope

2015-02-26 Thread Christopher Myers
Awesome, thanks much! :D






Re: [cas-user] CAS in Production - Licence needed ?

2015-02-27 Thread Christopher Myers
You don't need to purchase a license to use CAS in production :) Some 
applications that use CAS may require licensing, but CAS itself doesn't 
(they're licensed under the Apache license - https://www.apereo.org/licensing )

I do know for a fact that TouchNet (a major credit card processor for higher 
education) uses CAS for its services. (https://secure.touchnet.net/central/ )

You will want to note that all CAS installations don't necessarily have "/cas/" 
as a part of the URL; you can have the install be simply something like 
"https://login.org.org/"

Chris





Re: [cas-user] CAS Services Registry UI Not Writing to Database

2015-02-27 Thread Christopher Myers
Does this help at all?

https://github.com/Unicon/cas-mfa/issues/53



>>> Alex Olson  02/26/15 4:49 PM >>>
 We are running CAS 3.5.3, and use the JPAServiceRegistryDaoImpl to
persist registered services. There’s a problem though, in that our
Services Registry Management UI can read from the database but does not
write to it. Turning logging up to trace and looking at an attempted
save shows:
 2015-02-26 14:35:05,532 TRACE
[org.hibernate.action.internal.UnresolvedEntityInsertActions] - No 
entity insert actions have non-nullable, transient entity dependencies. 
 2015-02-26 14:35:05,532 TRACE
[org.hibernate.event.internal.AbstractSaveEventListener] - Persistent
instance  of: org.jasig.cas.services.RegisteredServiceImpl 
 2015-02-26 14:35:05,532 TRACE
[org.hibernate.event.internal.DefaultPersistEventListener] - Ignoring
persistent  instance
 
 
 What are some possible culprits? We have the registry configured like
so:
   
  
  
  
  
   
   
  
  
   
   org.hibernate.dialect.Oracle10gDialect
  update
  cas
   
  
   
  
 
   
  
   
  
 
   
 
 
 
 Thanks!
--
 Alex K. Olson
 
 
 


Re: [cas-user] Enable logging

2015-03-06 Thread Christopher Myers
Not for sure if this will have info about the JDBC connection stuff since we're 
not using it, but the log4j configuration file for the webapp is stored in 
cas-server-webapp/src/main/resources/log4j.xml .

If you're using the other applications, this is the location for the logger 
files (in v4 anyhow) - 

# find . -name "log4j.xml" | grep src
./cas-server-extension-clearpass/src/test/java/log4j.xml
./cas-server-webapp/src/main/resources/log4j.xml
./cas-server-webapp/src/test/resources/log4j.xml
./cas-server-webapp-support/src/test/resources/log4j.xml
./cas-management-webapp/src/main/resources/log4j.xml
./cas-management-webapp/src/test/resources/log4j.xml



>>> chandrashekar singh  03/06/15 8:14 AM >>>
Dear all,


We are testing CAS 4.0 with database authentication and we feel all of our 
configuration is correct however we keep getting invalid credentials. 



We would like to enable debugging to ensure that the jdbc connection is 
actually working. Please say how to enable this level of logging or debug 
statements.


 
Thanks, 

Chandrashekar Singh
University of Guyana





[cas-user] Some notes/doc updates on configuring attributes in CASv4

2015-03-06 Thread Christopher Myers
Hi everyone,

I'm not sure the proper avenue to vet out documentation changes, but I've got a 
few more from our upgrade to CAS v4 that I thought might help others out. I 
figured I'd start with the list, and then move on to somewhere else if that was 
the appropriate thing.

I think that a big part of the struggles that I had with going through the 
CASv4 documentation was that it seems to be written for folks who are familiar 
with CAS - people who know the proper locations of code in specific files, etc. 
To that end, a lot of the documentation pages include code snippets, but don't 
really explain what they're doing, or what file they belong in, so I ended up 
doing a fair bit of googling code bits from the snippets to find examples that 
other folks had created to see where I was supposed to stick the stuff :P

I should note in advance that I'm not trying to be "one of those people," 
hostile, critical, etc., and hope that I don't come off that way. I'm just 
hoping to save others some of the frustration I've had this week with trying to 
get things up and running on the new version (in a very tight deadline 
timeframe to boot), and help improve the documentation of an awesomely useful 
software product :)

I might have more changes to propose later, but these are the ones that float 
to the top of my coffee-filled brain this morning (in no particular order):

Ticket handling:
https://wiki.jasig.org/display/CAS/CAS+Functional+Tests

I don't know how many hours I spent trying to troubleshoot "INVALID TICKET" 
errors attempting to go through this wiki page, only to find out that the 
reason is because the defaults are for a ticket to be usable only one time, and 
to be valid only for 10 seconds. It would be nice if at the top of this page, 
there was information about this, as well as information about modifying 
cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/ticketExpirationPolicies.xml
 to change these defaults while you're troubleshooting things.

Attribute release in CASv4:
http://jasig.github.io/cas/4.0.x/integration/Attribute-Release.html
http://jasig.github.io/cas/4.0.x/protocol/CAS-Protocol.html

Again, tons of time wasted simply from not knowing that in CASv4, the attribute 
release is only through a modified serviceValidate url, requiring adding "/p3" 
into the URL, unless you're using SAML: 
https://www.mail-archive.com/cas-user@lists.jasig.org/msg18210.html In fact, 
it's not documented anywhere at all in the "4.0.x" wiki pages on the github 
site, only in three pages of the development version.
http://jasig.github.io/cas/development/protocol/CAS-Protocol.html (seems to 
indicate that it's available in both the CAS protocol v2 URL as well as the new 
v3 URL: 
"Among all features, the most noticeable update between versions 2.0 and 
3.0 is the ability to return the authentication/user attributes through 
the new /p3/serviceValidate response (in addition to the /serviceValidate 
endpoint, already existing for CAS 2.0 protocol)."
which contradicts what's in 
http://jasig.github.io/cas/development/integration/Delegate-Authentication.html 
"On CAS client side, to receive attributes, you need to use the SAML 
validation or the new CAS 3.0 validation (/p3/serviceValidate url)."
and in 
http://jasig.github.io/cas/development/protocol/CAS-Protocol-Specification.html:
"/p3/serviceValidate MUST perform the same validation tasks as /serviceValidate 
and
additionally return user attributes in the CAS response. See
Section 2.5 and Section 2.5.7 for details."
)


Retrieval of non-public attributes:
This one really threw me for a loop. I could watch in the DEBUG CAS logs that 
the attributes specified in the configuration were getting picked up via the 
LdapAuthenticationHandler when I logged in:

[org.ldaptive.auth.AuthenticationResponse@18963437::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, ldapEntry=[dn=cn=CMyers,ou=XXXX,o=[[uid[CMyers]], [mail[cmy...@xx.edu]], [sn[Myers]], [workforceID[###]], [givenName[Christopher]], [fullName[Christopher Myers]]], responseControls=null, messageId=-1], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]
[2015-03-04 15:06:30,628] DEBUG org.jasig.cas.authentication.LdapAuthenticationHandler Found principal attribute: [uid[CMyers]]
[2015-03-04 15:06:30,629] DEBUG org.jasig.cas.authentication.LdapAuthenticationHandler Found principal attribute: [mail[cmy...@xxxx.edu]]
[2015-03-04 15:06:30,629] DEBUG org.jasig.cas.authentication.LdapAuthenticationHandler Found principal attribute: [fullName[Christopher Myers]]
[2015-03-04 15:06:30,629] DEBUG org.jasig.cas.authentication.LdapAuthenticationHandler Found principal attribute: [workforceID[##]]
[2015-03-04 15:06:30,629] DEBUG org.jasig.cas.authentication.LdapAuthenticationHandler Found princ
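The message above turns on two client-side details: attributes in CAS 4.0 only come back from the /p3/serviceValidate endpoint, and a reused or expired ticket shows up as an INVALID_TICKET failure. As an added example (not code from the CAS project or from this thread), the Python below builds the validation URL for either endpoint and parses the XML reply, returning the attributes from a protocol-3 response, an empty set from a CAS 2.0 response, and an error carrying the failure code. The sample responses are constructed with placeholder values; the response namespace http://www.yale.edu/tp/cas and the endpoint paths are taken from the protocol pages the message links.

```python
"""Build a CAS ticket-validation URL and parse the server's XML reply.

Added example, not from the CAS project or the list thread.  The response
documents are constructed with placeholder values; the attribute names echo
the ones in the DEBUG log above.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "http://www.yale.edu/tp/cas"


def _cas(tag):
    """Clark-notation name for an element in the CAS namespace."""
    return f"{{{CAS_NS}}}{tag}"


def validation_url(cas_prefix, service, ticket, protocol=3):
    """URL a client calls to validate a service ticket.  In CAS 4.0 only the
    protocol-3 endpoint (/p3/serviceValidate) returns attributes; the CAS 2.0
    /serviceValidate endpoint answers with the bare user.  `service` must be
    exactly the URL that was sent to /login, so it is URL-encoded rather than
    pasted in (a ticket issued for another service is rejected by CAS)."""
    path = "p3/serviceValidate" if protocol == 3 else "serviceValidate"
    query = urlencode({"service": service, "ticket": ticket})
    return f"{cas_prefix.rstrip('/')}/{path}?{query}"


def parse_validation_response(xml_text):
    """Return (user, attributes) for a successful validation.

    Raises ValueError carrying the CAS failure code (INVALID_TICKET for the
    single-use / 10-second default expiry mentioned above, INVALID_SERVICE
    for a service mismatch, ...) or for a document that is not a CAS
    response, so a client never treats an unexpected reply as a login."""
    root = ET.fromstring(xml_text)
    if root.tag != _cas("serviceResponse"):
        raise ValueError("not a CAS serviceResponse document")
    failure = root.find(_cas("authenticationFailure"))
    if failure is not None:
        raise ValueError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find(_cas("authenticationSuccess"))
    if success is None:
        raise ValueError("response has neither success nor failure element")
    user = (success.findtext(_cas("user")) or "").strip()
    if not user:
        raise ValueError("authenticationSuccess without cas:user")
    attrs = {}
    attr_block = success.find(_cas("attributes"))
    if attr_block is not None:
        # A multi-valued attribute is repeated as several elements of the
        # same name, so every attribute is collected as a list.
        for child in attr_block:
            name = child.tag.split("}", 1)[-1]
            attrs.setdefault(name, []).append((child.text or "").strip())
    return user, attrs


# Constructed sample replies (placeholder user and values).
P3_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:uid>jdoe</cas:uid>
      <cas:mail>jdoe@example.edu</cas:mail>
      <cas:workforceID>000000</cas:workforceID>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>it-ops</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

V2_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

INVALID_TICKET = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket 'ST-1-example' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    print(validation_url("https://cas.example.edu/cas",
                         "https://app.example.edu/login", "ST-1-example"))
    print(parse_validation_response(P3_SUCCESS))
    print(parse_validation_response(V2_SUCCESS))
    try:
        parse_validation_response(INVALID_TICKET)
    except ValueError as err:
        print("rejected:", err)
```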

Re: [cas-user] CAS login history

2015-03-11 Thread Christopher Myers
Is there a specific way that you need to be able to reference it? Our CAS setup 
keeps information about it in Tomcat's catalina.out files, so we can pull it 
from there.

Chris

>>> "Maxwell, Gary"  03/11/15 9:35 AM >>>
Is there a feature with CAS that will keep a history of Logins and 
Logouts?
  
 Thanks Gary
 


Re: [cas-user] CAS login history

2015-03-12 Thread Christopher Myers
And since it's being caught through log4j, you could dump it into a
database natively too:

http://www.tutorialspoint.com/log4j/log4j_logging_database.htm



>>> Dmitriy Kopylenko  03/11/15 10:21 AM >>>
There is a way to configure Inspektr library in CAS to persist its
captured audit events in RDBMS:


https://wiki.jasig.org/display/CASUM/Auditing+and+Statistics+Via+Inspektr


Not sure if there is a newer version of the above documentation
resource, though.


Another way to capture and process significant CAS events is to use the
following facility (available as an addon module):


https://github.com/Unicon/cas-addons/wiki/CAS-server-events


This method might be attractive as it is de-coupled from most CAS
internals. Just need to wire it in and implement listeners receiving the
data of interest and do whatever is desired with that data.


Here's an example of such a listener facility which listens for a couple of
these events and records them as stats in a Redis server:


https://github.com/Unicon/cas-addons/wiki/Record-statistics-for-CAS-events-in-Redis-server


Best,
Dmitriy.

On Mar 11, 2015, at 10:56 AM, Maxwell, Gary 
wrote:

We were hoping to place the history in a db. The info would then be
accessed via web services.
 
From: Christopher Myers [mailto:cmy...@mail.millikin.edu] 
Sent: Wednesday, March 11, 2015 8:43 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS login history


 
Is there a specific way that you need to be able to reference it? Our
CAS setup keeps information about it in Tomcat's catalina.out files, so
we can pull it from there.

Chris

>>> "Maxwell, Gary"  03/11/15 9:35 AM >>>


Is there a feature with CAS that will keep a history of Logins and
Logouts?
 
Thanks Gary




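The replies above get the login history out of the audit records CAS writes through log4j into catalina.out and suggest moving it into a database. As an added example (not code from CAS, Inspektr or this thread), the Python below parses those records, builds the login/logout history, writes it to SQLite for a web service to query, and counts repeated authentication failures per client address. The record layout, the field names and the ACTION names are assumptions from memory of the Inspektr "Audit trail record" format, and the sample log is constructed.

```python
"""Login/logout history from the Inspektr audit-trail records that CAS writes
through log4j into catalina.out, stored in SQLite for a web service to query.

Added example, not code from CAS or the list thread.  Record layout, field
names and ACTION names are assumptions from memory of the Inspektr format;
check them against a real catalina.out before relying on them.
"""
import re
import sqlite3
from collections import Counter


def _audit_record(who, action, when, client_ip):
    """Constructed sample record in the assumed Inspektr log4j layout."""
    return (
        "2015-03-11 09:35:12,345 INFO [com.github.inspektr.audit.support."
        "Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN\n"
        "=============================================================\n"
        f"WHO: {who}\nWHAT: supplied credentials: [username: {who}]\n"
        f"ACTION: {action}\nAPPLICATION: CAS\nWHEN: {when}\n"
        f"CLIENT IP ADDRESS: {client_ip}\nSERVER IP ADDRESS: 198.51.100.5\n"
        "=============================================================\n\n>\n"
    )


# Constructed sample (RFC 5737 test addresses): one clean session, then three
# failed authentications in quick succession from a single client.
SAMPLE_EVENTS = [
    ("jdoe", "AUTHENTICATION_SUCCESS", "Wed Mar 11 09:35:12 EDT 2015", "192.0.2.10"),
    ("jdoe", "TICKET_GRANTING_TICKET_DESTROYED", "Wed Mar 11 10:02:40 EDT 2015", "192.0.2.10"),
    ("asmith", "AUTHENTICATION_FAILED", "Wed Mar 11 10:05:01 EDT 2015", "203.0.113.7"),
    ("asmith", "AUTHENTICATION_FAILED", "Wed Mar 11 10:05:03 EDT 2015", "203.0.113.7"),
    ("bjones", "AUTHENTICATION_FAILED", "Wed Mar 11 10:05:04 EDT 2015", "203.0.113.7"),
]
SAMPLE_LOG = "".join(_audit_record(*event) for event in SAMPLE_EVENTS)

# A record runs from "Audit trail record BEGIN" to the closing ">" line;
# inside it every field is one "KEY: value" line.
RECORD_RE = re.compile(r"Audit trail record BEGIN(.*?)^>\s*$", re.S | re.M)
FIELD_RE = re.compile(r"^([A-Z][A-Z ]*?): (.*)$", re.M)

# Audit actions that make up the login/logout history (assumed names).
LOGIN_ACTIONS = {"AUTHENTICATION_SUCCESS": "login",
                 "TICKET_GRANTING_TICKET_DESTROYED": "logout"}


def parse_audit_records(text):
    """Return one dict of fields per audit record found in the log text."""
    records = []
    for match in RECORD_RE.finditer(text):
        fields = {k.strip(): v.strip()
                  for k, v in FIELD_RE.findall(match.group(1))}
        if "ACTION" in fields and "WHO" in fields:
            records.append(fields)
    return records


def login_history(records):
    """(who, event, when, client_ip) tuples, in log order, for logins/logouts."""
    return [(r["WHO"], LOGIN_ACTIONS[r["ACTION"]], r["WHEN"],
             r.get("CLIENT IP ADDRESS", ""))
            for r in records if r["ACTION"] in LOGIN_ACTIONS]


def failed_auth_by_client(records, threshold=3):
    """Client addresses with at least `threshold` AUTHENTICATION_FAILED records,
    a cheap first signal of password guessing against the login form."""
    counts = Counter(r.get("CLIENT IP ADDRESS", "?") for r in records
                     if r["ACTION"] == "AUTHENTICATION_FAILED")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def build_history_db(records, path=":memory:"):
    """Write the login/logout history to a SQLite table and return the
    connection; a web service can query it instead of reading catalina.out."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS login_history ("
                 "who TEXT, event TEXT, logged_at TEXT, client_ip TEXT)")
    conn.executemany("INSERT INTO login_history VALUES (?, ?, ?, ?)",
                     login_history(records))
    conn.commit()
    return conn


def history_for_user(conn, who):
    """(event, logged_at, client_ip) rows for one principal, oldest first."""
    cur = conn.execute("SELECT event, logged_at, client_ip FROM login_history "
                       "WHERE who = ? ORDER BY rowid", (who,))
    return cur.fetchall()


if __name__ == "__main__":
    recs = parse_audit_records(SAMPLE_LOG)
    print(history_for_user(build_history_db(recs), "jdoe"))
    print("clients with repeated failures:", failed_auth_by_client(recs))
```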

RE: [cas-user] Recommendations for CAS/LDAP integration work

2015-03-17 Thread Christopher Myers
Same here. Have had a lot of bad experiences with consultants, but the Unicon 
folks have always been professional and knowledgeable whenever I've interacted 
with them (even when money wasn't involved :P)




>>> "Liedy, Jonathan"  03/17/15 9:55 AM >>>
I'm not someone that's a big fan of consultants in general, but I'll give a big 
third +1 for the folks at Unicon.

Jonathan Liedy
Middleware Administrator
The Florida State University
2035 East Paul Dirac Drive
Sliger, Suite 113
Tallahassee, FL 32310
jli...@fsu.edu
Voice: (850) 270-7368

-Original Message-
From: Paul B. Henson [mailto:hen...@cpp.edu] 
Sent: Monday, March 16, 2015 8:14 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Recommendations for CAS/LDAP integration work

On Mon, Mar 16, 2015 at 04:07:46PM -0700, Andrew Morgan wrote:

> We are big fans of Unicon (http://unicon.net).  They are very involved 
> in the open source community surrounding Identity Management.  You'll 
> find

I'd second that opinion; while we deployed CAS with in-house staff, our apps 
group had them out to help with a uportal deployment. We also use their 
hazelcast ticket registry backend and their shib-cas-authn2 plugin to delegate 
our shibboleth idp authentication to CAS. I've found every unicon staff member 
I've been in contact with to be skilled, professional, and amazingly helpful 
even for non-paid interactions, I can't imagine you could go wrong engaging 
them.

--
Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  hen...@cpp.edu
California State Polytechnic University  |  Pomona CA 91768







Re: [cas-user] Casifying Shib (idP)

2015-03-18 Thread Christopher Myers
I am not an expert in this, so I might not be able to be of much help. But 
conveniently, I did just complete this process last week and it seems to work 
fine. Here are the notes I took along the way, using CAS 4.0.1 and shib 2.4.4:





Configuring Tomcat:  
https://spaces.internet2.edu/display/SHIB2/IdPApacheTomcatPrepare


Download the IDP source zip file from:  
http://shibboleth.internet2.edu/downloads/shibboleth/idp/latest/

Extract it to /opt/shibboleth-src/






Download the tomcat6-dta-ssl-1.0.0.jar file from 
http://shibboleth.internet2.edu/downloads/maven2/edu/internet2/middleware/security/tomcat6/tomcat6-dta-ssl/1.0.0/tomcat6-dta-ssl-1.0.0.jar
 into the /usr/share/tomcat6/lib folder

Edit /usr/share/tomcat6/conf/server.xml, add the following connector:









Install the IDP:  https://spaces.internet2.edu/display/SHIB2/IdPInstall


Run ./install.sh from where you extracted the IDP source from above.

--This will install to /opt/shibboleth-idp by default

--Enter the FQDN of the server

--Enter the password you want to use for the keystore (make sure it's the same 
one as you used in the tomcat config file change above.)
--Restart tomcat after this is done, but before deploying the war file so that 
the new connector will come online

--Move the idp.war file from /opt/shibboleth-idp/war/ into 
/usr/share/tomcat6/webapps/


To verify that the IDP was installed correctly, browse to this page:  
http://servername.domain.edu/idp/profile/Status  - it should say "ok"
 




Connect Shibboleth to CAS:  
http://www.ja-sig.org/wiki/display/CASUM/Shibboleth-CAS+Integration


Download the latest cas-client-x.x.x.zip from 
http://www.ja-sig.org/downloads/cas-clients/

Copy cas-client-x.x.x/modules/cas-client-core-x.x.x.jar to 
/opt/shibboleth-src/lib/



Edit /opt/shibboleth-idp/conf/handler.xml, add:





  
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

  
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport



  serverName

  shib_server.domain.edu




Add the following to the "filter" section:






  CAS Authentication Filter

  
org.jasig.cas.client.authentication.AuthenticationFilter

  

casServerLoginUrl

https://cas_server.domain.edu/cas/login

  






  CAS Authentication Filter

  /Authn/RemoteUser






  CAS Validation Filter

  
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter

  

casServerUrlPrefix

https://cas_server.domain.edu/cas/

  

  

redirectAfterValidation

true

  






  CAS Validation Filter

  /Authn/RemoteUser






  CAS HttpServletRequest Wrapper Filter

  
org.jasig.cas.client.util.HttpServletRequestWrapperFilter






  CAS HttpServletRequest Wrapper Filter

  /Authn/RemoteUser


 





To re-deploy Shibboleth after making these changes:


run /opt/shibboleth-src/install.sh

  Hit  when prompted for the location for the IDP software install 
location (answer is for /opt/shibboleth-idp)

  Hit  when asked if you want to overwrite the Shibboleth config 
(answer is for "no")

Move the idp.war file from /opt/shibboleth-idp/war/ to 
/usr/share/tomcat6/webapps/
 




When you're testing with 
testshib.org, if you get random errors trying to deploy the war after 
changing the relying-party.xml file while following the instructions at 
https://www.testshib.org/testshib-two/configure.jsp - make sure the file used 
in "something like testshib.xml" is owned by tomcat:tomcat


ALSO COMMENT:  Make sure to copy relying-party.xml.prod back to 
relying-party.xml when done testing!!
 






If you're pointing to a CAS with a self-signed cert, you can run this:


/usr/lib/jvm/java-1_6_0-ibm-1.6.0/jre/bin/keytool -import -alias myalias \
  -keystore /usr/java/latest/jre/lib/security/cacerts \
  -file /home/installers/my_root.cer


(where my_root.cer is a b64 version of the self-signed root CA cert)


if you get errors like:


SEVERE: Servlet.service() for servlet RemoteUserAuthHandler threw exception
Throwable occurred: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by OU=Organizational CA, O=MY_ROOT is not trusted ...
 







If you get errors like:


Unable to establish security of incoming assertion.


Look at your /opt/shibboleth-idp/conf/relying-party.xml file and make
sure your AnonymousRelyingParty and DefaultRelyingParty providers match
the actual hostname, etc.


http://groups.google.com/group/shibboleth-users/browse_thread/thread/e3665fb0f9b23265?pli=1
 






Re: [cas-user] restrict to service

2015-03-26 Thread Christopher Myers
Are you basically saying that right now your CAS server is "open" and you're 
wanting to lock it down to a specific list? If so, I just went through the 
process on our CAS 4.0.1 server a few weeks ago, so it's still pretty fresh in 
my mind (and notes ;) )



>>> Frank Van Damme  03/26/15 10:30 AM >>>
Hi list, 


we are running CAS 3.5.2 here, and the list of services that require 
authentication on it is growing. Before we lose track and/or control of it, I 
would like to know how to restrict authentication to a limited number of 
services; for example by only issuing an HTTP redirect to a limited list of 
URLs. I am also worried that a third party will try to authenticate on my CAS 
server(s) in an attempt to guess the identity of a user who might at that time 
be logged in to CAS. 


Where do I start reading? :-)

-- 
Frank Van Damme  
Make everything as simple as possible, but not simpler. - Albert Einstein
 





Re: [cas-user] Which version sould I upgrate to 3.5.3 or 4.01

2015-04-22 Thread Christopher Myers
We went straight to 4.0.1 too. It was a bit of a pain with regard to
getting attributes to work for the services, but I got it all figured
out (and submitted some documentation update requests based on what I
learned.) If you're doing straight CAS without worrying about passing
attributes along, that upgrade took all of 15 minutes. We did the
upgrade from 3.5.1.

Chris




>>> MrCrowley  04/22/15 8:13 AM >>>
I'm giving 4.0.1 a try, I've decided to do this double jump without a
net. Seems to go fine
  



 On Wednesday, 4 March 2015 15:40, Milt Epstein
 wrote:
  
  

 What is the expected release date of 4.1?  Thanks.

Milt Epstein
Programmer in Computational Genomics
Institute for Genomic Biology (IGB)
University of Illinois at Urbana-Champaign (UIUC)
mepst...@illinois.edu


On Wed, 4 Mar 2015, Marvin Addison wrote:

>   Same as the subject: I'm coming from 3.4.3 and looking for advice on
>   whether it is better to go straight to 4.0.1 or maybe stop at 3.5.3
> 
> 
> There will be more configuration work to upgrade from 3.x to 4.x, but it's
> work you'll have to do eventually since the 3.5.x branch is in
> maintenance-only mode. My recommendation is try to upgrade to 4.x as soon as
> possible.
> 
> M
> 




  
 
  




Re: [cas-user] Intermittent LDAP Connection Reset

2015-04-22 Thread Christopher Myers
Out of curiosity, have you tried to wireshark the ldap connection to see what 
the servers are saying?

Or, if you're lucky enough to be pointing against eDirectory, an ndstrace on 
the ldap server will provide a lot of details about what it's doing and seeing 
as well.



>>> Tadeusz Sacilowski  04/21/15 9:52 PM >>>
Hello,

We are in the process of updating our CAS to version 3.5.3 using an LDAP (not 
LDAPS at the moment) for attributes. The current setup is two CAS nodes behind 
an f5 LTM for load balancing, using the Ehcache distributed ticket registry. 
All seems to be working ok for the most part except that we get the following 
intermittent login error:

:org.springframework.ldap.CommunicationException: Connection reset; nested 
exception is javax.naming.CommunicationException: Connection reset [Root 
exception is java.net.SocketException: Connection reset]; remaining name 
'ou=People,o=cp'

Here are the first several lines from the trace in the CAS log:

ERROR [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler threw error authenticating [username: teststudent]
org.springframework.ldap.CommunicationException: Connection reset; nested exception is javax.naming.CommunicationException: Connection reset [Root exception is java.net.SocketException: Connection reset]; remaining name 'ou=People,o=cp'
    at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:100)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:318)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:360)
    at org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler.authenticateUsernamePasswordInternal(BindLdapAuthenticationHandler.java:90)
    at org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler.doAuthentication(AbstractUsernamePasswordAuthenticationHandler.java:71)
    at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody2(AbstractPreAndPostProcessingAuthenticationHandler.java:85)

I've seen some related posts here but haven't found any documented resolutions. 
Any suggestions on how to troubleshoot this?

Thank you,
Teddy





Re: [cas-user] Fetching LDAP attributes with user credentials

2015-04-23 Thread Christopher Myers
You may want to check out this project:

https://github.com/robertoschwald/jasig-cas-examples-robertoschwald

Basically, when CAS validates a user's login attempt, it tends to pull
attributes at that time if so configured. Then, for whatever reason, it
does a subsequent request to pull all of the attributes to be used for
the services. This project maps the second to the first, so the
attributes are stored internally and reused for the services, thus
saving the second login. In your case though, it would serve as a way to
use the users' credentials to pull their own attributes.



If you have the alternative of being able to provide a "master" user to
pull the attributes for users, you can refer to my notes when I ran into
a similar situation:

Found this:
http://jasig.275507.n4.nabble.com/ldaptive-integration-td4660076.html


Which points to this:
http://jasig.github.io/cas/development/installation/LDAP-Authentication.html#active-directory-authentication


Had to add this to the deployerConfigContext.xml file:







  

  








and modify the searchConnectionPool bean to reference the
searchConnectionFactory:









then add the ldap.managerDn and ldap.managerPassword attrs to the
cas.properties file.


After doing so, the attrs are returned correctly 
 

For full details of what I ran into, you can search the archives for my
message titled "Some notes/doc updates on configuring attributes in
CASv4" from March 6, 2015.

Hope that helps!
Chris







>>> "Borys Pogoreło" 04/23/15 7:58 AM >>>
Hi,

As this is my first post here: welcome everyone!

I have a problem with CAS 3.5.3. We are authenticating against two LDAP
servers, our own and an external one. The second one has a very strict access
policy and we can't change its configuration. A user can access only his own
attributes, nothing else, not even the tree he is in.

We are able to successfully authenticate using
FastBindLdapAuthenticationHandler, but it doesn't return attributes (I
believe it binds anonymously to fetch attributes, which is not allowed by
this server). All I see with DEBUG enabled is [{}] as attributes returned.

I was unable to configure BindLdapAuthenticationHandler with this
server.

Let's say we are authenticating as user "123" on "server", who has DN:
uid=123, ou=People, cn=test (Base DN: ou=People, cn=test)

The only proper way to fetch user's record on this server would be:

ldapsearch -L -W -x -H ldaps://server \
  -b "ou=People, cn=test" \
  -D "uid=123, ou=People, cn=test" \
  "uid=123"

Our configuration (shortened and without first source):



ldap://server"; />








p:filter="uid=%u, ou=People, cn=test"
p:contextSource-ref="secondLDAPSource" />



























I tried using authenticationSource on LdapContextSource, but all I got
was a lot of Java exceptions related to Spring.

How can I access a user's attributes using that person's credentials?

-- 
Borys Pogoreło








Re: [cas-user] CASifying web applications

2015-04-23 Thread Christopher Myers
For the Java CAS stuff, you may want to check out the "sample" webapp provided 
here: 
https://wiki.jasig.org/display/CASC/JA-SIG+Java+Client+Simple+WebApp+Sample - 
it gives you a really good, simple overview of how stuff is set up.

I can't speak to the other CAS clients at the moment however.

Chris

>>> "Waldbieser, Carl"  04/23/15 8:20 AM >>>
Paul,

We are using mod_auth_cas in front of a couple web apps, and it works pretty 
much as you would expect.  Since it is a fairly decoupled integration with your 
web app, the "log out" links in your web app will tend not to work the way one 
might expect.  However, once you get mod_auth_cas built, configuring it and 
deploying it to production is rather straightforward.  We have only used it 
with Apache v2.2.

I have integrated some apps with phpCAS, and it is also pretty simple to 
configure.  I find if you crank up debugging in that library you get a good 
amount of detail that can really help with some of the more subtle problems 
(like if the CA of the SSL cert is not recognized by the back channel call).

We have also integrated some of our Java based apps with the Java client.  Like 
other integrated solutions, the setup is more complex, but the user experience 
typically feels more smooth and less "bolted on", especially if you want your 
log out controls to log you out of your SSO session.

I can't speak to the perl modules you mention, but a lack of activity is not 
necessarily a bad thing.  CAS is a relatively simple and straightforward 
protocol.  The code for a CAS client should tend to stabilize pretty quickly.

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College


- Original Message -
From: "Paul B. Henson" 
To: cas-user@lists.jasig.org
Sent: Wednesday, April 22, 2015 10:54:27 PM
Subject: [cas-user] CASifying web applications

We're at a point in our CAS deployment where we'd like to start
converting some of our existing applications to use it, and I'd
appreciate some feedback on the best path to do so.

It seems there are two types of webapps under consideration, those that
do no authentication at all on their own and rely entirely on web
service based authentication, and those that have no web server
authentication and implement auth entirely on their own.

For web server auth, it looks like the only real solution is
mod_auth_cas (https://wiki.jasig.org/display/CASC/mod_auth_cas) for
Apache? Anyone currently using this that might be able to comment on how
well it works, how reliable it is, etc? It looks like it doesn't support
proxy authentication, but we only have one app that needs that. Does
anyone know if this module works as-is under Apache 2.4? According to
the docs, some 2.2 modules work fine under 2.4, while others require
updates for certain changed APIs.

If the app is mod_perl based, or mod_perl can be added just for
authentication, it looks like there are two options:

http://search.cpan.org/~dcastro/Apache-AuthCAS/lib/Apache/AuthCAS.pm
http://search.cpan.org/~jhitt/Apache2-AuthCAS-0.4/lib/Apache2/AuthCAS.pm

Any opinion/consensus on which of these is better, and how they compare
to mod_auth_cas? It looks like both of these support proxy auth, which
makes them presumably beat out mod_auth_cas for that use case.

For applications which do their own authentication, it looks like phpCAS
(https://wiki.jasig.org/display/CASC/phpCAS) is the officially supported
solution for php based apps?

For perl based applications, I see there's only an unofficial client
available (https://github.com/Unicon/cas-perl-client). The last update
is over 3 years ago, and the documentation is a bit lacking. There are
no better solutions for CAS via perl?

We have one app that will need to do proxy auth, it's part of our idm
infrastructure. The client facing front end is on a windows box,
currently doing forms based auth and proxying the plaintext credentials
to a mod_perl based web service via apache ldap authentication. To
CASify this, our webapps group will presumably use the .net CAS client
to authenticate the browser and then use CAS proxy auth to authenticate
the end user to the web service. We are flexible on this as to whether
the auth is done by the web server or integrated into the app itself. As
mod_auth_cas doesn't do proxy auth, that is ruled out. Any thoughts on
whether it would be cleaner to use one of the mod_perl based solutions
to do the proxy auth at the web server level vs a perl CAS client in the
application?

Thanks much...


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  hen...@cpp.edu
California State Polytechnic University  |  Pomona CA 91768


Re: [cas-user] Fetching LDAP attributes with user credentials

2015-04-23 Thread Christopher Myers
If I had to guess, I would assume that it's because the initial
connection retrieves the attributes that can be potentially passed back
as 
the user ID value for the services? So for us this chunk of code looks
like:



  










  





And then there's a second chunk of code that's dedicated for the
attributes, which looks like this for us:


  











  



So ultimately we're pulling back the attributes in both places. I would *assume* that this is to separate the "login" from the "attribute" processes in case you want to pull your login from one source and your attrs from a second one, but ultimately it results in two separate LDAP calls for folks who use a single source, which, IMO, should be able to be combined. But I guess if you were using database for auth and ldap for attrs, then this would be necessary to have separated out.




This is what I observed from cranking up the logging levels on the
server -

I could watch in the DEBUG CAS logs that the attributes specified in the
configuration were getting picked up via the LdapAuthenticationHandler
when I logged in:

[org.ldaptive.auth.AuthenticationResponse@18963437::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS,
ldapEntry=[dn=cn=CMyers,ou=,o=[[uid[CMyers]],
[mail[cmy...@xx.edu]], [sn[Myers]], [workforceID[###]],
[givenName[Christopher]], [fullName[Christopher Myers]]],
responseControls=null, messageId=-1], accountState=null, result=true,
resultCode=SUCCESS, message=null, controls=null]
[2015-03-04 15:06:30,628] DEBUG
org.jasig.cas.authentication.LdapAuthenticationHandler Found principal
attribute: [uid[CMyers]]
[2015-03-04 15:06:30,629] DEBUG
org.jasig.cas.authentication.LdapAuthenticationHandler Found principal
attribute: [mail[cmy...@.edu]]
[2015-03-04 15:06:30,629] DEBUG
org.jasig.cas.authentication.LdapAuthenticationHandler Found principal
attribute: [fullName[Christopher Myers]]
[2015-03-04 15:06:30,629] DEBUG
org.jasig.cas.authentication.LdapAuthenticationHandler Found principal
attribute: [workforceID[##]]
[2015-03-04 15:06:30,629] DEBUG
org.jasig.cas.authentication.LdapAuthenticationHandler Found principal
attribute: [givenName[Christopher]]
[2015-03-04 15:06:30,629] DEBUG
org.jasig.cas.authentication.LdapAuthenticationHandler Found principal
attribute: [sn[Myers]]

but weren't stored or used anywhere. Then there is a second anonymous call to search for the same attrs. Since this second call was anonymous, it wasn't picking up the non-public attributes that were picked up by the authenticated login:

[2015-03-04 15:06:30,630] DEBUG
org.jasig.cas.persondir.LdapPersonAttributeDao Created seed
map='{username=[cmyers]}' for uid='cmyers'
[2015-03-04 15:06:30,630] DEBUG
org.jasig.cas.persondir.LdapPersonAttributeDao Adding attribute
'username' with value '[cmyers]' to query builder 'null'
[2015-03-04 15:06:30,631] DEBUG
org.jasig.cas.persondir.LdapPersonAttributeDao Constructed LDAP search
query [cn=cmyers]
[2015-03-04 15:06:30,631] DEBUG
org.jasig.cas.persondir.LdapPersonAttributeDao Generated query builder
'[org.ldaptive.SearchFilter@-92255980::filter=cn={0},
parameters={0=cmyers}]' from query Map {username=[cmyers]}.
[2015-03-04 15:06:30,637] DEBUG
org.jasig.cas.persondir.LdapPersonAttributeDao Converted ldap DN entry
[cn=CMyers,ou=XXX,o=XXX] to attribute map {uid=[CMyers],
mail=[cmy...@xxx.edu], sn=[Myers], givenName=[Christopher]}




Chris
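As an added example (not from the original post), a small Python script that reads the two sets of DEBUG lines quoted above and lists the attributes that the authenticated LdapAuthenticationHandler bind returned but the anonymous LdapPersonAttributeDao search did not, which is exactly the set a service will never see. The sample log lines are constructed to mirror the ones above; names and values are placeholders.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample of the DEBUG lines quoted in the post (identities and
# values are placeholders, not real directory data).
SAMPLE_LOG = """\
[2015-03-04 15:06:30,628] DEBUG org.jasig.cas.authentication.LdapAuthenticationHandler Found principal attribute: [uid[CMyers]]
[2015-03-04 15:06:30,629] DEBUG org.jasig.cas.authentication.LdapAuthenticationHandler Found principal attribute: [mail[cmyers@example.edu]]
[2015-03-04 15:06:30,629] DEBUG org.jasig.cas.authentication.LdapAuthenticationHandler Found principal attribute: [fullName[Christopher Myers]]
[2015-03-04 15:06:30,629] DEBUG org.jasig.cas.authentication.LdapAuthenticationHandler Found principal attribute: [workforceID[000000]]
[2015-03-04 15:06:30,629] DEBUG org.jasig.cas.authentication.LdapAuthenticationHandler Found principal attribute: [givenName[Christopher]]
[2015-03-04 15:06:30,629] DEBUG org.jasig.cas.authentication.LdapAuthenticationHandler Found principal attribute: [sn[Myers]]
[2015-03-04 15:06:30,631] DEBUG org.jasig.cas.persondir.LdapPersonAttributeDao Constructed LDAP search query [cn=cmyers]
[2015-03-04 15:06:30,637] DEBUG org.jasig.cas.persondir.LdapPersonAttributeDao Converted ldap DN entry [cn=CMyers,ou=XXX,o=XXX] to attribute map {uid=[CMyers], mail=[cmyers@example.edu], sn=[Myers], givenName=[Christopher]}
"""

# "Found principal attribute: [name[value]]" logged by the authenticated bind.
HANDLER_RE = re.compile(
    r"LdapAuthenticationHandler Found principal attribute: \[(\w+)\[(.*)\]\]\s*$")
# "... to attribute map {name=[value], ...}" logged by the person-directory lookup.
PERSONDIR_RE = re.compile(
    r"LdapPersonAttributeDao Converted ldap DN entry \[.*?\] to attribute map \{(.*)\}\s*$")
MAP_ENTRY_RE = re.compile(r"(\w+)=\[(.*?)\]")


def handler_attributes(lines: Iterable[str]) -> Dict[str, str]:
    """Attributes the LdapAuthenticationHandler saw on the user's own bind."""
    found: Dict[str, str] = {}
    for line in lines:
        m = HANDLER_RE.search(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def persondir_attributes(lines: Iterable[str]) -> Dict[str, str]:
    """Attributes the second, anonymous LdapPersonAttributeDao search returned."""
    found: Dict[str, str] = {}
    for line in lines:
        m = PERSONDIR_RE.search(line)
        if m:
            for name, value in MAP_ENTRY_RE.findall(m.group(1)):
                found[name] = value
    return found


def dropped_attributes(lines: Iterable[str]) -> List[str]:
    """Attribute names present on the authenticated bind but absent from the
    anonymous search. Per the post, the handler's attributes are not kept, so
    anything the anonymous search cannot read is silently lost to services."""
    lines = list(lines)  # the iterable is consumed twice
    return sorted(set(handler_attributes(lines)) - set(persondir_attributes(lines)))


if __name__ == "__main__":
    for name in dropped_attributes(SAMPLE_LOG.splitlines()):
        print(f"{name!r}: returned to the user's bind, not to the anonymous search")
```

Run it against a real cas.log at DEBUG level to see which attributes need a bound (non-anonymous) search connection before they will ever reach a service.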





>>> "Borys Pogoreło" 04/23/15 8:44 AM >>>
Hi,

> You may want to check out this project:
> https://github.com/robertoschwald/jasig-cas-examples-robertoschwald

Thanks, looks interesting and probably will help. I'll give it a try.

Why is CAS pulling attributes twice? This doesn't make sense.

> If you have the alternative of being able to provide a "master" user to
> pull the attributes for users, you can refer to my notes when I ran into
> a similar situation:

We're trying to get a separate account on this second LDAP which will be
able to use search at least. With this "master" user we may not have to
modify too much.

cheers,
Borys




Re: [cas-user] Fetching LDAP attributes with user credentials

2015-04-23 Thread Christopher Myers
Definitely agree. It would be awesome if that project I mentioned
earlier could be included with the baseline code too, so that folks
could more easily specify that exact option. Otherwise, integrating it
is rather time-consuming to make all the changes necessary...



>>> "Borys Pogoreło" 04/23/15 9:06 AM >>>


> But I guess if you were using database for auth and ldap for
> attrs, then this would be necessary to have separated out.

I think you're right. But I believe that the most common scenario is
using one source for both authentication and attributes. Separation should be
an option, not the default...

-- 
Borys




Re: [cas-user] Fetching LDAP attributes with user credentials

2015-04-23 Thread Christopher Myers
If that works, that would be awesome! I fought with trying to make that
type of thing work for about two days, but all the Google hits I came
across said that it wasn't possible without using something like that
third-party add-on I'd found.

I didn't try what you suggested though, so if Borys would want to try it
out and let us all know, that could save folks a ton of time in the
future too, especially if we could get the change documented on the
github pages :D





>>> Milt Epstein  04/23/15 9:32 AM >>>
I didn't follow all of this thread, but if I understand you correctly,
it is possible to do the authentication and pull out the attributes in
one call to ldap.  I'm doing this with CAS version 4.0.x.

The key is to configure the principalAttributeMap property in the
ldapAuthenticationHandler bean, as I believe Chris Myers showed -- but
then not use attributeRepository (which may come pre-configured in the
default deployerConfigContext.xml).  I do the latter by changing the
following line, in the authenticationManager bean, from:



to:



Milt Epstein
Programmer in Computational Genomics
Institute for Genomic Biology (IGB)
University of Illinois at Urbana-Champaign (UIUC)
mepst...@illinois.edu




RE: [cas-user] Fetching LDAP attributes with user credentials

2015-04-23 Thread Christopher Myers
>>> Misagh Moayyed  04/23/15 10:52 AM >>>
>> See 
>> http://jasig.github.io/cas/development/installation/Configuring-Principal-Resolution.html#principalresolver-vs-authenticationhandler
>>  




I guess that's part of my frustration with the new documentation pages -
 this is under the development version, but not listed under the 4.0.x 
version. When I went to set up our new CAS4 server, I totally dismissed 
the "development" documentation, because on every page it says 
explicitly that "The functionality presented here is not released yet." 
So to me, that means that I need to disregard those pages because I'm 
using a release version rather than a development version.

When you look at the CAS 4.0.x documentation, it doesn't make any reference to 
this option, and the examples have you set up a separate authentication handler 
and principal resolver.

http://jasig.github.io/cas/4.0.x/integration/Attribute-Release.html
vs
http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html

So if it works with 4.0.x that's awesome, I just wish the documentation would 
say so.





RE: [cas-user] Fetching LDAP attributes with user credentials

2015-04-23 Thread Christopher Myers
>>> Misagh Moayyed  04/23/15 11:57 AM >>>
Here you go:
http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#principalresolver-vs-authenticationhandler
 
 


Awesome, thanks!

Out of random curiosity, is the general policy that the development 
documentation isn't functional for the release version, or does it tend to 
work? Or a mixed bag where it sometimes works but sometimes doesn't? I was just 
curious for other folks who approach things from the same way as I do, where 
that big disclaimer at the top of the development pages is pretty "ooh, stay 
away from this"-looking.


Chris





RE: [cas-user] Fetching LDAP attributes with user credentials

2015-04-23 Thread Christopher Myers
Ok cool, good to know, thank you :) I'll keep that in mind for future
upgrades :o)



>>> Misagh Moayyed  04/23/15 12:30 PM >>>
It is a mixed bag. It is definitely supposed to work against the latest
code and SNAPSHOT releases, but it may not work against the actual
release. It depends on what you’re after. 
 
Generally, our release policy is that for a minor release such as 4.1,
etc you may experience some differences and pain in upgrades coming from
4.0.x, though we try to keep backwards compatibility as much as we can.
 


RE: [cas-user] CAS 4.0 LDAP attributes to registered services

2015-04-30 Thread Christopher Myers
Also, make sure the CAS URL you're referencing has ".../p3/..." in it, such as:

https://portal.millikin.edu/cas/p3/serviceValidate?ticket=ST-3-KVPbJUgg6hpI32knvrJq-CAS_HOST_1&service=https%3A%2F%2Fportal.millikin.edu%2Fmuportal%2Fsecure%2F

Otherwise, everything can be configured correctly, but no attributes will be 
released.
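As an added example (not from the original post), a Python checker for the situation above: it parses a CAS serviceValidate response and, given the validation URL the client actually used, tells whether an empty attribute set is explained by validating against /serviceValidate rather than /p3/serviceValidate, or by the service's release policy. The responses are constructed; the host, ticket and attribute values are placeholders.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlparse

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed responses (placeholder user and values). /cas/serviceValidate
# (protocol 2.0) carries the user only; /cas/p3/serviceValidate (protocol 3.0)
# also carries the attributes the registered service is allowed to receive.
P2_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>cmyers</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

P3_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>cmyers</cas:user>
    <cas:attributes>
      <cas:mail>cmyers@example.edu</cas:mail>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>it</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-PLACEHOLDER not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


class CasValidationError(Exception):
    """The server answered with <cas:authenticationFailure> (or no success element)."""


def parse_validation(xml_text: str) -> Dict[str, object]:
    """Return {"user": str, "attributes": {name: [values]}} from a validation response."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise CasValidationError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise CasValidationError("neither authenticationSuccess nor authenticationFailure present")
    user = (success.findtext("cas:user", default="", namespaces=CAS_NS) or "").strip()
    attributes: Dict[str, List[str]] = {}
    attrs = success.find("cas:attributes", CAS_NS)
    if attrs is not None:
        for child in attrs:
            name = child.tag.split("}", 1)[-1]  # drop ElementTree's {namespace} prefix
            # multi-valued attributes repeat the element, so collect a list per name
            attributes.setdefault(name, []).append((child.text or "").strip())
    return {"user": user, "attributes": attributes}


def uses_protocol3(validate_url: str) -> bool:
    """True if the client validated against a /p3/ endpoint, the only ones that carry attributes."""
    path = urlparse(validate_url).path
    return path.endswith("/p3/serviceValidate") or path.endswith("/p3/proxyValidate")


def diagnose_empty_attributes(validate_url: str, xml_text: str) -> str:
    """Classify 'getUser() works but getAttributes() is empty' into an actionable code."""
    parsed = parse_validation(xml_text)
    if parsed["attributes"]:
        return "OK"
    if not uses_protocol3(validate_url):
        return "PROTOCOL2_ENDPOINT"      # point the client at the /p3/ endpoint
    return "NO_ATTRIBUTES_RELEASED"      # p3 reached: check the service's attribute release policy


if __name__ == "__main__":
    url = "https://cas.example.edu/cas/serviceValidate?ticket=ST-PLACEHOLDER&service=https%3A%2F%2Fapp.example.edu%2F"
    print(diagnose_empty_attributes(url, P2_RESPONSE))  # PROTOCOL2_ENDPOINT
```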




>>> Misagh Moayyed  04/30/15 4:39 AM >>>
Possibly because you are not allowing any attributes to be released:
http://jasig.github.io/cas/4.0.x/integration/Attribute-Release.html#configuration

Also, do please review this section as well:
http://jasig.github.io/cas/4.0.x/integration/Attribute-Release.html#attribute-filters

Your filter says: filter the collection of attributes received to only
include those that have the word "mail" in them. But it received none,
because nothing is allowed.

-Original Message-
From: Simon [mailto:c...@klappezu.com] 
Sent: Thursday, April 30, 2015 1:19 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS 4.0 LDAP attributes to registered services

Hello,

I'm using CAS 4.0 on Tomcat 8.0 with Oracle Java JVM 1.8.0

The authentication against an LDAP directory which is managed by a
Microsoft Active Directory Server 2008 R2 works as expected.

But the LDAP attributes are not passed to the service.
The class PolicyBasedAuthenticationManager debugs the correct attribute
map with all correct values at the moment of the authentication on the CAS
server.
But these attributes are not passed to the registered services.
The class RegisteredServiceRegexAttributeFilter debugs that it received 0
attributes.
And also my phpCAS 1.3.3 gives me an empty array for
phpCAS::getAttributes() - but the correct username with phpCAS::getUser().

Has anyone an idea where my mistake is?
Thank you very much for your help!


My deployerConfigContext.xml is:






















... see complete config at
http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active-directory-authentication


  

  







  

  



My debug log is:

INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -

DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
 INFO
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
 DEBUG
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -

INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] -  Audit trail record ... Slf4jLoggingAuditTrailManager ...
CookieRetrievingCookieGenerator ... DefaultTicketRegistry ...
DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - http://192.168.0.1/castest/> DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - 
DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] -  DEBUG
[org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter] -
 DEBUG
[org.jasig.cas.CentralAuthenticationServiceImpl] -  DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] -
 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] -

INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
 DEBUG
[org.jasig.cas.web.ServiceValidateController] - http://192.168.0.1/castest/]>


RE:[cas-user] CAS 4.0 LDAP attributes to registered services

2015-04-30 Thread Christopher Myers
Out of curiosity...

Is your "mail" attribute publicly queryable? If not, you may need to add some 
authentication to the attribute release section of code as well.


I ran into that as well; ended up adding this code to my 
deployerConfigContext.xml file:


   




  

  





and then modified my searchConnectionPool bean to reference the 
searchConnectionFactory:




and then added the ldap.managerDN and ldap.managerPassword attributes to my 
cas.properties file.

After doing so, I was able to get the attributes on the second query.


URLs I referenced: 
http://jasig.275507.n4.nabble.com/ldaptive-integration-td4660076.html , which 
led me to 
http://jasig.github.io/cas/development/installation/LDAP-Authentication.html#active-directory-authentication
 

Chris




>>> Simon  04/30/15 9:17 AM >>>
Hello Christopher,
Hello Misagh,

thank you very much, but as far as I see it, my setup already corresponds to 
your recommendation:

@Christopher **Also, make sure the CAS URL you're referencing has ".../p3/..." 
in it**
I'm using phpCAS::client(CAS_VERSION_3_0, $cas_host, $cas_port, $cas_context);
It generates the url: 
https://mycasserver:8443/cas/p3/serviceValidate?service=http%3A%2F%2F192.168.0.1%2Fcastest%2Findex.php

@Misagh **Possibly because you are not allowing any attributes to be released**
My LDAP setup defined, via the principalAttributeMap, an entry 'mail' which is 
logged correctly as
DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 

The attributeFilter in the serviceRegistryDao/registeredServices should allow 
the mail attribute, because of the regex filter .*(mail).*
But nevertheless, the filter logged the following debug message:
DEBUG [org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter] - 


For me it looks like the attributes are coming from the ldap to the 
authenticationManager but then they are not passed to the service?!
I don't know what to do...


Re: [cas-user] Application not authorized to use CAS

2015-05-06 Thread Christopher Myers
Just for clarification - things work correctly when you omit this piece of code:

ldap://myserver:13060/";
 
manager-dn="cn=adminusername,cn=Users,dc=london-scottish,dc=com"
 manager-password="mypassword" />


but fail once you add it? And to be sure, the error message that you're 
receiving is the "application not authorized to use CAS" message?

The reason I'm curious is because that chunk of code there has absolutely 
nothing to do with an application talking to CAS; it's strictly for user-side 
things.

Chris





>>> Ahmed Hadzic  05/06/15 10:03 AM >>>
   Hello all,

I am about to graduate and for my senior design project I have to integrate CAS 
with KOHA (Open ILS). I am using Ubuntu server 14.04, so far I made secure 
connection for CAS, and now i need to login to CAS as KOHA user. This is where 
I encountered problems. I found out that I need to get the CAS server's Manager 
to add the OPAC Url to the Service management system in CAS itself. 
When I try to access over browser (https://localhost:8443/cas/services) I get 
redirected to CAS login page. I followed this documentation:
http://jasig.github.io/cas/4.0.x/installation/Service-Management.html.
Since I am pretty much a newbie for CAS I would be thankful if you could help me. 

Here are the details of what I did from the guide above:

LdapServiceRegistryDao





I added this in 
/home/ahmed/cas-server-4.0.0/cas-management-webapp/src/main/webapp/WEB-INF/managementConfigContext.xml


JpaServiceRegistryDaoImpl





  
${database.dialect}
update
${database.batchSize}
  















I added this in 
/home/ahmed/cas-server-4.0.0/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml


Installing the Services Management Webapp


  org.jasig.cas
  cas-management-webapp
  ${cas.version}
  war
  runtime


Added this in 
/home/ahmed/cas-server-4.0.0/cas-management-webapp/pom.xml


Spring-security-ldap


   org.springframework.security
   spring-security-ldap
   ${spring.security.ldap.version}
   
 
 org.springframework
 spring-aop
 
 
 org.springframework
 spring-tx
 
 
 org.springframework
 spring-beans
 
 
 org.springframework
 spring-context
 
 
 org.springframework
 spring-core
 
   


Added this in
/home/ahmed/cas-server-4.0.0/cas-management-webapp/pom.xml


My CAS fails when I add this part to 
/var/lib/tomcat7/webapps/cas/WEB-INF/deployerConfigContext.xml 

ldap://myserver:13060/";
 
manager-dn="cn=adminusername,cn=Users,dc=london-scottish,dc=com"
 manager-password="mypassword" />



I don't quite understand this and I don't know if I am doing things right, so 
any help is very much appreciated. 

Kind regards,

Ahmed
  


RE: [cas-user] Application not authorized to use CAS

2015-05-07 Thread Christopher Myers
Ok. Well, the cas log file would be the first place I'd look for errors with 
regard to the 404 you're getting; you can find more details on it here: 
http://jasig.github.io/cas/4.0.x/installation/Logging.html  You may want to 
turn the logging level up to DEBUG for additional details. It should typically 
be logging details to your TOMCAT_LOG_FOLDER/cas.log

To the "application not authorized" piece, the problem should be in your 
services configuration. You mentioned installing the service management webapp; 
are you able to access it? If so, if you log into it, do you see any services 
registered? If not, therein would lie your problem. I don't see where you 
mentioned configuring services to be able to access your CAS server, so if you 
didn't do that already, you'll definitely need to before anything will be able 
to talk to your server.

Chris





>>> Ahmed Hadzic  05/06/15 6:19 PM >>>
Yes, I can log in to CAS when I omit that piece of code, maybe I put it in 
the wrong section of the file. When I add it, I get the error 404 (service is 
unavailable). In KOHA (CAS settings) I set CAS Server Url to be: 
https://localhost:8443/cas and when I'm trying to access that over KOHA user 
login (if you have CAS account click here) I get the error: Application is not 
authorized to use CAS. I hope I explained my problem well enough. 

Ahmed 



RE: [cas-user] Application not authorized to use CAS

2015-05-07 Thread Christopher Myers
Ok. I think we need to take a step back and figure some things out first.


Typically, you'll want to configure CAS by itself (which will default to "open 
mode" which lets everything authenticate against it.) Once you've verified that 
everything's functioning correctly (you can log into CAS, apps can authenticate 
against the server successfully, etc.) then you'll want to look at configuring 
service management. Based on what you'd typed below, it seems like you tried to 
do it all at once. Just to make sure - was CAS functioning properly before you 
tried to do the service management stuff? If not, I'd start over with the 
server and make sure that CAS is functioning properly before trying the service 
management stuff, otherwise you don't really know for sure where problems lie.

If everything was working properly, and then you installed the service 
management config -
When you try to log into the management webapp, does it tell you that you can't 
login, or that the webapp isn't authorized?


Next - based on what you pasted in below, I'm seeing entries for both the LDAP 
service manager and JPA service registry, which are two entirely different 
things. If I'm interpreting your pasting correctly, it looks like you told the 
management webapp to use LDAP for services management, and CAS to use the 
database for it?


Chris



>>> Ahmed Hadzic  05/07/15 8:42 AM >>>
   I did mention installing the service management webapp and I'm not able to 
access it. I know if I manage to access it I can add KOHA as one of the CAS 
services and that would solve my problem. I tried to configure services 
following this guide 
http://jasig.github.io/cas/4.0.x/installation/Service-Management.html
Is this the right documentation to follow?


Ahmed

Date: Thu, 7 May 2015 08:08:47 -0500
From: cmy...@mail.millikin.edu
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Application not authorized to use CAS

Ok. Well, the cas log file would be the first place I'd look for errors with 
regard to the 404 you're getting; you can find more details on it here: 
http://jasig.github.io/cas/4.0.x/installation/Logging.html  You may want to 
turn the logging level up to DEBUG for additional details. It should typically 
be logging details to your TOMCAT_LOG_FOLDER/cas.log

To the "application not authorized" piece, the problem should be in your 
services configuration. You mentioned installing the service management webapp; 
are you able to access it? If so, if you log into it, do you see any services 
registered? If not, therein would lie your problem. I don't see where you 
mentioned configuring services to be able to access your CAS server, so if you 
didn't do that already, you'll definitely need to before anything will be able 
to talk to your server.

Chris





>>> Ahmed Hadzic  05/06/15 6:19 PM >>>
   Yes, I can log in to CAS when I omit that piece of code; maybe I put it in 
the wrong section of the file. When I add it, I get the error 404 (service is 
unavailable). In KOHA (CAS settings) I set the CAS Server URL to be: 
https://localhost:8443/cas   and when I'm trying to access that over the KOHA user 
login (if you have a CAS account click here) I get the error: Application is not 
authorized to use CAS. I hope I explained my problem well enough. 

Ahmed 

Date: Wed, 6 May 2015 12:58:26 -0500
From: cmy...@mail.millikin.edu
To: hadzic_ah...@hotmail.com; cas-user@lists.jasig.org
Subject: Re: [cas-user] Application not authorized to use CAS

Just for clarification - things work correctly when you omit this piece of code:

ldap://myserver:13060/";
 
manager-dn="cn=adminusername,cn=Users,dc=london-scottish,dc=com"
 manager-password="mypassword" />


but fail once you add it? And to be sure, the error message that you're 
receiving is the "application not authorized to use CAS" message?

The reason I'm curious is because that chunk of code there has absolutely 
nothing to do with an application talking to CAS; it's strictly for user-side 
things.

Chris





>>> Ahmed Hadzic  05/06/15 10:03 AM >>>
   Hello all,

I am about to graduate and for my senior design project I have to integrate CAS 
with KOHA (Open ILS). I am using Ubuntu server 14.04; so far I have made a secure 
connection for CAS, and now I need to log in to CAS as a KOHA user. This is where 
I encountered problems. I found out that I need to get the CAS server's Manager 
to add the OPAC URL to the Service management system in CAS itself. 
When I try to access it over the browser (https://localhost:8443/cas/services) I get 
redirected to the CAS login page. I followed this documentation:
http://jasig.github.io/cas/4.0.x/installation/Service-Management.html.
Since I am pretty much a newbie to CAS I would be thankful if you could help me. 

Here are the details of what I did from the guide above:

LdapServiceRegistryDao





I added this in 
/home/ahmed/cas-server-4.0.0/cas-management-webapp/src/main/webapp/WEB-INF/managementConfigContext.xml


JpaServiceRegistryDaoImp

RE: [cas-user] Application not authorized to use CAS

2015-05-07 Thread Christopher Myers
Ok cool, that's good to know that CAS was working properly initially. Were your 
services able to connect to CAS successfully at that point as well? That would 
be the next thing to check, because that way you know that everything is 
configured properly.

Once you've verified that you can log into CAS, and an application can use it 
for authentication, then you can safely move onto the next step - changing your 
user directory to something like LDAP (if needed.) Once that's been tested, 
then you can go about the service management configuration, because at that 
point, you know that everything's working, so you have a config that you can 
revert to if something doesn't go right. (Once I'm at this point, I usually 
create a copy of the folder so that if I totally hose a config, I don't have to 
undo it, I just copy it back from the working point.)

For your services management, you'll want to keep it all in the same place - 
whether LDAP, database, etc. Otherwise it would be like putting your 
shopping list in your car, and then riding your bike to the store. Essentially 
- the management webapp is just a nice GUI front-end for the CAS services 
management functionality. You can configure services manually as well. So if 
you're telling the webapp to use LDAP and CAS to use the database, it won't 
work.

Chris



>>> Ahmed Hadzic  05/07/15 9:47 AM >>>
   Yes, CAS was functioning properly before I tried to do the service 
management stuff (I could login as default: casuser-Mellon) and I would get 
message (Login Successful).

I haven't actually installed the service management config (I thought I need to 
do some configuration in CAS conf files and I would be able to access the 
service management). I was probably wrong.
When I try to log in to the management webapp 
(https://localhost:8443/cas-management) I get the error 
(http://pokit.org/get/?06a0b06e4b0c3f643ad66b6279a43fc5.jpg)


I get the error "application is not authorized to use CAS"  when I type: 
https://localhost:8443/cas/login?service=%2Fcgi-bin%2Fkoha%2Fopac-user.pl ( 
http://pokit.org/get/?55c4ebfd9cd76fd353e36a015b94f4d0.jpg, 
http://pokit.org/get/?4653a617ec77f3ecf60a6d1f094e2620.jpg)


As for the LDAP service manager and JPA service registry I thought I need to 
use LDAP. They are two different things, but can I use them both or just one of 
them, and is it OK for management webapp to use LDAP for services management, 
and CAS to use the database for it? Maybe it's a stupid question but I really 
don't know these things quite enough to understand them.


Ahmed

Date: Thu, 7 May 2015 09:13:08 -0500
From: cmy...@mail.millikin.edu
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Application not authorized to use CAS

Ok. I think we need to take a step back and figure some things out first.


Typically, you'll want to configure CAS by itself (which will default to "open 
mode" which lets everything authenticate against it.) Once you've verified that 
everything's functioning correctly (you can log into CAS, apps can authenticate 
against the server successfully, etc.) then you'll want to look at configuring 
service management. Based on what you'd typed below, it seems like you tried to 
do it all at once. Just to make sure - was CAS functioning properly before you 
tried to do the service management stuff? If not, I'd start over with the 
server and make sure that CAS is functioning properly before trying the service 
management stuff, otherwise you don't really know for sure where problems lie.

If everything was working properly, and then you installed the service 
management config -
When you try to log into the management webapp, does it tell you that you can't 
login, or that the webapp isn't authorized?


Next - based on what you pasted in below, I'm seeing entries for both the LDAP 
service manager and JPA service registry, which are two entirely different 
things. If I'm interpreting your pasting correctly, it looks like you told the 
management webapp to use LDAP for services management, and CAS to use the 
database for it?


Chris



>>> Ahmed Hadzic  05/07/15 8:42 AM >>>
   I did mention installing the service management webapp and I'm not able to 
access it. I know if I manage to access it I can add KOHA as one of the CAS 
services and that would solve my problem. I tried to configure services 
following this guide 
http://jasig.github.io/cas/4.0.x/installation/Service-Management.html
Is this the right documentation to follow?


Ahmed

Date: Thu, 7 May 2015 08:08:47 -0500
From: cmy...@mail.millikin.edu
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Application not authorized to use CAS

Ok. Well, the cas log file would be the first place I'd look for errors with 
regard to the 404 you're getting; you can find more details on it here: 
http://jasig.github.io/cas/4.0.x/installation/Logging.html  You may want to 
turn the logging level up to DEBUG for additional details. It should typically 
be logging details to y

RE: [cas-user] Application not authorized to use CAS

2015-05-11 Thread Christopher Myers
Out of curiosity, what URL do you access your KOHA application from in your 
browser? The way that you have your URL set up in the serviceID, it should 
authenticate anything with a URL similar to:

http://[anything_as_long_as_its_one_word_only].ibu.edu.ba/[anything]

So things like these will work:
http://server.ibu.edu.ba/something
http://fred.ibu.edu.ba/something/else/here
http://kuali.ibu.edu.ba/my/favorite/site.jsp

but URLs like these will NOT work:
https://[anything] (notice the httpS)
http://192.168.1.142/[anything]
http://server.ibu.edu.ba:8443/[anything] (notice the alternate port)

Basically, your setup is configured to only allow services to authenticate when 
the URL in your web browser matches something like in the first group; you 
won't be able to use alternate ports, SSL, IP addresses, etc.










>>> Ahmed Hadzic  05/10/15 7:14 AM >>>
   Thank you very much for explaining these things. My mentor advised me that I 
don't need to use services management webapp, I can use XML configuration for 
service registry data. I am using  InMemoryServiceRegistryDaoImpl and my 
configuration looks like this :





http://*.ibu.edu.ba/**";
  p:ssoEnabled="true"
  p:evaluationOrder="0" />





When I'm trying to authenticate KOHA I get that error: Application not 
authorized to use CAS.


Did I miss something ?

Kind regards,


Ahmed
Date: Thu, 7 May 2015 10:11:34 -0500
From: cmy...@mail.millikin.edu
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Application not authorized to use CAS

Ok cool, that's good to know that CAS was working properly initially. Were your 
services able to connect to CAS successfully at that point as well? That would 
be the next thing to check, because that way you know that everything is 
configured properly.

Once you've verified that you can log into CAS, and an application can use it 
for authentication, then you can safely move onto the next step - changing your 
user directory to something like LDAP (if needed.) Once that's been tested, 
then you can go about the service management configuration, because at that 
point, you know that everything's working, so you have a config that you can 
revert to if something doesn't go right. (Once I'm at this point, I usually 
create a copy of the folder so that if I totally hose a config, I don't have to 
undo it, I just copy it back from the working point.)

For your services management, you'll want to keep it all in the same place - 
whether LDAP, database, etc. Otherwise it would be like putting your 
shopping list in your car, and then riding your bike to the store. Essentially 
- the management webapp is just a nice GUI front-end for the CAS services 
management functionality. You can configure services manually as well. So if 
you're telling the webapp to use LDAP and CAS to use the database, it won't 
work.

Chris



>>> Ahmed Hadzic  05/07/15 9:47 AM >>>
   Yes, CAS was functioning properly before I tried to do the service 
management stuff (I could login as default: casuser-Mellon) and I would get 
message (Login Successful).

I haven't actually installed the service management config (I thought I need to 
do some configuration in CAS conf files and I would be able to access the 
service management). I was probably wrong.
When I try to log in to the management webapp 
(https://localhost:8443/cas-management) I get the error 
(http://pokit.org/get/?06a0b06e4b0c3f643ad66b6279a43fc5.jpg)


I get the error "application is not authorized to use CAS"  when I type: 
https://localhost:8443/cas/login?service=%2Fcgi-bin%2Fkoha%2Fopac-user.pl ( 
http://pokit.org/get/?55c4ebfd9cd76fd353e36a015b94f4d0.jpg, 
http://pokit.org/get/?4653a617ec77f3ecf60a6d1f094e2620.jpg)


As for the LDAP service manager and JPA service registry I thought I need to 
use LDAP. They are two different things, but can I use them both or just one of 
them, and is it OK for management webapp to use LDAP for services management, 
and CAS to use the database for it? Maybe it's a stupid question but I really 
don't know these things quite enough to understand them.


Ahmed

Date: Thu, 7 May 2015 09:13:08 -0500
From: cmy...@mail.millikin.edu
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Application not authorized to use CAS

Ok. I think we need to take a step back and figure some things out first.


Typically, you'll want to configure CAS by itself (which will default to "open 
mode" which lets everything authenticate against it.) Once you've verified that 
everything's functioning correctly (you can log into CAS, apps can authenticate 
against the server successfully, etc.) then you'll want to look at configuring 
service management. Based on what you'd typed below, it seems like you tried to 
do it all at once. Just to make sure - was CAS functioning properly before you 
tried to do the service management stuff? If not, I'd start over with the 
server and make sure that CAS is functioning properly before trying the service 
m

RE: [cas-user] Application not authorized to use CAS

2015-05-12 Thread Christopher Myers
That "create a memory leak..." error comes about when you try to hot-deploy 
CAS in Tomcat (basically just re-loading the .war file with Tomcat already 
running, without first removing the application through Tomcat manager. CAS 
isn't necessarily designed to be hot-deployed like that.) With that said, I do 
it, and it works fine and hasn't caused issues. But I only do that very very 
rarely. On a test server, you shouldn't really have to worry about those 
specific error messages.

However, I am concerned about the " Problem with directory 
[/usr/share/tomcat7/common/classes], exists: [false], isDirectory: [false], 
canRead: [false]" type errors. Those make me think that Tomcat isn't set up 
quite right, or the user you're running Tomcat as doesn't have permission to 
view the folders. That could definitely cause weirdness with your webapps. You 
might want to check to make sure that's all set up correctly before proceeding 
just to be safe.




>>> Ahmed Hadzic  05/12/15 5:44 AM >>>
   The URL I am using to access KOHA over the web browser is: 
http://library.ibu.edu.ba
I've tried to use the following URLs in my deployerConfigContext.xml: 
http://library.ibu.edu.ba
http://library.ibu.edu.ba/cgi-bin/koha/opac-user.pl 
and I still get the error that the application is not authorized to use CAS.
This is my Catalina log; maybe we can find out what is preventing KOHA from 
authenticating with CAS. I am not quite sure about this error message:

SEVERE: The web application [/cas] appears to have started a thread named 
[scheduler_Worker-1] but has failed to stop it. This is very likely to create 
a memory leak.


May 12, 2015 12:17:40 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with directory [/usr/share/tomcat7/common/classes], exists: [false], isDirectory: [false], canRead: [false]
May 12, 2015 12:17:42 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with directory [/usr/share/tomcat7/common], exists: [false], isDirectory: [false], canRead: [false]
May 12, 2015 12:17:43 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with directory [/usr/share/tomcat7/server/classes], exists: [false], isDirectory: [false], canRead: [false]
May 12, 2015 12:17:43 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with directory [/usr/share/tomcat7/server], exists: [false], isDirectory: [false], canRead: [false]
May 12, 2015 12:17:43 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with directory [/usr/share/tomcat7/shared/classes], exists: [false], isDirectory: [false], canRead: [false]
May 12, 2015 12:17:44 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with directory [/usr/share/tomcat7/shared], exists: [false], isDirectory: [false], canRead: [false]
May 12, 2015 12:18:13 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8443"]
May 12, 2015 12:18:21 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 36771 ms
May 12, 2015 12:18:21 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
May 12, 2015 12:18:21 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.52 (Ubuntu)
May 12, 2015 12:18:22 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive /var/lib/tomcat7/webapps/cas.war
May 12, 2015 12:19:44 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/tomcat7/webapps/ROOT
May 12, 2015 12:19:52 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8443"]
May 12, 2015 12:19:52 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 91100 ms
May 12, 2015 12:23:30 PM org.apache.coyote.AbstractProtocol pause
INFO: Pausing ProtocolHandler ["http-bio-8443"]
May 12, 2015 12:23:30 PM org.apache.catalina.core.StandardService stopInternal
INFO: Stopping service Catalina
May 12, 2015 12:23:31 PM org.apache.catalina.loader.WebappClassLoader 
clearReferencesThreads
SEVERE: The web application [/cas] appears to have started a thread named 
[FileWatchdog] but has failed to stop it. This is very likely to create a 
memory leak.
May 12, 2015 12:23:31 PM org.apache.catalina.loader.WebappClassLoader 
clearReferencesThreads
SEVERE: The web application [/cas] appears to have started a thread named 
[scheduler_Worker-1] but has failed to stop it. This is very likely to create a 
memory leak.
May 12, 2015 12:23:31 PM org.apache.catalina.loader.WebappClassLoader 
clearReferencesThreads
cgi-bin/koha/opac-user.pl
May 12, 2015 12:23:31 PM org.apache.catalina.loader.WebappClassLoader 
clearReferencesThreads
SEVERE: The web application [/cas] appears to have started a thread named 
[scheduler_Worker-3] but has failed to stop it. This is very likely to create a 
memory lea

RE: [cas-user] Application not authorized to use CAS

2015-05-13 Thread Christopher Myers
No worries at all, I'm glad to try to help you out.

Your tomcat logs look a lot happier now, so that's definitely good.

One thing to make sure to check -

on your application that's trying to connect to CAS, make sure that the 


  edu.yale.its.tp.cas.client.filter.serverName
  servername.school.edu


code is set up correctly (this is from the Java CAS client, contained in the 
web.xml file of one of my test apps.) (Different CAS clients will have this 
information set up differently.)

If the servername.school.edu doesn't exactly match what's in your CAS services 
config, it'll throw that same error. So if in my java app I have 
"server.school.edu" configured for that serverName parameter, but in CAS have 
"server1.school.edu", it won't work.

https://wiki.jasig.org/display/CASC/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml


Chris





>>> Ahmed Hadzic  05/13/15 8:46 AM >>>
   I tried to fix this "Problem with directory 
[/usr/share/tomcat7/common/classes], exists: [false], isDirectory: [false], 
canRead: [false]". I tried many things: reinstalling tomcat7, deleting tomcat7 
and installing the lower version tomcat6, installing tomcat7 manually, etc.
The thing is, when I install tomcat7 via apt-get, during the installation I see: 
not creating directory /usr/share/tomcat7. I lost all hope of fixing this. Then 
I decided to copy the directories from /var/lib/tomcat7 to /usr/share/tomcat7, 
and I couldn't copy the whole directories with the files inside, so I copied file 
by file. The result is, I don't have that WARNING anymore, but I still have the 
error: Application not authorized to use CAS. 

This is my Catalina log now:

May 12, 2015 4:35:38 PM org.apache.coyote.AbstractProtocol pause
INFO: Pausing ProtocolHandler ["http-bio-8443"]
May 12, 2015 4:35:39 PM org.apache.catalina.core.StandardService stopInternal
INFO: Stopping service Catalina
May 12, 2015 4:35:43 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: The web application [/cas] appears to have started a thread named [FileWatchdog] but has failed to stop it. This is very likely to create a memory leak.
May 12, 2015 4:35:43 PM org.apache.coyote.AbstractProtocol stop
INFO: Stopping ProtocolHandler ["http-bio-8443"]
May 12, 2015 4:35:43 PM org.apache.coyote.AbstractProtocol destroy
INFO: Destroying ProtocolHandler ["http-bio-8443"]
May 12, 2015 4:35:56 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8443"]
May 12, 2015 4:36:00 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 11400 ms
May 12, 2015 4:36:01 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
May 12, 2015 4:36:01 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.52 (Ubuntu)
May 12, 2015 4:36:01 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive /var/lib/tomcat7/webapps/cas.war
May 12, 2015 4:36:58 PM org.apache.catalina.util.SessionIdGenerator 
createSecureRandom
INFO: Creation of SecureRandom instance for session ID generation using 
[SHA1PRNG] took [328] milliseconds.
May 12, 2015 4:37:05 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/tomcat7/webapps/ROOT
May 12, 2015 4:37:06 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8443"]
May 12, 2015 4:37:07 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 66325 ms


Chris, I know I'm annoying, but I am also desperate, I really don't know what 
to do anymore.

Ahmed
Date: Tue, 12 May 2015 08:12:26 -0500
From: cmy...@mail.millikin.edu
To: hadzic_ah...@hotmail.com; cas-user@lists.jasig.org
Subject: RE: [cas-user] Application not authorized to use CAS

That "create a memory leak..." error comes about when you try to hot-deploy 
CAS in Tomcat (basically just re-loading the .war file with Tomcat already 
running, without first removing the application through Tomcat manager. CAS 
isn't necessarily designed to be hot-deployed like that.) With that said, I do 
it, and it works fine and hasn't caused issues. But I only do that very very 
rarely. On a test server, you shouldn't really have to worry about those 
specific error messages.

However, I am concerned about the " Problem with directory 
[/usr/share/tomcat7/common/classes], exists: [false], isDirectory: [false], 
canRead: [false]" type errors. Those make me think that Tomcat isn't set up 
quite right, or the user you're running Tomcat as doesn't have permission to 
view the folders. That could definitely cause weirdness with your webapps. You 
might want to check to make sure that's all set up correctly before proceeding 
just to be safe.




>>> Ahmed Hadzic  05/12/15 5:44 AM >>>
   The URL I am using to access KOHA over the web browser is: 
http://library.ibu.edu.ba
I've tried to use the following URLs in my deploy
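
Added example (not code from the original thread, and not CAS's own source): a Python model of the service matching Chris describes in his 05/11 reply (what `http://*.ibu.edu.ba/**` does and does not cover) and of the serverName point in his 05/13 reply (the service URL a client sends is built from its configured serverName, so a mismatch there yields the same "not authorized" error). CAS 4.0 hands the registered serviceId and the submitted service URL to Spring's AntPathMatcher; `ant_pattern_to_regex` below is a simplified re-implementation of those wildcards, not Spring's code, and the lowercase comparison is an assumption about CAS. The registry entries, their evaluationOrder values and `client_service_url` are constructed for illustration; the last case shows why the bare `service=/cgi-bin/koha/opac-user.pl` value seen earlier in the thread cannot match an `http://...` pattern.

```python
"""Model of CAS 4.0 service matching (added example, not CAS code).

CAS compares the registered serviceId pattern with the service URL the
client submits using Spring's AntPathMatcher; the translation below is a
simplified re-implementation of the Ant wildcards. Registry entries,
evaluation orders and client_service_url() are constructed for illustration.
"""
import re
from typing import Optional, Sequence, Tuple


def ant_pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate an Ant-style serviceId into an anchored regular expression.

    '**' matches anything, '/' included; '*' matches a run of characters
    containing no '/'; '?' matches one such character; everything else is
    literal. A trailing '/**' is made optional so that a bare
    'http://x.ibu.edu.ba' still matches 'http://*.ibu.edu.ba/**'.
    """
    if pattern.endswith("/**"):
        body, tail = pattern[:-3], "(?:/.*)?"
    else:
        body, tail = pattern, ""
    parts = []
    i = 0
    while i < len(body):
        if body.startswith("**", i):
            parts.append(".*")
            i += 2
        elif body[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif body[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(body[i]))
            i += 1
    return re.compile("^" + "".join(parts) + tail + "$")


def service_matches(pattern: str, service_url: str) -> bool:
    """True when service_url is covered by pattern. Both sides are lowercased
    here; that CAS does the same is an assumption (check RegisteredServiceImpl)."""
    return ant_pattern_to_regex(pattern.lower()).fullmatch(service_url.lower()) is not None


# Constructed registry: (serviceId pattern, evaluationOrder, name).
REGISTRY: Sequence[Tuple[str, int, str]] = (
    ("http://*.ibu.edu.ba/**", 0, "KOHA OPAC"),
    ("http://server1.school.edu/**", 5, "test app"),
    ("https://localhost:8443/cas-management/**", 10, "CAS management webapp"),
)


def find_registered_service(service_url: str,
                            registry: Sequence[Tuple[str, int, str]] = REGISTRY
                            ) -> Optional[str]:
    """Name of the first entry that matches, lowest evaluationOrder first, or
    None. None is the case where the login page shows
    'Application not authorized to use CAS'."""
    for pattern, _order, name in sorted(registry, key=lambda e: e[1]):
        if service_matches(pattern, service_url):
            return name
    return None


def client_service_url(server_name: str, request_uri: str, secure: bool = False) -> str:
    """Simplified model of what a CAS client sends as 'service': the scheme of
    the incoming request, the configured serverName (host[:port]) and the
    request path. A serverName that differs from the registered pattern makes
    the service unauthorized even though the application is 'registered'."""
    scheme = "https" if secure else "http"
    return f"{scheme}://{server_name}{request_uri}"


if __name__ == "__main__":
    for url in ("http://server.ibu.edu.ba/something",
                "https://server.ibu.edu.ba/something",
                "http://192.168.1.142/anything",
                "http://server.ibu.edu.ba:8443/anything",
                "/cgi-bin/koha/opac-user.pl",
                client_service_url("library.ibu.edu.ba", "/cgi-bin/koha/opac-user.pl"),
                client_service_url("server.school.edu", "/app/")):
        print(f"{url:60} -> {find_registered_service(url)}")
```

Run it directly to print which registry entry, if any, each URL resolves to; `None` is the case where CAS renders the "Application not authorized" page. When a client-side serverName or scheme is suspected, feed `client_service_url(...)` with the values from the client's configuration and check that the result resolves to the intended entry.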

Re: [cas-user] debugging AUTHENTICATION_FAILED

2015-05-22 Thread Christopher Myers
Hey Phil -

You don't happen to use eDirectory on the back-end, do you? If so, I can
send you some directions that can make troubleshooting something like
this a TON easier...

Chris

>>> "Romov, Phil"  05/21/15 3:55 PM >>>
Misagh,
Thanks for your reply!  However, I might need significantly more
schooling on how to do this..

I tried googling around for some hints, but saw a mish-mash of
.properties and .xml files and didn't know where to start.

So I tried a stab in the dark, adding to
webapps/cas/WEB-INF/cas.properties:

log4j.org.jasig.cas=DEBUG

And restarted tomcat

However, I didn't get anything new in the logs, the same basic error
AUTHENTICATION_FAILED and no detail how to resolve it...

Please advise
Thanks!
Phil




On 5/20/15, 4:10 PM, "Misagh Moayyed"  wrote:

>The easiest way would be to review your log4j file, and adjust relevant
>levels to DEBUG, and watch the output. Specifically, you want to have
>org.jasig.cas to DEBUG and packages that deal with jdbc and your oracle
>driver. 
>
>-Original Message-
>From: Romov, Phil [mailto:pro...@harryfox.com]
>Sent: Wednesday, May 20, 2015 9:48 AM
>To: cas-user@lists.jasig.org
>Subject: [cas-user] debugging AUTHENTICATION_FAILED
>
>I'm essentially in the same boat as
>http://stackoverflow.com/questions/24387170/whats-the-easiest-way-to-debug
>-jasig-cas-when-using-jdbc-and-oracle
>
>(except I'm in mysql not oracle)
>
>Are there any other logs to look at, flags to enable more logs?  Please
>point me in the right direction
>
>Thanks
>Phil
>




RE: [cas-user] Cas changing password

2015-06-18 Thread Christopher Myers
We'd used PWM in the past, it's quite cool, and very very capable :)

>>> Scott Massari  06/18/15 10:52 AM >>>
   We currently use PWM ... https://code.google.com/p/pwm/


From: hari.mailvaga...@ubc.ca
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Cas changing password
Date: Tue, 16 Jun 2015 19:10:27 +

   http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html
  
 From: Manfredo Hopp [mailto:mhopp.coni...@gmail.com] 
 Sent: June-16-15 7:41 AM
 To: cas-user@lists.jasig.org
 Subject: [cas-user] Cas changing password
  
  Hello, we are considering using Cas as primary authentication system going 
through Cas login cutomized page. 
  In general authentication systems consider changin password during 
authentication process.
 
  Therefore some kind of changing password process is triggered. 
 
   
 
  Does Cas provide something to achieve this?
 
   
 
  Regards Manfredo
 
 
  


RE: [cas-user] CAS 4.0 & AD & ADFS & OFFICE 365

2015-06-25 Thread Christopher Myers
I think you should be able to...

Our O365 instance has accounts provisioned and sync'd through a
PowerShell script.

We did a conference call with an O365 specialist at M$ a few months ago,
and we were told this about Shib:

There are two different types of applications in the O365 suite:
WS-TRUST: Active protocols, which includes the physical Office clients
WS-Federation: Passive protocols, which are the web-based apps

The TRUST protocol apps are not able to be shib'd at this point, but the
Federation protocol apps are.

So as long as you're provisioning the accounts into the O365
environment, you should be able to have the web apps shib-enabled.

Chris



>>>  06/25/15 1:43 PM >>>
Ok,
Thank you very much.



On 2015-06-25 02:21, Misagh Moayyed wrote:
> At this point, I don't think it's possible. Your other option would be to
> have ADFS <-> Shib <-> Shib/CAS Authn <-> CAS. 4.1.SNAPSHOT presents no such
> feature that I am aware of. If ADFS support gets added, it would only be to
> make CAS an ADFS client and not the other way around.
> 
>> -Original Message-
>> From: daniel.char...@unice.fr [mailto:daniel.char...@unice.fr]
>> Sent: Wednesday, June 24, 2015 1:58 PM
>> To: cas-user@lists.jasig.org
>> Subject: [cas-user] CAS 4.0 & AD & ADFS & OFFICE 365
>> 
>> Hello,
>> 
>> I ask myself a question. Could you give me your opinion?
>> 
>> A person from Microsoft presented the Office 365 solution to us at our
>> university.
>> 
>> To connect to Office 365, they advise us to install an AD server with a
>> front-end ADFS server that connects to our Shibboleth authentication server
>> (I understand that only CAS version 4.1 SNAPSHOT allows SAML 2.0 with ADFS.
>> Maybe I'm wrong...)
>> 
>> But I wonder: is it possible to simply connect the AD server with CAS 4.0
>> and so not use an ADFS server?
>> 
>> The web client goes through the CAS server and the AD server that
>> integrates the connection and sends the profile to the AD server in Azure
>> Office 365 ... is it possible?
>> 
>> Thank you for your help
>> 
>> Daniel CHARLOT
>> Université de Nice.
>> 
>> 
>> --
>> You are currently subscribed to cas-user@lists.jasig.org as:
>> mmoay...@unicon.net To unsubscribe, change settings or access 
>> archives,
>> see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user

-- 
You are currently subscribed to cas-user@lists.jasig.org as:
cmy...@mail.millikin.edu
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user





Re: [cas-user] Problem with CAS Clustering and LT parameter

2015-07-06 Thread Christopher Myers
Personally, we just set up our three-node CAS4 instance with Hazelcast and 
front-ended it with our Barracuda (no special config required.)



It was much easier, took less than an hour to get set up... We 
verified that we can kill any number of nodes, and as long as one is up, 
everything fails over splendidly :)

https://github.com/unicon-cas-addons/cas-addon-hazelcast-ticket-registry



Added the following tag to web.xml, right before the closing  tag to 
make it deploy between servers:


Add the following code

<dependency>
    <groupId>net.unicon.cas</groupId>
    <artifactId>cas-addon-hazelcast-ticket-registry</artifactId>
    <version>1.0.0-GA</version>
    <scope>runtime</scope>
</dependency>

to cas-server-webapp/pom.xml

edit cas-server-webapp/src/main/webapp/WEB-INF/web.xml

add

    classpath*:/META-INF/spring/*.xml

to

  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      /WEB-INF/spring-configuration/*.xml
      /WEB-INF/deployerConfigContext.xml
      classpath*:/META-INF/spring/*.xml
    </param-value>
  </context-param>

Add the line

hz.cluster.members=muwacnode1.millikin.edu,muwacnode2.millikin.edu,muwacnode3.millikin.edu

to cas-server-webapp/src/main/webapp/WEB-INF/cas.properties

Recompile, redeploy, all set :)

Chris






>>> Dave Steiner  07/06/15 11:37 AM >>>
We've been running a load-balanced CAS cluster of two nodes for a number of 
years now.  The TicketRegistry is rep/memcached. Evidently our LT processing 
has 
been broken for quite some time.  As we are trying to upgrade from 3.3.5 to 
3.5.2 we noticed problems due to the LT parameter not being accessible across 
both CAS instances. In researching this, the Cas Clustering wiki page 
(https://wiki.jasig.org/display/CASUM/Clustering+CAS) suggests to use Tomcat 
Session Replication.

We don't have any experience with Tomcat Session Replication.  Is this 
definitely the way to go?  How does this hold up under heavy loads?  I'm 
assuming no one is recommending sticky sessions at the load balancer?  Reasons? 
 
Also, I read some messages about putting the LT parameter into the 
TicketRegistry.  Was that ever tried?  Is it something that the CAS community 
recommends or not?

Thanks in advance for all help and suggestions.

-ds
-- 
Dave Steiner stei...@rutgers.edu
Identity Management, ESS ASB101; 848.445.5433
Rutgers University, Office of Information Technology
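
A pre-deploy check for the three edits Chris lists above (the pom.xml dependency, the contextConfigLocation entry in web.xml, and hz.cluster.members in cas.properties), as an example added to this archive page; it is not code from CAS or from the cas-addon-hazelcast-ticket-registry project. The three file bodies are constructed samples with placeholder host names (casnodeN.example.edu), and the check reads the files with the standard library only:

```python
"""Pre-deploy check for the Hazelcast ticket-registry edits: pom.xml
dependency, web.xml contextConfigLocation, cas.properties member list.
Example added to this archive page; not CAS or add-on project code.
The three file bodies below are constructed samples."""
import xml.etree.ElementTree as ET

ADDON_GROUP = "net.unicon.cas"
ADDON_ARTIFACT = "cas-addon-hazelcast-ticket-registry"
ADDON_SPRING_FILES = "classpath*:/META-INF/spring/*.xml"
MEMBERS_KEY = "hz.cluster.members"


def _local(tag):
    """Strip the XML namespace so pom.xml and web.xml parse the same way
    whether or not they declare a default namespace."""
    return tag.rsplit("}", 1)[-1]


def _fields(element):
    """Map child local-name -> stripped text for a simple element."""
    return {_local(c.tag): (c.text or "").strip() for c in element}


def pom_has_addon(pom_xml):
    """True if any <dependency> names the Hazelcast ticket registry add-on."""
    for el in ET.fromstring(pom_xml).iter():
        if _local(el.tag) == "dependency":
            f = _fields(el)
            if f.get("groupId") == ADDON_GROUP and f.get("artifactId") == ADDON_ARTIFACT:
                return True
    return False


def webxml_loads_addon(web_xml):
    """True if contextConfigLocation lists the add-on's Spring files; without
    that entry the registry bean is never wired in and tickets stay local."""
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) == "context-param":
            f = _fields(el)
            if f.get("param-name") == "contextConfigLocation":
                return ADDON_SPRING_FILES in f.get("param-value", "").split()
    return False


def cluster_members(cas_properties):
    """Parse hz.cluster.members from a .properties body (comments skipped)."""
    for raw in cas_properties.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == MEMBERS_KEY:
            return [m.strip() for m in value.split(",") if m.strip()]
    return []


def lint(pom_xml, web_xml, cas_properties):
    """Return a list of problems; empty means all three edits are present
    and the member list can actually fail over."""
    problems = []
    if not pom_has_addon(pom_xml):
        problems.append("pom.xml: %s:%s dependency missing" % (ADDON_GROUP, ADDON_ARTIFACT))
    if not webxml_loads_addon(web_xml):
        problems.append("web.xml: contextConfigLocation lacks " + ADDON_SPRING_FILES)
    members = cluster_members(cas_properties)
    if len(members) < 2:
        problems.append("cas.properties: %s needs at least two nodes for failover" % MEMBERS_KEY)
    if len(set(members)) != len(members):
        problems.append("cas.properties: duplicate host in " + MEMBERS_KEY)
    return problems


# Constructed samples (placeholder hosts), not files from any real deployment.
SAMPLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>cas-server-webapp</artifactId>
  <dependencies>
    <dependency>
      <groupId>net.unicon.cas</groupId>
      <artifactId>cas-addon-hazelcast-ticket-registry</artifactId>
      <version>1.0.0-GA</version>
      <scope>runtime</scope>
    </dependency>
  </dependencies>
</project>
"""
SAMPLE_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      /WEB-INF/spring-configuration/*.xml
      /WEB-INF/deployerConfigContext.xml
      classpath*:/META-INF/spring/*.xml
    </param-value>
  </context-param>
</web-app>
"""
SAMPLE_WEB_XML_NO_ADDON = SAMPLE_WEB_XML.replace("      classpath*:/META-INF/spring/*.xml\n", "")
SAMPLE_PROPERTIES = """\
# constructed sample; a real deployment lists its own node FQDNs
hz.cluster.members=casnode1.example.edu,casnode2.example.edu,casnode3.example.edu
"""

if __name__ == "__main__":
    for label, props in (("three nodes", SAMPLE_PROPERTIES),
                         ("one node", "hz.cluster.members=casnode1.example.edu\n")):
        print(label, lint(SAMPLE_POM, SAMPLE_WEB_XML, props) or "OK")
```

Run it against the real cas-server-webapp/pom.xml, WEB-INF/web.xml and WEB-INF/cas.properties before the recompile; a one-node member list passes Maven and Spring but gives you no failover, which is exactly what the "kill any number of nodes" test above is meant to prove.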




Re: [cas-user] Casifying ILLiad - is anyone doing this ?

2015-07-08 Thread Christopher Myers
We started down that road a few years ago, but it was fraught with
random issues on their end (at least at the time.) So we ended up just
going with adding configuration to our EZ Proxy server, and pointing
that server against our LDAP backend (which is the same source as our
CAS instance.)

Chris



>>> Chris Adams  07/07/15 8:25 PM >>>
Hello all, 
  
 We use an Interlibrary software called ILLiad. I have utilized the work
of another person who developed a custom cas client and interfaced it
with CAS. I have not been able to follow up with him about the errors I
am seeing. I thought that  someone on the list might be using CAS with
ILLiad and have some insight. 
  
 I copied the dotnetcasclient.dll into what I think is the application
executable folder. I actually created a /Bin folder in the executable
folder since there wasn’t one  and stuffed the dll there. I modified the
root website web.conf as  instructed to give some presence to the cas
client. 
  
 The process that I am using for testing is to go from our library
catalog, utilizing a request with search parameters and passing it  to
the application. Obviously, the intent was for it to go the CAS login
page and then pass the search  parameters to the application. 
  
 I get a generic 500 server error, but the event viewer gives a little
more information that might be useful. 
  
 I think that something is not right with the location of the
dotnetcasclient.dll because the error messages indicate that it or a
dependency can't be found. I have tried putting it in several different
locations, but it is not working. I have included a bit of the
information from the event viewer below. 
  
 Many thanks,  Christopher Adams
  
  
 008 
A configuration error has occurred. 
7/7/2015 5:22:53 PM 
7/8/2015 12:22:53 AM 
e9ef81926e3b4ed2b8d7798e7e660c30 
1 
1 
0 
/LM/W3SVC/1/ROOT/ILLiad-1-130807885685829466 
Full 
/ILLiad 
C:\inetpub\wwwroot\illiad\ 
MyServerComputerName 
 
10312 
w3wp.exe 
NT AUTHORITY\NETWORK SERVICE 
ConfigurationErrorsException 
Could not load file or assembly 'DotNetCasClient' or one of its
dependencies. The system cannot find the file specified. at
System.Web.Configuration.ConfigUtil.GetType(String typeName, String
propertyName, ConfigurationElement configElement,  XmlNode node, Boolean
checkAptcaBit, Boolean ignoreCase) at
System.Web.Configuration.ConfigUtil.GetType(String typeName, String
propertyName, ConfigurationElement configElement, Boolean checkAptcaBit)
at System.Web.Configuration.Common.ModulesEntry.SecureGetType(String 
typeName, String propertyName, ConfigurationElement configElement) at
System.Web.Configuration.Common.ModulesEntry..ctor(String name, String
typeName, String propertyName, ConfigurationElement configElement) at
System.Web.HttpApplication.BuildIntegratedModuleCollection(List`1 
moduleList) at System.Web.HttpApplication.GetModuleCollection(IntPtr
appContext) at
System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr
appContext, HttpContext context, MethodInfo[] handlers) at
System.Web.HttpApplication.InitSpecial(HttpApplicationState  state,
MethodInfo[] handlers, IntPtr appContext, HttpContext context) at
System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr
appContext, HttpContext context) at
System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr
appContext)  Could not load file or assembly 'DotNetCasClient' or one of
its dependencies. The system cannot find the file specified. at
System.RuntimeTypeHandle.GetTypeByName(String name, Boolean
throwOnError, Boolean ignoreCase, Boolean reflectionOnly,
StackCrawlMarkHandle  stackMark, IntPtr pPrivHostBinder, Boolean
loadTypeFromPartialName, ObjectHandleOnStack type) at
System.RuntimeTypeHandle.GetTypeByName(String name, Boolean
throwOnError, Boolean ignoreCase, Boolean reflectionOnly,
StackCrawlMark& stackMark, IntPtr pPrivHostBinder,  Boolean
loadTyBoolean throwOnError, Boolean ignoreCase, Boolean reflectionOnly,
StackCrawlMark& stackMark) at System.Type.GetType(String typeName,
Boolean throwOnError, Boolean ignoreCase) at 
System.Web.Compilation.BuildManager.GetType(String typeName, Boolean
throwOnError, Boolean ignoreCase) at
System.Web.Configuration.ConfigUtil.GetType(String typeName, String
propertyName, ConfigurationElement configElement, XmlNode node, Boolean
checkAptcaBit,  Boolean ignoreCase)  
   
http://myserver.com/illiad/illiad.dll?Action=10&Form=30&sid=CATALOG&genre=loan&title=Salmon
[owned by OSL
]&ISBN=9780394533971&aulast=Sakurai&date=c1984.&rft.pub=Knopf ; Random
House ; Distributed by Random House,&rft.place= 
/illiad/illiad.dll
 

RE: [cas-user] Casifying ILLiad - is anyone doing this ?

2015-07-09 Thread Christopher Myers
No problem at all!

You could also fudge the issue by building a CASified "front end" for EZ
Proxy - that way, it will *appear* to the end-users that they're CASing
directly into EZ Proxy, but in reality, the application will be the
recipient, and it'll just pass the credentials along. There are CAS
options that you can configure to pass the password along to the client
(ClearPass) - 

http://jasig.github.io/cas/4.0.x/integration/ClearPass.html 

And then you could build a page like -

  Loading...
  https://ezproxy.something.edu:2443/login

Chris



>>> Chris Adams  07/08/15 3:32 PM >>>
Thank you for your reply. I had seen your posts about Ezproxy,
but our Management is stuck on CAS for everything, though they *know*
nothing about it. We also utilize Ezproxy, so that may be an avenue 
that I pursue if this does not pan out. 
  
 Many thanks, 
  
 Christopher Adams
  

RE: [cas-user] Casifying ILLiad - is anyone doing this ?

2015-07-09 Thread Christopher Myers
Oh, and, should you choose to do this, your form post URL would be
something like -


String queryString = "?" + request.getQueryString();

https://ezproxyserver.school.edu:2443/login?url=https://school.illiad.oclc.org/illiad/illiad.dll/OpenURL<%=queryString%>
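
The same hand-off URL built server-side with two checks the JSP one-liner above skips, as an example added to this archive page (not Chris's JSP, and not EZproxy or ILLiad code): the raw query string is validated before it is appended, and the finished URL is escaped before it lands in an HTML attribute. Host names are the page's own placeholders. Assumption: the EZproxy login endpoint takes everything after url= as the target, so the OpenURL query is appended as-is rather than percent-encoded a second time.

```python
"""Build the EZproxy hand-off URL from the ILLiad OpenURL query string,
validating it first and escaping it before it goes into HTML.
Example added to this archive page; not EZproxy, ILLiad or CAS code.
Assumes EZproxy takes everything after 'url=' as the target URL."""
import html
import re

EZPROXY_LOGIN = "https://ezproxyserver.school.edu:2443/login"
ILLIAD_OPENURL = "https://school.illiad.oclc.org/illiad/illiad.dll/OpenURL"

# Characters a browser leaves unencoded in a query (RFC 3986 pchar, "/", "?",
# plus the square brackets ILLiad links carry). Anything else, in particular
# quotes, angle brackets, spaces and control characters, is refused.
_QUERY_OK = re.compile(r"^[A-Za-z0-9\-._~!$&'()*+,;=:@/?%\[\]]*$")


def is_safe_query(query_string):
    """True when the raw query string only contains URL-legal characters."""
    return bool(_QUERY_OK.match(query_string or ""))


def build_ezproxy_url(query_string):
    """query_string is the raw request query (what request.getQueryString()
    returns in the JSP), or None when the request had none."""
    q = query_string or ""
    if not is_safe_query(q):
        raise ValueError("query string contains characters not allowed in a URL")
    target = ILLIAD_OPENURL + ("?" + q if q else "")
    return EZPROXY_LOGIN + "?url=" + target


def loading_page(query_string):
    """The auto-submitting 'Loading...' page. The URL is escaped for the
    attribute context, so '&' between OpenURL parameters becomes '&amp;' in
    the markup and the browser decodes it back on submit. Any hidden
    credential fields a ClearPass front end would add are out of scope."""
    action = html.escape(build_ezproxy_url(query_string), quote=True)
    return ('<html><body onload="document.forms[0].submit()">Loading...\n'
            '<form method="post" action="' + action + '"></form>\n'
            '</body></html>')


if __name__ == "__main__":
    # Constructed query string shaped like the catalog link quoted above.
    sample = "Action=10&Form=30&sid=CATALOG&genre=loan&ISBN=9780394533971"
    print(build_ezproxy_url(sample))
    print(loading_page(sample))
```

Spaces and brackets in a real catalog link arrive percent-encoded from the browser (%20, %5B), which the whitelist accepts; what it refuses is anything that could close the attribute or open a tag when the value is reflected into the page.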








Re: [cas-user] Drop the management webapp

2015-07-27 Thread Christopher Myers
Honestly, our CAS configuration changes so infrequently that we don't
even need to use a regular service registry; we just have our configs
stored in the deployerConfigContext.xml file directly.


Chris


>>> Jérôme LELEU 07/26/15 9:08 AM >>>
Hi,

The CAS service model has strongly evolved for the CAS server v4.1 and
the powerful new policies are hard to define through a UI. Maintaining
this webapp requires a lot of work.
The default services registry is now based on JSON files which also
makes manual editing a lot easier.


I'm in favor of dropping the CAS management webapp or maybe first moving
it into a separate project.


I'd like to get feedback on this idea: do CAS deployers use it? How?


Thanks.
Best regards,
Jérôme





RE: [cas-user] Drop the management webapp

2015-07-27 Thread Christopher Myers
That's very true... For us it isn't a huge deal to restart them because
we've got a 3-node cluster, but it would be nice if it would rescan the
file. I can watch the logs and see it regularly saying that it's "found"
all of the services, but it must just be checking from memory rather
than actually watching the file for changes.

Chris

>>> "Ourada, John"  07/27/15 8:20 AM >>>
Ours changes very infrequently also, but has started changing
more now that we have external apps that need to authenticate.  Those
require a manual entry in  the deployer config file.  It requires a
manual restart of CAS application to reload them.  I haven’t looked at
4.1 yet, but it would be nice if the app would look for updated service
registry files and reloaded them periodically.
  
 -john
  


Re: [cas-user] CAS Intermittent login issue

2015-07-30 Thread Christopher Myers
One thing to check - does the CASified application have the correct IP address 
for the CAS server? We had something similar happen when we put our CAS 
environment behind our Barracuda, and one of our hosted third-party 
applications still had the old DNS entry cached.

Chris




>>> Juan Quintanilla  07/30/15 9:29 AM >>>
   Hi,
  
 We are implementing CAS 3.6.0 using ldap authentication, with oracle for the 
ticket registry, and tomcat 8.  We have the environment running on an F5 load 
balancer but currently with only one web server in the loop.  I just wanted to 
ask if any have encountered  intermittent issues with logging into an 
application using CAS.  
  
 What I'm encountering is a user hits the cas login page after being redirected 
by the client application but after they enter their credentials they are 
redirected to the login page with the login information cleared. If they try 
logging in again the process just repeats; if they enter bad credentials no 
error message is displayed on the screen or even in the logs. If the user 
closes their browser and clears their cache they are able to login.
  
 In the Tomcat access logs we notice that there is a post during that 
transaction but we didn't see a jsessionid in the url string associated with the 
post.  We are removing ldap pooling and extending the cas session timeout in 
the web.xml to see if maybe their session is expiring. It does not happen all 
the time, it's sporadic, so it makes it difficult to troubleshoot.  We have talked 
to our networking team but they don't seem to see any problems on their side; 
they have just extended the session timeout. Our last resort would be to take 
the environment off the F5 and see if that helps, or place the old environment 
on the F5 to see if the problem persists on that environment; then we can narrow 
down the issue to being on the F5 load balancer. Since the problem does not 
always happen we're having a hard time determining whether the problem is with the 
load balancer or some configuration on the CAS/Tomcat side.
  
 Has anyone encountered something similar, any suggestions will really help.
 
 
 
  ___
 Juan Quintanilla
 jquin...@fiu.edu
 
 
 


Re: [cas-user] CAS SSO login issue

2015-08-10 Thread Christopher Myers
Out of curiosity, is the application set to force a new login?

Eg., we have a CRM application that appends "&renew=true" to the end of the 
login URLs, which forces CAS to make the user log in, even if they just logged 
into CAS 10 seconds before.

Chris




>>> Juan Quintanilla  08/10/15 3:29 PM >>>
   Hi,
  
 We recently encountered a new issue where a user logs into an application using 
CAS and authenticates, then immediately goes to another site using CAS and they are 
presented with the login page instead of being signed in, so they have to login 
again. We are running CAS 3.6.0 and Tomcat 8 with ldap backend; it seemed to 
be working before and the only changes that we have made were removing the ldap 
pooling from the deployer config, and they modified the load balancer sticky 
sessions to a longer time. We are wondering what might be causing the 
application to not check if there is a Ticket already for the session.
 
 Thanks!
 
 
 
  ___
 Juan Quintanilla
 UTS - Enterprise Group
 305-348-6573
 jquin...@fiu.edu
 
 


RE: [cas-user] Hazelcast / Slow CAS

2015-08-31 Thread Christopher Myers
.java:735)
8 threads running in
org.apache.jk.common.ChannelSocket.read(ChannelSocket.java:628)
3 threads running in
com.sun.jndi.ldap.Connection.run(Connection.java:849)
Total Waiting for I/O read Threads: 3940

Threads in state Waiting for I/O accept
1 threads running in System Thread
1 threads running in
org.apache.catalina.core.StandardServer.await(StandardServer.java:431)
1 threads running in
org.apache.jk.common.ChannelSocket.accept(ChannelSocket.java:311)
1 threads running in
org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:178)
Total Waiting for I/O accept Threads: 4

Threads in state Polling
Total Polling Threads: 0

Threads in state Sleeping
1 threads running in
com.novell.webaccess.common.BaseServlet.run(BaseServlet.java:699)
1 threads running in
com.novell.webaccess.common.Log.run(Log.java:760)
1 threads running in
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1631)
1 threads running in
org.apache.catalina.tribes.group.GroupChannel$HeartbeatThread.run(GroupChannel.java:660)
1 threads running in
org.apache.catalina.tribes.membership.McastServiceImpl$SenderThread.run(McastServiceImpl.java:455)
Total Sleeping Threads: 5

Threads in state Unknown (system)
Total Unknown (system) Threads: 0

Total # of VM threads: 9



 

















>>> Bryan Wooten  08/31/15 3:45 PM >>>
Thanks Chris!
  
 This is really helpful.
  
  Bryan Wooten
 Tel: (801)585-9323
 Email:  bryan.woo...@utah.edu
  
 
 
  
   From: Christopher Myers [mailto:cmy...@mail.millikin.edu] 
 Sent: Monday, August 31, 2015 2:35 PM
 To: cas-user@lists.jasig.org; Bryan Wooten
 Subject: Re: [cas-user] Hazelcast / Slow CAS
 
 
  
 In the past when I've run into things like this, I've started a VNC
session on the server and let jvisualvm watch the tomcat process so that
it could give me statistics  on gc activity.
 
 For memory tuning, I spent roughly two months slowly tweaking the
config for our (very active) cluster nodes (which also host our webmail
and campus portal,) and came up with:
 
 -Xms6g -Xmx6g -Xss512k
-Dorg.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER=true
-XX:+UseCompressedOops -XX:MaxPermSize=256m -XX:NewRatio=3
-XX:SurvivorRatio=8 -XX:+UseConcMarkSweepGC -XX:+UseParNewGC
-XX:+DisableExplicitGC -XX:+UseCMSInitiatingOccupancyOnly 
-XX:+CMSClassUnloadingEnabled -XX:+CMSScavengeBeforeRemark
-XX:CMSInitiatingOccupancyFraction=68
 
 This routinely ends up with regular minor collections, and very few
major collections even after an extended period of high use.
 
 For additional monitoring, we also have a home-built diagnostics page
(attached) that we run on all of our cluster nodes, polled by our load
balancer. It polls things like used db threads, server connections, ldap
connections, heap size, gc activity, etc. :
 
 
 
 
 15:16pm up 19 days 5:55, 0 users, load average: 0.19, 0.31, 0.31
 
 
 Connection to PROD ok : connections in use/idle/max: 18/4/25 
 Connection to Moodle ok : connections in use/idle/max: 1/1/25 
 Connection to Jira ok : connections in use/idle/max: 1/0/25 
 Connection to Diebold ok : connections in use/idle/max: 1/1/25 
 
 
 Connection to LDAP on mulinedir1 is ok. 
 Connection to LDAPS on mulinedir1 is ok. 
 Connection to LDAP on mulinedir2 is ok. 
 Connection to LDAPS on mulinedir2 is ok. 
 
 Java Heap in use/max: 2140M/5990M
 Java non-Heap in use/max: 112M/304M
 
 Number of Java threads: 177
 Peak Java threads: 226
 
 
 Garbage Collection: Copy: 5969
 Garbage Collection: ConcurrentMarkSweep: 11
 
 
 Waiting for I/O accept: org.apache.catalina.core.StandardServer
 
 
 active internet connections (w/o servers)
 proto recv-q send-q local address foreign address state 
 tcp 9630 0 muwacnode1.millik:60700 muoradbprod.milli:6010 established 
 tcp 10200 0 muwacnode1.millik:54433 muoradbprod.milli:6010 established 
 tcp 10200 0 muwacnode1.millik:54433 muoradbprod.milli:6010 establ tcp 0 0 
muwacnode1.millik:44428 muoradbprod.milli:6010 established 
 tcp 0 0 localhost:8009 localhost:40585 established 
 
 
 ---
 ESTABLISHED: 104
 TIME_WAIT: 42
 CLOSE_WAIT: 2
 LDAP: 45
 LDAPS: 0
 HTTP: 0
 HTTPS: 3
 eDir1 Est: 7
 eDir2 Est: 10
 
 
 Filesystem Size Used Avail Use% Mounted on
 /dev/sda4 74G 17G 58G 23% /
 udev 4.0G 96K 4.0G 1% /dev
 tmpfs 4.0G 0 4.0G 0% /dev/shm
 /dev/sda1 92M 21M 66M 25% /boot
 /dev/sda3 4.0G 1.6G 2.5G 40% /var
 172.16.Y.X:/srv/www/htdocs 26G 8.7G 16G 36% /srv/www/htdocs
 172.16.Y.X:/var/export 4.0G 2.0G 1.9G 51% /var/export
 172.16.Y.X:/srv/deploy 26G 8.7G 16G 36% /srv/deploy
 172.16.Y.X:/mnt/data 26G 8.7G 16G 36% /data
 //muoesfile2/data 3.2T 2.6T 610G 81% /mnt/oesfile2
 myMILLIKIN project is deployed.
 
 
 
 
 Finally, we run JavaMelody on our cluster nodes as well, which gives
some really good statistics (note that these stats also include our
campus portal and webmail,
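
The connection-state block from the diagnostics page above (ESTABLISHED / TIME_WAIT / CLOSE_WAIT totals plus LDAP, LDAPS, HTTP and HTTPS tallies), as a standalone parser added to this archive page; it is not Chris's home-built page or any CAS code. It assumes Linux net-tools `netstat -tn` row layout, and the rows are constructed with RFC 5737 test addresses in place of real hosts. It adds one check the page output only implies: a CLOSE_WAIT count that keeps climbing between polls means the JVM is not closing sockets its peers already closed, which is a connection leak worth catching before load makes it visible.

```python
"""Summarise 'netstat -tn' rows the way the diagnostics page above does.
Example added to this archive page; not the list author's code.
Assumes Linux net-tools column order; sample rows are constructed."""
from collections import Counter

# Ports to label, matching the categories on the diagnostics page.
PORT_LABELS = {389: "LDAP", 636: "LDAPS", 80: "HTTP", 443: "HTTPS"}


def parse_row(line):
    """Return (local, foreign, state) for a tcp data row, or None for the
    two header lines netstat prints first."""
    parts = line.split()
    if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
        return None
    return parts[3], parts[4], parts[5]


def port_of(addr):
    """Port from 'host:port'; rsplit keeps IPv6 forms like ::1:8009 working."""
    return int(addr.rsplit(":", 1)[1])


def summarise(lines):
    """Count connections per state, and ESTABLISHED ones per labelled service
    on either end (local port for inbound HTTPS, foreign port for outbound LDAP)."""
    states = Counter()
    services = {label: 0 for label in PORT_LABELS.values()}
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        local, foreign, state = row
        states[state] += 1
        if state != "ESTABLISHED":
            continue
        label = PORT_LABELS.get(port_of(local)) or PORT_LABELS.get(port_of(foreign))
        if label:
            services[label] += 1
    return states, services


def close_wait_alert(states, threshold=20):
    """CLOSE_WAIT sockets were closed by the peer but never by this JVM; a
    count at or above the threshold points at pooled LDAP/DB handles that
    are not being returned. The threshold is an assumed starting point."""
    return states.get("CLOSE_WAIT", 0) >= threshold


def report(lines):
    """Render the same block the diagnostics page shows, as one string."""
    states, services = summarise(lines)
    out = ["%s: %d" % (s, states[s]) for s in ("ESTABLISHED", "TIME_WAIT", "CLOSE_WAIT")]
    out += ["%s: %d" % (k, v) for k, v in services.items()]
    return "\n".join(out)


# Constructed sample in 'netstat -tn' layout (RFC 5737 addresses).
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.11:60700        192.0.2.50:6010         ESTABLISHED
tcp        0      0 192.0.2.11:41022        192.0.2.20:389          ESTABLISHED
tcp        0      0 192.0.2.11:41023        192.0.2.20:389          ESTABLISHED
tcp        0      0 192.0.2.11:41024        192.0.2.21:636          ESTABLISHED
tcp        0      0 192.0.2.11:443          198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.11:443          198.51.100.8:51235      TIME_WAIT
tcp        0      0 192.0.2.11:38800        192.0.2.50:6010         CLOSE_WAIT
tcp        0      0 127.0.0.1:8009          127.0.0.1:40585         ESTABLISHED
"""

if __name__ == "__main__":
    print(report(NETSTAT_SAMPLE.splitlines()))
    states, _ = summarise(NETSTAT_SAMPLE.splitlines())
    print("CLOSE_WAIT alert:", close_wait_alert(states))
```

Feed it live output with `netstat -tn | python3 thisfile.py` after swapping the sample for `sys.stdin`; the per-service counts are what a load balancer health poll can threshold on, and the CLOSE_WAIT check is the one to wire to an alert rather than a dashboard.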

Re: [cas-user] Attribute resolved but not released?

2015-09-03 Thread Christopher Myers
I'd run into something similar when I set up attribute release on our end; 
these are the notes I made about it at the time:




Found this: 
http://jasig.275507.n4.nabble.com/ldaptive-integration-td4660076.html


Which points to this: 
http://jasig.github.io/cas/development/installation/LDAP-Authentication.html#active-directory-authentication


Had to add this to the deployerConfigContext.xml file:


and modify the searchConnectionPool bean to reference the 
searchConnectionFactory:


then add the ldap.managerDn and ldap.managerPassword attrs to the 
cas.properties file.


After doing so, the attrs are returned correctly 

>>> Chris Irwin  09/03/15 10:55 AM >>>
   After some reconfigurations I was able to get the attribute map to 
populate:
 
 
 2015-09-03 11:34:19,142 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] 
- Extractor generated service for: https://njcu.awardspring.com/SignIn/CASAuth
 2015-09-03 11:35:49,483 INFO 
[org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered 
services.
 2015-09-03 11:35:49,483 DEBUG 
[org.jasig.cas.services.DefaultServicesManagerImpl] - Adding registered service 
^(https?|imaps?)://.*
 2015-09-03 11:35:49,483 INFO 
[org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 1 services.
 2015-09-03 11:36:45,709 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] 
- Extractor generated service for: https://njcu.awardspring.com/SignIn/CASAuth
 2015-09-03 11:36:45,709 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] 
- Extractor generated service for: https://njcu.awardspring.com/SignIn/CASAuth
 2015-09-03 11:36:56,144 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Attempting LDAP 
authentication for 2233445+password
 2015-09-03 11:36:56,175 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: 
[org.ldaptive.auth.AuthenticationResponse@1429278053::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS,
 
ldapEntry=[dn=CN=2233445,OU=PeopleSoft_UGrads,DC=students,dc=root,dc=njcu[[legacyExchangeDN[/o=First
  Organization/ou=Exchange Administrative Group 
(FYDIBOHF23SPDLT)/cn=Recipients/cn=2233445557]], [mail[asa...@njcu.edu]], 
[proxyAddresses[SMTP:asa...@njcu.edu, smtp:asa...@live.njcu.edu, 
smtp:asa...@exchange.njcu.edu]], [uSNCreated[59219964]], 
[whenChanged[20150828141421.0Z]],  [objectClass[top, person, 
organizationalPerson, user]], [primaryGroupID[513]], [givenName[Apple]], 
[objectGUID[BbC~1?uF??!%??]], [extensionAttribute15[GALEnabled]], 
[instanceType[0]], [objectSid[~dS?0n?.?^?M ]], 
[whenCreated[20150810155326.0Z]],  [msExchHideFromAddressLists[TRUE]], 
[dSCorePropagationData[1601010100.0Z]], [sn[Sauce]], 
[userAccountControl[66048]], [lastLogonTimestamp[130852448531619587]], 
[mailNickname[ASauce]], [msExchRecipientTypeDetails[128]], [cn[2233445]], 
[msExchRecipientDisplayType[6]],  [sAMAccountName[2233445]], 
[targetAddress[SMTP:asa...@live.njcu.edu]], [sAMAccountType[805306368]], 
[userPrincipalName[asa...@njcu.edu]], [showInAddressBook[CN=All Mail 
Users(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=First 
Organization,CN=Microsoft  
Exchange,CN=Services,CN=Configuration,DC=root,DC=njcu, CN=All 
Recipients(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=First 
Organization,CN=Microsoft 
Exchange,CN=Services,CN=Configuration,DC=root,DC=njcu]], [displayName[Apple 
Sauce]], [pwdLastSet[130852448484974989]],  [name[2233445]], 
[msExchPoliciesExcluded[{26491cfc-9e50-4857-861b-0cb8df22b5d7}]], 
[msExchUMDtmfMap[emailAddress:272823, lastNameFirstName:2233445, 
firstNameLastName:2233445]], 
[objectCategory[CN=Person,CN=Schema,CN=Configuration,DC=root,DC=njcu]], 
[distinguishedName[CN=2233445,OU=PeopleSoft_UGrads,DC=students,DC=root,DC=njcu]],
  [internetEncoding[1310720]], [msExchVersion[44220983382016]], 
[uSNChanged[60537450]]], responseControls=null, messageId=-1], 
accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]
 2015-09-03 11:36:56,175 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [sAMAccountName[2233445]]
 2015-09-03 11:36:56,175 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [cn[2233445]]
 2015-09-03 11:36:56,175 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [givenName[Apple]]
 2015-09-03 11:36:56,175 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [sn[Sauce]]
 2015-09-03 11:36:56,175 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [mail[asa...@njcu.edu]]
 2015-09-03 11:36:56,175 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [displayName[Apple Sauce]]
 2015-09-03 11:36:56,175 INFO 
[org.jasig.cas.authentication.Policy

Re: [cas-user] CAS compile errors

2015-10-12 Thread Christopher Myers
Hi Ron,

I get a bunch of random issues when I try to compile v4.x as well; I just add 
the flag -Dmaven.test.skip=true to my compile command. The errors I get are the 
same as in https://issues.jasig.org/browse/CAS-799 All works fine and no 
problems running in production for several months now.

Chris



>>> Ron Clark  10/12/15 10:32 AM >>>
Am trying to get cas-4.1 compiled and am getting errors in the server-core 
tests. Any help I could get on this would be greatly appreciated.

 Some of the errors I get are as follows:

Test set: org.jasig.cas.authentication.FileTrustStoreSslSocketFactoryTests
---
Tests run: 6, Failures: 3, Errors: 0, Skipped: 0, Time elapsed: 0.923 sec <<< 
FAILURE! - in org.jasig.cas.authentication.FileTrustStoreSslSocketFactoryTests
verifyTrustStoreLoadingSuccessfullyForValidEndpointWithNoCert(org.jasig.cas.authentication.FileTrustStoreSslSocketFactoryTests)
  Time elapsed: 0.074 sec  <<< FAILURE!
java.lang.AssertionError: null
at org.junit.Assert.fail(Assert.java:86)
at org.junit.Assert.assertTrue(Assert.java:41)
at org.junit.Assert.assertTrue(Assert.java:52)
at 
org.jasig.cas.authentication.FileTrustStoreSslSocketFactoryTests.verifyTrustStoreLoadingSuccessfullyForValidEndpointWithNoCert(FileTrustStoreSslSocketFactoryTests.java:77)

verifyTrustStoreLoadingSuccessfullyWithCertAvailable2(org.jasig.cas.authentication.FileTrustStoreSslSocketFactoryTests)
  Time elapsed: 0.141 sec  <<< FAILURE!
java.lang.AssertionError: null
at org.junit.Assert.fail(Assert.java:86)
at org.junit.Assert.assertTrue(Assert.java:41)
at org.junit.Assert.assertTrue(Assert.java:52)
at 
org.jasig.cas.authentication.FileTrustStoreSslSocketFactoryTests.verifyTrustStoreLoadingSuccessfullyWithCertAvailable2(FileTrustStoreSslSocketFactoryTests.java:55)

verifyTrustStoreLoadingSuccessfullyWihInsecureEndpoint(org.jasig.cas.authentication.FileTrustStoreSslSocketFactoryTests)
  Time elapsed: 0.154 sec  <<< FAILURE!
java.lang.AssertionError: null
at org.junit.Assert.fail(Assert.java:86)
at org.junit.Assert.assertTrue(Assert.java:41)
at org.junit.Assert.assertTrue(Assert.java:52)
at 
org.jasig.cas.authentication.FileTrustStoreSslSocketFactoryTests.verifyTrustStoreLoadingSuccessfullyWihInsecureEndpoint(FileTrustStoreSslSocketFactoryTests.java:86)


Thank you in advance,


-- 
Ron Clark
 SysAdmin
 Armstrong State University
 Phone 912 3442921



Re: [cas-user] Cas install

2015-10-13 Thread Christopher Myers
Not sure if this will help out or not, but here are some notes on what I had to do 
to get things working for us with v4 (upgrading from v3.5.2):

You can't use the maven 2 version that was already on the boxes to build
 the new version of CAS; instead, you need to download the 3.2.5 version 
from http://maven.apache.org/download.cgi, extract it, and change the "maven" 
symlink to point to the new install folder.

The first time I tried to run "mvn package" after doing this, I got the error:


 Non-parseable POM 
/root/.m2/repository/org/jasig/parent/jasig-parent/39/jasig-parent-39.pom:
 Expected root element 'project' but found 'html'


When I looked at the contents of that .pom file, it was an HTML document that 
just said basically "HTTP 301 moved permanently."


I deleted the /root/.m2 folder, and after doing so, things started running.
 
Now I'm getting the error:


Failed to execute goal 
com.mycila.maven-license-plugin:maven-license-plugin:1.9.0:check 
(default) on project cas-server: Resource 
/opt/cas-server-4.0.0/src/licensing/header.txt not found in file system


Found this: https://github.com/Jasig/cas/issues/745


Modified the pom.xml file, changed


${cs.dir}/src/licensing/header.txt

to 


${licenseHeader}

After doing so, that error went away.
 
Now I'm getting the error:


Caused by: java.io.FileNotFoundException: Could not open ServletContext 
resource [/WEB-INF/-servlet.xml]


I found this Jira issue about it: https://issues.jasig.org/browse/CAS-799
 which basically says "we can't reproduce the issue" and someone 
recommended to disable the tests since everything else tests fine:


mvn package install -Dmaven.test.skip=true
 
With that said, all is working fine now :)

>>> Ron Clark  10/13/15 9:21 AM >>>
Have been working on this for 4 days and it wants to continue to kick my rear 
end. I can't seem to get cas 4.1.0 to compile. Any assistance would be 
appreciated.


The error is as follows:

[FATAL] Non-resolvable parent POM for org.jasig.cas:cas-server:4.1.0: Could not 
transfer artifact org.jasig.parent:jasig-parent:pom:40 from/to central 
(https://repo.maven.apache.org/maven2): java.lang.RuntimeException: Unexpected 
error: java.security.InvalidAlgorithmParameterException: the trustAnchors 
parameter must be non-empty and 'parent.relativePath' points at wrong local POM 
@ line 22, column 13


Thanks in advance,

Ron

-- 
Ron Clark
 SysAdmin
 Armstrong State University
 Phone 912 3442921

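The "Non-parseable POM ... Expected root element 'project' but found 'html'" error in the notes above is an HTTP redirect page that Maven cached under a .pom file name. As an added example (not code from the thread or from the CAS project), the following Python scan walks a local Maven repository and flags cached artifacts whose bytes do not match their extension, and compares each against the .sha1 sidecar Maven stores beside it when one is present; the sample repository it builds is constructed, reusing the jasig-parent coordinates mentioned in the thread.

```python
"""Scan a local Maven repository for cached artifacts that are not what their
file extension claims: an HTTP redirect page stored under a .pom name (the
'Expected root element project but found html' symptom) or a non-ZIP .jar.
Added example; the sample repository content below is constructed."""
from __future__ import annotations

import hashlib
import re
import tempfile
import zipfile
from pathlib import Path

HTML_MARKER = re.compile(rb"<\s*(?:!doctype\s+html|html)\b", re.IGNORECASE)
PROJECT_ROOT = re.compile(rb"<\s*project\b", re.IGNORECASE)


def classify_pom(data: bytes) -> str | None:
    """Return a reason if the POM bytes look wrong, else None."""
    if HTML_MARKER.search(data[:2048]):
        return "HTML document cached as POM"
    if not PROJECT_ROOT.search(data):
        return "no <project> root element"
    return None


def classify_jar(path: Path) -> str | None:
    """A JAR must be a ZIP archive; anything else is a corrupt or bogus download."""
    return None if zipfile.is_zipfile(path) else "not a ZIP archive"


def check_sha1(path: Path) -> str | None:
    """Maven stores <artifact>.sha1 beside each download; compare when present."""
    sidecar = path.with_name(path.name + ".sha1")
    if not sidecar.exists():
        return None
    parts = sidecar.read_text(errors="replace").split()
    if not parts:
        return "empty .sha1 sidecar"
    expected = parts[0].lower()  # some servers append the filename after the hash
    actual = hashlib.sha1(path.read_bytes()).hexdigest()
    if expected != actual:
        return f"sha1 mismatch (sidecar {expected[:12]}, actual {actual[:12]})"
    return None


def scan_repo(root: Path) -> list[tuple[str, str]]:
    """Walk the repository; return (relative path, reason) for each finding."""
    findings: list[tuple[str, str]] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in (".pom", ".jar"):
            continue
        reason = (classify_pom(path.read_bytes()) if path.suffix == ".pom"
                  else classify_jar(path))
        reason = reason or check_sha1(path)
        if reason:
            findings.append((path.relative_to(root).as_posix(), reason))
    return findings


def build_demo_repo(base: Path) -> Path:
    """Constructed sample: a good POM with matching .sha1, an HTML page cached
    as a POM (the symptom from the thread), and a bogus JAR."""
    good = base / "org/jasig/parent/jasig-parent/39"
    good.mkdir(parents=True)
    pom = good / "jasig-parent-39.pom"
    pom.write_bytes(b'<?xml version="1.0"?>\n'
                    b'<project xmlns="http://maven.apache.org/POM/4.0.0"></project>\n')
    (good / "jasig-parent-39.pom.sha1").write_text(
        hashlib.sha1(pom.read_bytes()).hexdigest())
    bad = base / "org/jasig/parent/jasig-parent/40"
    bad.mkdir(parents=True)
    (bad / "jasig-parent-40.pom").write_bytes(
        b"<html><head><title>301 Moved Permanently</title></head></html>")
    jar_dir = base / "org/example/bogus/1.0"
    jar_dir.mkdir(parents=True)
    (jar_dir / "bogus-1.0.jar").write_bytes(b"<html>Not a jar</html>")
    return base


def run_demo() -> list[tuple[str, str]]:
    """Build the constructed repository in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_repo(build_demo_repo(Path(tmp)))
```

Pointing scan_repo at ~/.m2/repository lists exactly the files to delete before re-running mvn, instead of wiping the whole cache.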


Re: [cas-user] Access Denied, cas-management

2015-10-26 Thread Christopher Myers
Out of curiosity, did you enable the list of authorized users who can
use the management app?

https://wiki.jasig.org/display/CASUM/Configuring (Securing the Services
Management Application)
http://jasig.github.io/cas/4.1.x/installation/Installing-ServicesMgmt-Webapp.html
(Securing Access and Authorization)

Chris


>>> Patrick Coleman  10/26/15 10:21 AM >>>
Hi,

I’m new to CAS and have set up CAS using direction and samples from
these pages.


https://github.com/UniconLabs/simple-cas4-overlay-template


When I bring up the cas server it asks for username/login and when
entered says I’m
successful! And see this in my catalina.out file.


2015-10-26 11:09:01,271 INFO
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -

2015-10-26 11:09:01,283 INFO
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -

2015-10-26 11:09:01,289 INFO
[org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -

2015-10-26 11:09:01,299 INFO
[org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -

2015-10-26 11:11:40,975 DEBUG
[org.jasig.cas.web.view.CasReloadableMessageBundle] - 
2015-10-26 11:11:40,975 DEBUG
[org.jasig.cas.web.view.CasReloadableMessageBundle] - 
2015-10-26 11:11:40,976 DEBUG
[org.jasig.cas.web.view.CasReloadableMessageBundle] - 
2015-10-26 11:11:40,976 DEBUG
[org.jasig.cas.web.view.CasReloadableMessageBundle] - 
2015-10-26 11:11:40,977 DEBUG
[org.jasig.cas.web.view.CasReloadableMessageBundle] - 
2015-10-26 11:11:40,977 DEBUG
[org.jasig.cas.web.view.CasReloadableMessageBundle] - 
2015-10-26 11:11:41,041 INFO
[org.jasig.cas.CentralAuthenticationServiceImpl] - https://pat-test.chs.harvard.edu:8443/cas-management/login/cas] for
user [casuser]>
2015-10-26 11:11:41,044 INFO
[org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
https://pat-test.chs.harvard.edu:8443/cas-management/login/cas
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Oct 26 11:11:41 EDT 2015
CLIENT IP ADDRESS: 10.0.1.143
SERVER IP ADDRESS: 207.188.245.154
=


>
2015-10-26 11:11:41,058 DEBUG
[org.jasig.cas.client.validation.Cas20ServiceTicketValidator] - 
2015-10-26 11:11:41,058 DEBUG
[org.jasig.cas.client.validation.Cas20ServiceTicketValidator] - 
2015-10-26 11:11:41,058 DEBUG
[org.jasig.cas.client.validation.Cas20ServiceTicketValidator] - 
2015-10-26 11:11:41,058 DEBUG
[org.jasig.cas.client.validation.Cas20ServiceTicketValidator] -
https://pat-test.chs.harvard.edu:8443/cas/serviceValidate?ticket=ST-1-GNe4MUdFGjz6jf7cNmI2-pat-test.chs.harvard.edu&service=https%3A%2F%2Fpat-test.chs.harvard.edu%3A8443%2Fcas-management%2Flogin%2Fcas>
2015-10-26 11:11:41,059 DEBUG
[org.jasig.cas.client.validation.Cas20ServiceTicketValidator] -

2015-10-26 11:11:41,166 INFO
[org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -

2015-10-26 11:11:41,187 DEBUG
[org.jasig.cas.client.validation.Cas20ServiceTicketValidator] - 

casuser

Can anyone tell me what the problem is?


Thanks.


Pat.

 Patrick Coleman
patcole...@me.com
301-651-9573


Re: [cas-user] Access Denied, cas-management

2015-10-26 Thread Christopher Myers
No problem at all! Happy CAS-ing and hope you have a splendid Monday!

Chris

>>> Patrick Coleman  10/26/15 10:39 AM >>>
Hi Chris (and Carl),

Thanks for the fast response. That was the problem. I hadn’t authorized
the user.


Thank you, I’ve been banging my head off a wall for a few days trying to
figure it out.


Pat.

Patrick Coleman
patcole...@me.com
301-651-9573


Re: [cas-user] CAS Ldap Connection

2015-10-29 Thread Christopher Myers
It looks like you might have just copied the config from the examples without 
modifying it to fit your environment; for example, the cas.properties file says 
that your LDAP server is

ldap.url=ldap://localhost:389

and the deployerConfigContext file says that your base DN is
 p:baseDn="ou=users,dc=example,dc=com"

with bind credentials of
ldap.authn.baseDn=ou=Users,dc=example,dc=com
ldap.authn.managerDN=cn=admin,dc=example,dc=com
ldap.authn.managerPassword=qwerty123

so you might want to review the settings and make sure that they've been 
tweaked for your environment.

Chris


>>> Lutfi Oduncuoglu  10/29/15 8:34 AM >>>
Hello,


I have just started to use CAS and I want to authenticate users over my local 
ldap server. I did the exact configuration at 
http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html. I added 
that parts to deployerconfig.xml and cas.properties. Tomcat running in ssl 
mode, so I connect CAS via https.


However when I try to login CAS does not connect ldap. As you can see from 
catalina.out

2015-10-29 15:31:20,466 INFO 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 

2015-10-29 15:31:20,466 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
2015-10-29 15:31:20,467 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
2015-10-29 15:31:21,039 INFO 
[org.jasig.cas.services.DefaultServicesManagerImpl] - 
2015-10-29 15:31:21,039 INFO 
[org.jasig.cas.services.DefaultServicesManagerImpl] - 

My xml files are below.


Thank you very much for help

pom.xml

http://maven.apache.org/POM/4.0.0" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
http://maven.apache.org/maven-v4_0_0.xsd">
  
org.jasig.cas
cas-server
4.0.0
  
  4.0.0
  cas-server-webapp
  war
  Jasig CAS Web Application
  

  org.jasig.cas
  cas-server-webapp-support
  ${project.version}
  compile


  org.springframework
  spring-expression
  ${spring.version}
  runtime


  javax.servlet
  jstl
  1.1.2
  jar
  runtime


  taglibs
  standard
  1.1.2
  jar
  runtime


  org.jasig.cas
  cas-server-support-ldap
  4.0.0

  

  

  
org.apache.maven.plugins
maven-war-plugin

  cas
  

  ${basedir}/src/main/webapp/WEB-INF
  true
  WEB-INF
  
**/web.xml
  

  

  

  

  
${project.parent.basedir}
  


deployerConfigContext.xml


http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:p="http://www.springframework.org/schema/p"
   xmlns:c="http://www.springframework.org/schema/c"
   xmlns:tx="http://www.springframework.org/schema/tx"
   xmlns:util="http://www.springframework.org/schema/util"
   xmlns:sec="http://www.springframework.org/schema/security"
   xsi:schemaLocation="http://www.springframework.org/schema/beans 
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
   http://www.springframework.org/schema/tx 
http://www.springframework.org/schema/tx/spring-tx-3.2.xsd
   http://www.springframework.org/schema/security 
http://www.springframework.org/schema/security/spring-security-3.2.xsd
   http://www.springframework.org/schema/util 
http://www.springframework.org/schema/util/spring-util.xsd">

ldap://localhost:389"
  p:connectTimeout="3000"
  p:useStartTLS="false"/>
  
and cas.properties file 

#
# Licensed to Jasig under one or more contributor license
# agreements. See the NOTICE file distributed with this work
# for additional information regarding copyright ownership.
# Jasig licenses this file to you under the Apache License,
# Version 2.0 (the "License"); you may not use this file
# except in compliance with the License.  You may obtain a
# copy of the License at the following location:
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
#

Re: [cas-user] need some design inputs

2015-11-12 Thread Christopher Myers
Hi Prasad,

You may be able to do an alternate CAS login page that you could set up basic 
auth on, and then pass the credentials (along with the service name) to the CAS 
login page for authentication? You could start with something like the 
following, and then modify it to meet your needs. In this case, you could just 
post service, username, and password parameters to the page, which would then 
do the authentication to CAS and redirect to the service.

You would store this file on your CAS server, probably in Tomcat's ROOT webapp 
folder. (This has been tested working for us with CAS 3.4.x, 3.5.x, and 4.0.1, 
but the usual "use at your own risk, your mileage may vary" disclaimer applies.)


<%@page contentType="text/html; charset=windows-1252" isELIgnored="false"
import="java.net.URL"
import="java.net.URLEncoder"
import="java.net.HttpURLConnection"
import="java.io.InputStream"
import="java.io.BufferedReader"
import="java.io.InputStreamReader"
%>

<%
  // Never let this page (or the tokens it carries) be cached anywhere.
  response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
  response.setHeader("Pragma","no-cache"); //HTTP 1.0
  response.setDateHeader ("Expires", -1); //prevents caching at the proxy server

  // The CAS login page on this same host; the service parameter is appended if supplied.
  String testURL = "https://" + String.valueOf(request.getServerName()) + "/cas/login";
  String myService = request.getParameter("service");
  String username = request.getParameter("username");
  String password = request.getParameter("password");

  if ((myService != null) && (!myService.isEmpty())) {
    // URL-encode the service so that '?' and '&' inside it survive the round trip
    testURL = testURL + "?service=" + URLEncoder.encode(myService, "UTF-8");
  }

  String myLT = "";
  String myExecution = "";
  URL myUrl = new URL(testURL);
  HttpURLConnection myUrlConnection = (HttpURLConnection)myUrl.openConnection();

  // First request: pick up the session cookie CAS sets for the login webflow.
  myUrlConnection.setDoInput(true);
  myUrlConnection.setDoOutput(false);
  String myCookie = myUrlConnection.getHeaderField("Set-Cookie");

  // Second request, carrying that cookie, returns the login form whose hidden
  // lt (login ticket) and execution values belong to this webflow session.
  myUrlConnection = (HttpURLConnection)myUrl.openConnection();
  if (myCookie != null) {
    myUrlConnection.setRequestProperty("Cookie", myCookie);
  }

  myUrlConnection.setDoInput(true);
  myUrlConnection.setDoOutput(false);

  // Hand the same session cookie(s) to the browser so its POST to /cas/login
  // lands in the webflow session that issued the login ticket.
  response.setContentType("text/html");
  if (myCookie != null) {
    response.addHeader("Set-Cookie", myCookie);
  }
  if (null != (myCookie = myUrlConnection.getHeaderField("Set-Cookie"))) {
    response.addHeader("Set-Cookie", myCookie);
  }

  InputStream webContent = myUrlConnection.getInputStream();
  BufferedReader pageStream = new BufferedReader(new InputStreamReader(webContent));
  String currentLine = "";

  if (myUrlConnection.getResponseCode() == 200) { //Makes sure that the page pulled correctly and didn't give an error
    // Scrape the hidden lt and execution inputs. This assumes each sits on its
    // own line laid out exactly as  value="..." />  (the +7 / -4 arithmetic depends on it).
    while ((currentLine = pageStream.readLine()) != null) {
      if (currentLine.toLowerCase().indexOf("name=\"lt\"") > -1) {
        myLT = currentLine.substring(currentLine.indexOf("value=") + 7, currentLine.length() - 4);
      } else if (currentLine.toLowerCase().indexOf("name=\"execution\"") > -1) {
        myExecution = currentLine.substring(currentLine.indexOf("value=") + 7, currentLine.length() - 4);
      }
    }
  }
  pageStream.close();

%>


Loading...
  
>>> Mahantesh Prasad Katti  11/12/15 12:37 AM >>>
  Hi All,
  
 I am working on an application that runs on glassfish. There are some web 
services exposed on this application. These are accessed using basic HTTP 
authentication by external applications. Recently this app [that runs on 
glassfish] was casified. This meant that the external applications cannot 
access the application by providing the http basic auth as they used to do 
earlier. [They do not want to get CAS tokens and supply them while invoking 
the services].
  
 The requirement is to retain previous auth model for external applications 
while having the CASification in place. We are using JSR-196 for the 
CASification. I wanted to know if this is really possible. JEE only allows us 
to have one active realm at any point in time. Is it possible to have a filter 
layer before JASPIC which based on the user agent header will determine if the 
request needs to be authenticated with http basic method? If so it will fire a 
request to CAS and get the token and redirect to the service being invoked.
  
 I can provide more details in case I was not able to explain the scenario 
properly.
  
 Regards
 Prasad 
 
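The JSP in Chris's reply slices the lt and execution values out of the CAS login page with fixed substring arithmetic (indexOf("value=") + 7, length() - 4), which quietly returns garbage whenever the markup differs from the one layout it expects. The following Python code is an added example, not code from the thread or from CAS: it pulls those hidden fields out with a real HTML parser, reports a missing token instead of posting an empty one, and transcribes the JSP's substring logic as brittle_extract for comparison; the login-page markup and the token values are constructed.

```python
"""Extract the hidden lt (login ticket) and execution fields from a CAS 3.x/4.0
login page with a real HTML parser rather than fixed substring offsets.
Added example; the login-page markup and token values are constructed."""
from __future__ import annotations

from html.parser import HTMLParser
from typing import Optional


class HiddenInputParser(HTMLParser):
    """Collect name -> value for every <input type="hidden"> on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.hidden: dict[str, str] = {}
        self.form_action: Optional[str] = None

    def handle_starttag(self, tag: str, attrs) -> None:
        a = dict(attrs)
        if tag == "form" and self.form_action is None:
            self.form_action = a.get("action")
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def extract_login_tokens(page: str) -> dict[str, Optional[str]]:
    """Return lt, execution and the form action; each is None when absent."""
    p = HiddenInputParser()
    p.feed(page)
    p.close()
    return {"lt": p.hidden.get("lt"),
            "execution": p.hidden.get("execution"),
            "action": p.form_action}


def login_tokens_or_none(page: str) -> Optional[tuple[str, str]]:
    """(lt, execution), or None when either is missing (expired webflow, error
    page, changed markup) so the caller never posts empty token values."""
    t = extract_login_tokens(page)
    if not t["lt"] or not t["execution"]:
        return None
    return t["lt"], t["execution"]


def brittle_extract(line: str) -> str:
    """Python transcription of the JSP's
    line.substring(line.indexOf("value=") + 7, line.length() - 4);
    correct only when the line ends in exactly  value="..." />"""
    i = line.find("value=")
    return line[i + 7:len(line) - 4]


# Constructed login page in the layout the JSP expects (one hidden input per line).
SAMPLE_PAGE = """<html><body>
<form action="/cas/login?service=https%3A%2F%2Fapp.example.edu%2F" method="post">
  <input id="username" name="username" type="text" />
  <input id="password" name="password" type="password" />
  <input type="hidden" name="lt" value="LT-1-constructed" />
  <input type="hidden" name="execution" value="e1s1" />
</form></body></html>"""

# Same token in equally valid markup: attribute order changed, no space before "/>".
COMPACT_LINE = '<input value="LT-1-constructed" name="lt" type="hidden"/>'
```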