Re: [cas-user] Troubles with password policy: all successful authentications get successWithWarnings state
On 23/03/2015 17:15, Misagh Moayyed wrote:
> This is already fixed in master. The problem is here:
> https://github.com/Jasig/cas/blob/4.0.x/cas-server-core/src/main/java/org/jasig/cas/web/flow/AuthenticationViaFormAction.java
> The "hasWarningMessages", once set to true, will always remain true. Your workaround for now would be to download the above file into your overlay and reset the flag to false before each attempt.

I'd rather revert this commit, in this case:
https://github.com/Jasig/cas/commit/74ac80408dc6ef4909b7cb6964b52db67ebe81bf

--
Guillaume Rousse
INRIA, Direction des systèmes d'information
Domaine de Voluceau Rocquencourt - BP 105
78153 Le Chesnay
Tel: 01 39 63 58 31
[cas-user] Troubles with password policy: all successful authentications get successWithWarnings state
Hello list.

We are using cas server 4.0.0 and OpenLDAP, with password policy support enabled, limited to password quality settings so far. This morning we activated password expiration, by setting explicit values for the pwdMaxAge and pwdExpireWarning attributes. Everything was working as expected during our tests, but we quickly ran into problems in production: whereas users whose password is about to expire are correctly redirected to a warning page with correct explanations, all other users are forcefully redirected to the same warning page, without any explanations...

Actually, it turns out that as soon as at least one user gets a "successWithWarnings" state upon authentication, all other users also get this state, and get redirected to the "casLoginMessageView" view, even if the actual message list is empty.

The problem is reproducible with this scenario:
- userA has a valid password, and is not subject to expiration warnings
- userB has a valid password, and is subject to expiration warnings

Resulting in the following sequence of events:
a) userA logs in successfully: he is redirected to the target application
b) userB logs in successfully: he is redirected to the CAS server warning page, with a correct message
c) userA logs in successfully: he is redirected to the CAS server warning page, without any message

Restarting the tomcat server is enough to reset the situation.

I initially supposed the issue was in the DefaultAccountStateHandler class, and was related to an undefined vs. empty list of warning messages. However, enabling debug log level doesn't show any significant difference between attempts (a) and (c):

Attempt (a):
DEBUG [...DefaultAccountStateHandler] - Account state not defined
DEBUG [...DefaultAccountStateHandler] - Handling null
DEBUG [...DefaultAccountStateHandler] - No LDAP error mapping defined for null
DEBUG [...DefaultAccountStateHandler] - Account state warning not defined

Attempt (c):
DEBUG [...DefaultAccountStateHandler] - Account state not defined
DEBUG [...DefaultAccountStateHandler] - Handling null
DEBUG [...DefaultAccountStateHandler] - No LDAP error mapping defined for null
DEBUG [...DefaultAccountStateHandler] - Account state warning not defined

i.e., in both cases the handleWarning() method is called with a null warning parameter, which is consistent with the ldaptive documentation: AccountState.getWarning() returns null if no warnings exist.

I guess the issue is rather located in the AuthenticationViaFormAction class, somewhere in this loop:

    for (final Map.Entry entry : tgt.getAuthentication().getSuccesses().entrySet()) {
        for (final Message message : entry.getValue().getWarnings()) {
            addWarningToContext(messageContext, message);
        }
    }
    if (this.hasWarningMessages) {
        return newEvent(SUCCESS_WITH_WARNINGS);
    }
    return newEvent(SUCCESS);

I guess something is pushing an empty or undefined message in the context, which is enough to set the hasWarningMessages flag.

Should I open a ticket?
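The stuck flag behind the loop above (and named in Misagh's reply) reduced to its essence, as an added illustration that is not CAS code: a Spring Web Flow action bean is a singleton, so a boolean instance field set by one user's request is still true when the next user's request is handled. The class names and the plain String warnings are assumptions made for this example.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added illustration (not CAS code): per-request state kept in a field of a
// singleton action leaks from one user's authentication into the next one's.
public class WarningFlagDemo {

    static final String SUCCESS = "success";
    static final String SUCCESS_WITH_WARNINGS = "successWithWarnings";

    /** Mirrors the 4.0.x behaviour: the flag is an instance field and is never reset. */
    static final class StickyAction {
        private boolean hasWarningMessages; // shared by every request this singleton handles

        String handle(List<String> warnings) {
            for (String w : warnings) {
                hasWarningMessages = true; // set once, cleared only by a restart
            }
            return hasWarningMessages ? SUCCESS_WITH_WARNINGS : SUCCESS;
        }
    }

    /** Corrected form: the outcome depends only on the warnings of this request. */
    static final class PerRequestAction {
        String handle(List<String> warnings) {
            boolean hasWarningMessages = false; // local to this invocation
            for (String w : warnings) {
                hasWarningMessages = true;
            }
            return hasWarningMessages ? SUCCESS_WITH_WARNINGS : SUCCESS;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: userA has no warning, userB's password is about to expire.
        List<String> none = Collections.emptyList();
        List<String> expiring = Arrays.asList("Password expires in 3 days");

        StickyAction sticky = new StickyAction();
        System.out.println("sticky userA: " + sticky.handle(none));
        System.out.println("sticky userB: " + sticky.handle(expiring));
        System.out.println("sticky userA: " + sticky.handle(none));

        PerRequestAction fixed = new PerRequestAction();
        System.out.println("fixed  userA: " + fixed.handle(none));
        System.out.println("fixed  userB: " + fixed.handle(expiring));
        System.out.println("fixed  userA: " + fixed.handle(none));
    }
}
```

With StickyAction the third call reports successWithWarnings although userA's request carried no warning, which is exactly the (a)/(b)/(c) sequence above; PerRequestAction returns success for it.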
Re: [cas-user] mod_auth_cas and Apache httpd 2.4
On 23/07/2014 23:39, Tom Poage wrote:
> Greetings,
> Apache httpd 2.4 has been out some two years, and some recent large(ish) market share Linux releases are bundling this server (e.g. RHEL 7, CentOS 7). Are there plans to update mod_auth_cas to support httpd 2.4? Time frame?

I'm using the latest mod_auth_cas release (1.0.9.1) with apache 2.4 without any problem, and the changelog from the debian package also mentions 'rebuild for apache 2.4':
http://metadata.ftp-master.debian.org/changelogs//main/liba/libapache2-mod-auth-cas/libapache2-mod-auth-cas_1.0.9.1-4_changelog

I don't really understand those supposed incompatibility issues.
Re: [cas-user] Rebuilding a single cas-server-support-anything component
On 21/07/2014 15:26, daniel.char...@unice.fr wrote:
> Hi Guillaume,
> I did:
>   cd /cas-server-4.0.0/
>   vi pom.xml
>   replace ${cs.dir}/src/licensing/header.txt by ${licenseHeader}
>   mvn package install
> worked for me

Excellent, thanks :)
Re: [cas-user] Rebuilding a single cas-server-support-anything component
On 18/07/2014 10:39, Misagh Moayyed wrote:
> Are you building from master? If so, try pulling once. I just ran the build and all passes for me.

No, from the cas-server 4.0 release, as I'm trying to minimize the changes.
Re: [cas-user] Contributing documentation fixes
On 18/07/2014 09:43, Misagh Moayyed wrote:
> Appreciate you taking initiative. The docs live here: https://github.com/Jasig/cas/tree/gh-pages
> You'll find a 4.0.0 directory (for the 4.0.0 release) in there as well as a development directory which hosts the next version of the docs for the next release.

Pull Request pending :)
[cas-user] Rebuilding a single cas-server-support-anything component
Hello.

I'm trying to build the cas 4.0 ldap support component (cas-server-support-ldap), to add the patch from https://github.com/Jasig/cas/pull/422. However, I can't manage to rebuild this component properly using maven. "mvn package" fails because of the license check, configured in the top-level pom.xml:

[ERROR] Failed to execute goal com.mycila.maven-license-plugin:maven-license-plugin:1.9.0:check (default) on project cas-server-support-ldap: Resource /home/guillaume/work/inria/sesi/devel/packages/cas-server/cas-server-4.0.0/src/licensing/header.txt not found in file system, classpath or URL: no protocol: /home/guillaume/work/inria/sesi/devel/packages/cas-server/cas-server-4.0.0/src/licensing/header.txt -> [Help 1]

Using the --fail-never option allows ignoring this error safely, but the expected jar file is not created anyway.

Is there any magic command-line invocation I'm missing, or should I switch to a simpler tool such as ant for my purpose?
[cas-user] Contributing documentation fixes
Hello.

I've already spotted several issues in the CAS 4.0 documentation that ought to be fixed or complemented:
* invalid example in the "Multi-factor Authentication (MFA)" section of the "Configuring-Authentication-Components" page
* invalid example in the "LPPE configuration" section of the "LDAP-Authentication" page
* missing response handlers configuration details in the "LPPE configuration" section of the "LDAP-Authentication" page

Those errors have also been reported in past discussions, such as https://groups.google.com/forum/#!topic/jasig-cas-user/yEbuLn8wKZ8, but nothing has been changed so far. I'd happily contribute patches, but I couldn't find the documentation sources anywhere on github.
Re: [cas-user] Looking for a tutorial on using CAS
On 24/06/2014 17:36, George Brink wrote:
> Hi all,
> Right now I am making a web site which would use CAS to recognize users. The site is based on a set of Perl scripts. I am looking for a comprehensive tutorial on how I am supposed to use CAS. I see a lot of documentation (and it is discussed here a lot) on how to create a CAS server in Java, but I need to _use_ CAS...
> So far I found the AuthCAS module on CPAN, but I am not sure how to use it. All examples end on initial authentication, but what to do next? How can I make sure that the user who is looking on other pages of my site did pass the CAS authentication on the "welcome" page of the web site?

That's a generic authentication issue, and is not specific to CAS usage.

> Ideally, I would like to have some "validateUser" function on each and every page of my site, but as far as I understand, CAS does not have such an ability? Once a 'ticket' is validated it is not usable anymore?

Unless you have a strong reason to implement authentication in your application, just delegate it to the web server, and use mod_auth_cas.
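What the delegation suggested above looks like in practice, as an added illustration that is not part of the thread or of the mod_auth_cas project: a minimal httpd configuration protecting every page of an application with mod_auth_cas. The hostnames, filesystem paths and the /app location are placeholders.

```apache
# Added example, not from the thread or the mod_auth_cas project.
# Hostnames and paths below are placeholders to adapt to the deployment.
LoadModule auth_cas_module modules/mod_auth_cas.so

# Where the CAS server lives (placeholder URLs).
CASLoginURL    https://cas.example.org/cas/login
CASValidateURL https://cas.example.org/cas/serviceValidate

# CA bundle used to verify the CAS server's TLS certificate when validating tickets.
CASCertificatePath /etc/ssl/certs/

# Directory (writable by httpd) where mod_auth_cas keeps its session state.
CASCookiePath /var/cache/apache2/mod_auth_cas/

# Protect the whole application, not only a "welcome" page: after the first
# ticket validation mod_auth_cas sets its own session cookie, so every later
# request is authenticated by httpd before any Perl script runs.
<Location /app>
    AuthType CAS
    Require valid-user
</Location>
```

The scripts then only need to read REMOTE_USER, which httpd populates with the authenticated CAS principal; an unauthenticated request never reaches them.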
Re: [cas-user] Authentication manager without principal resolver
On 18/06/2014 22:46, Misagh Moayyed wrote:
> http://jasig.github.io/cas/development/installation/Configuring-Authentication-Components.html

That's precisely the page I'm referring to from the beginning, and it needs to be corrected.
Re: [cas-user] Authentication manager without principal resolver
On 17/06/2014 19:03, Lapanja, Bob@POST wrote:
> This is what I used for my authenticationHandler that did not require a PrincipalResolver:

Thanks, it worked. Could the documentation get corrected? I tried to find the documentation sources on github to submit a patch myself, but I couldn't succeed.
[cas-user] Authentication manager without principal resolver
Hello.

From my understanding of the documentation ("PrincipalResolver Versus AuthenticationHandler" in [1]), you only need to use a full-blown principal resolver if the builtin facilities from your authentication handler aren't enough. As I'm using LDAP as the single authentication handler, and all my required attributes are stored there, it should be enough. However, any attempt to define an authentication handler without such a resolver mapping fails...

The following construct fails with a "Could not instantiate bean class [org.jasig.cas.authentication.PolicyBasedAuthenticationManager]: No default constructor found" error message:

The following (also used in the [1] example about multi-factor configuration) also fails with an "entry should contains a value" error message:

So, what's the expected syntax to use here?

[1] http://jasig.github.io/cas/4.0.0/installation/Configuring-Authentication-Components.html
[cas-user] Troubles understanding allowed syntax for ticket expiration policies
Hello list.

I've a bit of trouble understanding what the allowed syntax is for the various available ticket expiration policies, with cas server 3.5.2.

I understand that the original syntax is the one used in the first example of the documentation (https://wiki.jasig.org/display/casum/ticket+expiration+policy), meaning passing all parameters with an explicit index to the constructor, with time expressed in milliseconds:

Now, it seems recent spring versions provide additional syntactic sugar, based on argument pre-processing, such as:

or

I understand that the 'p' prefix refers to passing arguments through class setters ('p' for property) whereas the 'c' prefix refers to passing arguments to the constructor ('c' for constructor). I can eventually refer to the API documentation to understand that only some of the classes accept the first kind of syntax:
- HardTimeoutExpirationPolicy doesn't have any setter
- ThrottledUseAndTimeoutExpirationPolicy does

However, I don't understand which classes may accept time values expressed in another unit than milliseconds, using constants defined in the util schema:

    <bean id="serviceTicketExpirationPolicy"
          class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy"
          c:numberOfUses="1"
          c:timeToKill="${st.timeToKillInSeconds:10}"
          c:timeUnit-ref="SECONDS" />

This works

This doesn't work.

I've seen the long thread on the subject here:
http://jasig.275507.n4.nabble.com/ExpirationPolicy-Time-Unit-Consistency-td4469136.html
But there is no clear conclusion.

I also read this ticket:
https://issues.jasig.org/browse/CAS-1104
Which seems to imply that basically, only the default policies (meaning TicketGrantingTicketExpirationPolicy and MultiTimeUseOrTimeoutExpirationPolicy only) support arbitrary time units, all others requiring milliseconds, whatever the exact syntax used.

Am I correct?