RE: [cas-user] CAS 4.0 and 4.1 dependency to JRadius
Hi Misagh,

Thank you very much for updating it in 4.1. We will switch to 4.1 in a few months and until then we'll keep using our local JARs.

Best Regards,
Jarda

From: Misagh Moayyed [mailto:mmoay...@unicon.net]
Sent: 22 September 2015 5:17 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS 4.0 and 4.1 dependency to JRadius

4.1 is already updated. We might be able to release a 4.0.6 that uses jitpack, but since that would have CAS switch to 1.1.5 of jradius, it's going to require a lot of changes to the radius module to work with 1.1.5. So I'd recommend you try with 4.1 first. That should fix the dependency problem.

From: Jaroslav Kacer [mailto:jka...@idc.com]
Sent: Tuesday, September 22, 2015 8:12 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS 4.0 and 4.1 dependency to JRadius

Hello CAS community!

We have recently encountered an issue in CAS 4.0 and 4.1 when building it locally. The JRadius plugin depends on JRadius 1.0.0, which should be placed in the following repository, according to the POM file: http://coova-dev.s3.amazonaws.com/mvn

Unfortunately it seems that the repository is not available anymore and we are not able to find any other public repository with version 1.0.0. Although we have the JRadius libraries cached locally, I'd like to ask whether you plan to update the dependency in 4.0 and 4.1 as you did for 4.2 (I see a dependency on JRadius 1.1.5 hosted in the JitPack repository).

I'm aware of this bug report: https://github.com/coova/jradius/issues/1
But it is not clear if they plan to publish older versions into JitPack too.

Thank you!

Best Regards,
Jarda

-- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
[cas-user] CAS 4.0 and 4.1 dependency to JRadius
Hello CAS community!

We have recently encountered an issue in CAS 4.0 and 4.1 when building it locally. The JRadius plugin depends on JRadius 1.0.0, which should be placed in the following repository, according to the POM file: http://coova-dev.s3.amazonaws.com/mvn

Unfortunately it seems that the repository is not available anymore and we are not able to find any other public repository with version 1.0.0. Although we have the JRadius libraries cached locally, I'd like to ask whether you plan to update the dependency in 4.0 and 4.1 as you did for 4.2 (I see a dependency on JRadius 1.1.5 hosted in the JitPack repository).

I'm aware of this bug report: https://github.com/coova/jradius/issues/1
But it is not clear if they plan to publish older versions into JitPack too.

Thank you!

Best Regards,
Jarda
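The practical risk in the post above is the fallback it describes: once the upstream repository is gone, the build keeps working only because of JARs cached in developers' ~/.m2, and a cached file is not a verified file. The script below is an added example, not code from CAS, JRadius or the poster: it pins the SHA-256 of each cached artifact you have audited, refuses to install any copy that does not match or is missing, and prints the mvn install:install-file command only for copies that pass. The artifact names, bytes and digests are constructed for the example, and the net.jradius group id is an assumption.

```python
"""Pin and verify locally cached JARs before re-installing them into a Maven repository.

Added example for the JRadius thread: the only remaining copies of the 1.0.0 artifacts
are whatever sits in a local cache, so record the SHA-256 of the copy you audited,
verify every copy against that pin, and only then install it into the build's repository.
Artifact names, file contents and digests below are constructed for this example.
"""
import hashlib
import hmac
import shlex
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large JARs are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_pinned(manifest, base):
    """Check every pinned file under base.

    manifest maps a relative file name to the expected hex SHA-256.
    Returns {name: "ok" | "mismatch" | "missing"}; nothing is installed from here.
    """
    results = {}
    for name, expected in manifest.items():
        path = Path(base) / name
        if not path.is_file():
            results[name] = "missing"
        elif hmac.compare_digest(sha256_of(path), expected.lower()):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def install_command(jar, group_id, artifact_id, version):
    """mvn install:install-file invocation for a verified JAR (returned, not executed)."""
    args = ["mvn", "install:install-file", "-Dfile=%s" % jar, "-DgroupId=%s" % group_id,
            "-DartifactId=%s" % artifact_id, "-Dversion=%s" % version, "-Dpackaging=jar"]
    return " ".join(shlex.quote(a) for a in args)


def demo():
    """Constructed scenario: one intact cached JAR, one altered after pinning, one lost."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        core = base / "jradius-core-1.0.0.jar"
        dictionary = base / "jradius-dictionary-1.0.0.jar"
        core.write_bytes(b"PK\x03\x04 constructed jar contents A")
        dictionary.write_bytes(b"PK\x03\x04 constructed jar contents B")
        # The pin list is what you would commit next to the build after auditing the JARs.
        manifest = {
            core.name: sha256_of(core),
            dictionary.name: sha256_of(dictionary),
            "jradius-extended-1.0.0.jar": "0" * 64,  # pinned, but the cached copy is gone
        }
        # Simulate a copy that changed after it was pinned.
        dictionary.write_bytes(b"PK\x03\x04 constructed jar contents B, altered")
        results = verify_pinned(manifest, base)
        # "jradius-core-1.0.0.jar" -> artifactId "jradius-core" (group id is an assumption)
        commands = [install_command(base / n, "net.jradius", n.rsplit("-", 1)[0], "1.0.0")
                    for n, status in results.items() if status == "ok"]
        return results, commands


if __name__ == "__main__":
    results, commands = demo()
    for name, status in results.items():
        print("%-32s %s" % (name, status))
    for cmd in commands:
        print(cmd)
```

Point verify_pinned at the real cache directory and a committed pin file to use it for a real build; the .sha1 sidecars Maven stores next to cached artifacts came from the same repository that has since vanished, so they only catch corruption, not substitution, which is why the pin has to be yours.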
RE: [cas-user] SAML 2 metadata for CAS SP?
Hi Tom!

I can recommend you the PAC4J library [1]. We've been using it for about 1 year without any major problems. It's not limited to Google Apps and some others; we are using it with Shibboleth, MS ADFS and another proprietary IdP server. There is a demo app that integrates PAC4J inside CAS [2].

[1] http://www.pac4j.org/
[2] https://github.com/leleuj/cas-pac4j-oauth-demo

Best Regards,
Jarda

-----Original Message-----
From: Misagh Moayyed [mailto:mmoay...@unicon.net]
Sent: 27 August 2015 9:55 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] SAML 2 metadata for CAS SP?

The CAS SAML implementation can work with non-CAS SAML implementations, namely Google Apps, JICS portal and a few others. It depends, but it's safe to say that SAML2 support in CAS specifically is very limited. It may receive some attention in future versions.
[cas-user] Remember Me and the TTL for TGT cache
Hello everyone!

I am using CAS 4.0.0 and I have recently implemented the Remember-Me feature, as described here: http://jasig.github.io/cas/development/installation/Configuring-LongTerm-Authentication.html

However, this seems not to work correctly without an adjustment of the time-to-live value of the TGT cache:

<bean id="ticketGrantingTicketsCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean"
      parent="abstractTicketCache"
      p:cacheName="cas_tgt"
      p:timeToIdle="0"
      p:timeToLive="1209601"
      p:cacheEventListeners-ref="ticketRMIAsynchronousCacheReplicator" />

Here, I have increased the TTL value to fully cover the lifetime of long-term TGTs, as defined in ticketExpirationPolicies.xml. Can someone tell me if this is the right approach? The above HTML page does not mention anything about the caches, that's why I initially omitted this step. If this is the way to go, could the above instructions be updated to mention cache TTL adjustments, please?

At the moment, this change seems to fix the issue (no real-world testing yet), although I am concerned about possible performance impact. The new TTL is about 42 times longer than the old one, so the cache size might grow accordingly. On the other hand, only a small part of TGTs will be long-term and EHCache caches should automatically evict old tickets.

Thank you!
Jarda

--
Jaroslav Kačer
IDC | Application Developer
Phone: +420723914123
Mail: jka...@idc.com
RE:[cas-user] ERROR net.sf.ehcache.distribution.RMIAsynchronousCacheReplicator
Hi Bryan!

I remember I've already seen this issue. I am using CAS 4.0 with EH Cache. I found the solution here: https://www.mail-archive.com/cas-user@lists.jasig.org/msg12970.html

Please check the definition of bean cacheManager in ticketRegistry.xml. You should have set property shared to true like in this example:

<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"
      p:configLocation="classpath:ehcache-replicated.xml"
      p:shared="true"
      p:cacheManagerName="ticketRegistryCacheManager" />
<!-- Shared must be set to true! By default it is false. See https://www.mail-archive.com/cas-user@lists.jasig.org/msg12970.html -->

At least this is what helped in my case.

Best Regards,
Jarda

From: Bryan Wooten [mailto:bryan.woo...@utah.edu]
Sent: 17 February 2015 6:21 PM
To: cas-user@lists.jasig.org
Subject: [cas-user] ERROR net.sf.ehcache.distribution.RMIAsynchronousCacheReplicator

My cas.log is filled with this error: (CAS 3.5.2)

2015-02-17 07:53:18,138 ERROR [net.sf.ehcache.distribution.RMIAsynchronousCacheReplicator] - Exception on flushing of replication queue: null. Continuing...
java.lang.NullPointerException
	at net.sf.ehcache.distribution.RMISynchronousCacheReplicator.listRemoteCachePeers(RMISynchronousCacheReplicator.java:335)
	at net.sf.ehcache.distribution.RMIAsynchronousCacheReplicator.writeReplicationQueue(RMIAsynchronousCacheReplicator.java:312)
	at net.sf.ehcache.distribution.RMIAsynchronousCacheReplicator.replicationThreadMain(RMIAsynchronousCacheReplicator.java:127)
	at net.sf.ehcache.distribution.RMIAsynchronousCacheReplicator.access$000(RMIAsynchronousCacheReplicator.java:58)
	at net.sf.ehcache.distribution.RMIAsynchronousCacheReplicator$ReplicationThread.run(RMIAsynchronousCacheReplicator.java:389)

I found this: https://issues.jasig.org/browse/CAS-1174
But I am not using ClearPass.

Bryan Wooten
UIT-Common Infrastructure Systems
RE: [cas-user] ERROR net.sf.ehcache.distribution.RMIAsynchronousCacheReplicator
Hi again Bryan!

I would try adding this to your Log4J config:

<logger name="net.sf.ehcache">
    <level value="DEBUG" />
</logger>

And you should see if the data is being exchanged between your nodes. This could be a good start. If you can't see anything interesting, please provide us your EH Cache configuration, as Ben suggests.

Best Regards,
Jarda

From: Bryan Wooten [mailto:bryan.woo...@utah.edu]
Sent: 18 February 2015 12:19 AM
To: cas-user@lists.jasig.org
Cc: mmoay...@unicon.net
Subject: Re: [cas-user] ERROR net.sf.ehcache.distribution.RMIAsynchronousCacheReplicator

All, this issue is killing me. I was supposed to go live with this version tomorrow morning but this issue forced me to cancel.

The symptom I am seeing is that STs can't be validated. I believe this is because tickets are not being replicated across my 2 CAS servers. The back channel ST validation is failing because of this.

I checked and re-checked my ehcache-replication.xml configuration. Both servers are listening on port 40001. I am running on RHEL and have verified that there are no firewalls in place. I can telnet from each server to the other on port 40001. I have set the remote port in ehcache-replication.xml to 40002 yet neither server seems to be listening on this port.

Does anyone have suggestions for log4j settings I should set to get additional debug info?

I did note that my pom.xml has a dependency for ehcache, but I think that is built into the 3.5.2 overlay and I may not need that dependency.

Ehcache has worked well on our 3.4.12 CAS for many years, I am now stumped. Part of me says "Dump ehcache and go to Hazelcast..." JPA ticket registry is out of the question.

Cheers,
Bryan
RE: [cas-user] cannot build cas
Hello Andy!

This looks like a problem with your Maven; I cannot see any compilation/build problem related to CAS. Have you tried building another Maven project on your system? If you have, did you succeed?

What version of Maven do you use? And what Java version? (Type mvn -version) I have this:

Apache Maven 3.1.1 (0728685237757ffbf44136acec0402957f723d9a; 2013-09-17 17:22:22+0200)
Maven home: C:\SW\Maven
Java version: 1.7.0_55, vendor: Oracle Corporation
Java home: C:\Dev\Java\jdk1.7.0_55\jre
Default locale: en_US, platform encoding: Cp1252
OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"

… and I can build CAS 4.0 without any problems.

Have you tried cleaning your local Maven repository?

Best regards,
Jarda

From: Andy Turner [mailto:andy.tur...@mail.ic.edu]
Sent: 17 December 2014 3:19 PM
To: cas-user@lists.jasig.org
Subject: [cas-user] cannot build cas

After 2 days, I can't proceed. Some error about maven plugin 2.6 missing jar, I don't know how to fix it. CAS won't build when I get to mvn clean package. Here's the output (all my buffer will hold). Any ideas?

[INFO] --- maven-enforcer-plugin:1.3.1:enforce (enforce-maven) @ cas-server ---
[INFO]
[INFO] --- maven-enforcer-plugin:1.3.1:enforce (enforce) @ cas-server ---
[INFO]
[INFO] >>> findbugs-maven-plugin:3.0.0:check (findbugs-check) > :findbugs @ cas-server >>>
[INFO]
[INFO] --- findbugs-maven-plugin:3.0.0:findbugs (findbugs) @ cas-server ---
[INFO]
[INFO] <<< findbugs-maven-plugin:3.0.0:check (findbugs-check) < :findbugs @ cas-server <<<
[INFO]
[INFO] --- findbugs-maven-plugin:3.0.0:check (findbugs-check) @ cas-server ---
[INFO]
[INFO] --- maven-checkstyle-plugin:2.13:checkstyle (checkstyle) @ cas-server ---
[INFO]
[INFO] --- aspectj-maven-plugin:1.7:compile (default) @ cas-server ---
[WARNING] Not executing aspectJ compiler as the project is not a Java classpath-capable package
[INFO]
[INFO] --- maven-license-plugin:1.9.0:check (default) @ cas-server ---
[INFO] Checking licenses...
[WARNING] Unknown file extension: c:\cas\local-cas-4\cas-server-support-ldap\src\test\resources\ldapServerTrustStore
[INFO]
[INFO] --- maven-site-plugin:3.1.r1174614:attach-descriptor (attach-descriptor) @ cas-server ---
[INFO]
[INFO] Building Apereo CAS Core 4.1.0-SNAPSHOT
[INFO]
[INFO] --- maven-clean-plugin:2.5:clean (default-clean) @ cas-server-core ---
[INFO]
[INFO] --- maven-enforcer-plugin:1.3.1:enforce (enforce-maven) @ cas-server-core ---
[INFO]
[INFO] --- maven-enforcer-plugin:1.3.1:enforce (enforce) @ cas-server-core ---
[INFO]
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ cas-server-core ---
[WARNING] Error injecting: org.apache.maven.shared.filtering.DefaultMavenResourcesFiltering
java.lang.NoClassDefFoundError: Lorg/sonatype/plexus/build/incremental/BuildContext;
	at java.lang.Class.getDeclaredFields0(Native Method)
	at java.lang.Class.privateGetDeclaredFields(Class.java:2570)
	at java.lang.Class.getDeclaredFields(Class.java:1903)
	at com.google.inject.spi.InjectionPoint.getInjectionPoints(InjectionPoint.java:661)
	at com.google.inject.spi.InjectionPoint.forInstanceMethodsAndFields(InjectionPoint.java:366)
	at com.google.inject.internal.ConstructorBindingImpl.getInternalDependencies(ConstructorBindingImpl.java:165)
	at com.google.inject.internal.InjectorImpl.getInternalDependencies(InjectorImpl.java:609)
	at com.google.inject.internal.InjectorImpl.cleanup(InjectorImpl.java:565)
	at com.google.inject.internal.InjectorImpl.initializeJitBinding(InjectorImpl.java:551)
	at com.google.inject.internal.InjectorImpl.createJustInTimeBinding(InjectorImpl.java:865)
	at com.google.inject.internal.InjectorImpl.createJustInTimeBindingRecursive(InjectorImpl.java:790)
	at com.google.inject.internal.InjectorImpl.getJustInTimeBinding(InjectorImpl.java:278)
	at com.google.inject.internal.InjectorImpl.getBindingOrThrow(InjectorImpl.java:210)
	at com.google.inject.internal.InjectorImpl.getProviderOrThrow(InjectorImpl.java:986)
	at com.google.inject.internal.InjectorImpl.getProvider(InjectorImpl.java:1019)
	at com.google.inject.internal.InjectorImpl.getProvider(InjectorImpl.java:982)
	at com.google.inject.internal.InjectorImpl.getInstance(InjectorImpl.java:1032)
	at org.eclipse.sisu.space.AbstractDeferredClass.get(AbstractDeferredClass.java:48)
	at com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:86)
	at com.google.inject.internal.InternalFactoryToInitializableAdapter.provision(InternalFactoryToInitializableAdapter.java:55)
	at com.google.inject.internal.ProviderInternalFactory$1.call(ProviderInternalFactory.java:70)
	at
[cas-user] CAS 4.0: Users logged out randomly after some time
Hello everybody!

I have CAS 4.0 deployed in a cluster, using EH Cache distributed ticket registry. A problem has recently appeared: Our users are sometimes logged out sooner than they should be. We have TGT validity set to 8 hours. Despite that, users are sometimes logged out much sooner, e.g. after 1 hour. Sometimes, however, they can stay logged in for the whole 8 hours. It's quite hard to reproduce the problem, I must repeatedly click in the application and check if I'm logged out or not.

Has anybody encountered this issue?

I have switched debug logging on for some packages and the logs show that TGT tickets are deleted when the problem appears. Or, better said, an attempt is made to delete them but they cannot be found when they should be deleted.

destroyTicketGrantingTicket() in the central authentication service:
Removing ticket [TGT-1-9JI9h0cgdBi6jbVJhXEgb5ieByDvb6PRmiAKL7YEDpXYuyx7tw-idc-cas-4] from registry.
TicketGrantingTicket [TGT-1-9JI9h0cgdBi6jbVJhXEgb5ieByDvb6PRmiAKL7YEDpXYuyx7tw-idc-cas-4] cannot be found in the ticket registry.

Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: TGT-1-9JI9h0cgdBi6jbVJhXEgb5ieByDvb6PRmiAKL7YEDpXYuyx7tw-idc-cas-4
ACTION: TICKET_GRANTING_TICKET_DESTROYED
APPLICATION: CAS
WHEN: Mon Dec 08 05:16:29 EST 2014
CLIENT IP ADDRESS: 10.9.1.207
SERVER IP ADDRESS: 10.1.4.23
=============================================================

The URL accessed by the application is:

10.9.1.207 - - [08/Dec/2014:05:16:29 -0500] "GET /login?site=idc&service=http%3A%2F%2Fdev.idc.com%2Fj_spring_cas_security_check HTTP/1.1" 200 17457

It returns HTTP code 200 (sending the login form back) instead of 302 = redirect to the application.

I have tried both with HardTimeoutExpirationPolicy and TicketGrantingTicketExpirationPolicy, which is the default TGT policy in CAS 4. It makes no difference.

Do you have an idea what might be the cause of this faulty behavior? Is there something I should check? I have no idea why something in CAS tries to delete the TGT when it should live for the next X hours... And why the tickets seem not to exist when they should.

Any feedback will be highly appreciated!

Best Regards,
Jarda

--
Jaroslav Kačer
IDC | Application Developer
Phone: +420723914123
Mail: jka...@idc.com
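Both the Remember-Me post and the random-logout report above turn on the same invariant: a ticket's cache entry must outlive every expiration policy under which CAS may still consider the ticket valid, otherwise EhCache evicts a live TGT and CAS reports "cannot be found in the ticket registry" while the audit trail shows a TGT_DESTROYED it never asked for. The script below is an added example, not code from CAS or from the posters: it parses the EhCacheFactoryBean beans from ticketRegistry.xml and the policy beans from ticketExpirationPolicies.xml and reports any cache whose timeToLive (or a non-zero timeToIdle) is shorter than the longest lifetime the policies allow. The two XML fragments, the bean ids, the attribute names and the mapping of caches to policies are constructed for the example and follow CAS 4.0 naming only as an assumption; run it against your own files with two path arguments.

```python
"""Cross-check EhCache ticket-cache lifetimes against CAS ticket expiration policies.

Added example for the Remember-Me and random-logout threads. Bean ids, attribute names
and numbers in the two constructed fragments are assumptions modelled on CAS 4.0.
Rule: cache timeToLive must be >= the longest lifetime any applicable policy grants
(EhCache treats 0 as "never expire", which is the opposite problem: nothing is evicted
and only the ticket registry cleaner frees the heap).
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample of the relevant beans in ticketRegistry.xml (EhCache registry).
TICKET_REGISTRY_XML = """
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean id="serviceTicketsCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean"
        p:cacheName="cas_st" p:timeToIdle="0" p:timeToLive="300"/>
  <bean id="ticketGrantingTicketsCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean"
        p:cacheName="cas_tgt" p:timeToIdle="0" p:timeToLive="28801"/>
</beans>
"""

# Constructed sample of ticketExpirationPolicies.xml with a two-week remember-me policy.
EXPIRATION_POLICIES_XML = """
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c">
  <bean id="serviceTicketExpirationPolicy"
        class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy"
        c:numberOfUses="1" c:timeToKillInMilliSeconds="10000"/>
  <bean id="grantingTicketExpirationPolicy"
        class="org.jasig.cas.ticket.support.TicketGrantingTicketExpirationPolicy"
        p:maxTimeToLiveInSeconds="28800" p:timeToKillInSeconds="7200"/>
  <bean id="rememberMeExpirationPolicy"
        class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy"
        c:timeToKillInMilliSeconds="1209600000"/>
</beans>
"""

# Which policies can govern the tickets held in which cache (assumption for this example).
CACHE_TO_POLICIES = {
    "serviceTicketsCache": ["serviceTicketExpirationPolicy"],
    "ticketGrantingTicketsCache": ["grantingTicketExpirationPolicy", "rememberMeExpirationPolicy"],
}


def _local(qname):
    """'{http://...}timeToLive' -> 'timeToLive'; names without a namespace pass through."""
    return qname.rsplit("}", 1)[-1]


def _beans(xml_text):
    """Yield (bean id, {local attribute name: value}) for every <bean> that has an id."""
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "bean" and "id" in el.attrib:
            yield el.attrib["id"], {_local(k): v for k, v in el.attrib.items()}


def policy_max_lifetime_seconds(attrs):
    """Longest a ticket may live under one policy bean, taken from its *InSeconds and
    *InMilliSeconds settings; None if the bean carries no such setting."""
    seconds = []
    for name, value in attrs.items():
        if name.endswith("InMilliSeconds"):
            seconds.append(int(value) // 1000)
        elif name.endswith("InSeconds"):
            seconds.append(int(value))
    return max(seconds) if seconds else None


def check(registry_xml, policies_xml):
    """Return {cache bean id: [problem, ...]}; an empty list means the cache is consistent."""
    policies = dict(_beans(policies_xml))
    caches = {bid: a for bid, a in _beans(registry_xml)
              if a.get("class", "").endswith("EhCacheFactoryBean")}
    findings = {}
    for cache_id, policy_ids in CACHE_TO_POLICIES.items():
        attrs = caches.get(cache_id)
        if attrs is None:
            findings[cache_id] = ["no EhCacheFactoryBean with this id in ticketRegistry.xml"]
            continue
        known = [s for s in (policy_max_lifetime_seconds(policies[p])
                             for p in policy_ids if p in policies) if s is not None]
        if not known:
            findings[cache_id] = ["none of %s found in ticketExpirationPolicies.xml" % policy_ids]
            continue
        need = max(known)
        problems = []
        if "timeToLive" not in attrs:
            problems.append("timeToLive not set on this bean; check the inherited/default value by hand")
        else:
            ttl = int(attrs["timeToLive"])
            if ttl == 0:
                problems.append("timeToLive=0: entries never expire; only the ticket registry cleaner frees them")
            elif ttl < need:
                problems.append("timeToLive=%ds is shorter than the longest ticket lifetime %ds" % (ttl, need))
        tti = int(attrs.get("timeToIdle", "0"))
        if 0 < tti < need:
            problems.append("timeToIdle=%ds can evict an idle but still valid ticket (policy allows %ds)" % (tti, need))
        findings[cache_id] = problems
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            registry, policies = f1.read(), f2.read()
    else:
        registry, policies = TICKET_REGISTRY_XML, EXPIRATION_POLICIES_XML
    for cache_id, problems in check(registry, policies).items():
        print(cache_id + ": " + ("OK" if not problems else "; ".join(problems)))
```

On the constructed sample the TGT cache is flagged (28801 s against a 1209600 s remember-me policy) and passes once timeToLive is raised to 1209601 as in the post. The timeToIdle rule is deliberately conservative: it treats any idle window shorter than the longest policy lifetime as a risk, so if you rely on an idle-based policy with a matching cache TTI you will want to relax it. Note that the check reads only attributes on the bean itself; a value inherited through parent="abstractTicketCache" is reported as "not set" rather than guessed.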
RE: [cas-user] CAS 4.0.0 Production Issue: Heap Memory Issue
Hi Dave!

We have the same configuration for all nodes. The cleaner is scheduled to run 20 seconds after the application starts and then periodically once per hour (the original value is greater than that: 5000 s). Because we don't start the nodes at the same time, the cleaner also runs at different times on different nodes.

We don't do any locking or anything like that. I think that the cleaner simply removes some tickets locally and then the deletions get replicated to other nodes, so they are in fact deleted on those other nodes too. But I don't know the implementation, so I may be wrong on this.

We introduced the cleaner quite recently, so unfortunately I have very little real experience with it. Should I find something more concerning the cleaner, I will post it to this list.

Best Regards,
Jarda

From: David A. Kovacic [mailto:d...@case.edu]
Sent: 20 November 2014 4:56 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS 4.0.0 Production Issue: Heap Memory Issue

Hi Jaroslav,

Well, given the error I knew it had to be something like that - I just couldn't find where logoutManager was supposed to be defined. Thanks for pointing me in the correct direction. :-)

A couple last questions on your setup: Are you running the ticket cleaner on multiple nodes of your environment simultaneously, or just one? If you run multiple simultaneous cleaners are you doing any kind of locking on the cache to prevent them from stepping on each other, or has it never been a problem for you?

Thanks,
Dave
RE: [cas-user] Multiple environments with different bean properties values
Hi Michael!

We use Maven profiles for that. You have to modify the project's pom.xml a little bit. Introduce as many profiles as you want (development, integration, ...) and create a separate directory for each of them. Then use a <build><resources><resource> element in your pom.xml, which will point to the respective directory. The path to the directory can contain something like ${my_profile_name}. You set its value in your profile definition. And the directory can contain properties files tailored just for the respective profile.

And, inside XML files, you just type something like ${my_property}, where my_property is defined in a properties file inside a profile-specific directory.

Then, to build the project, just specify the profile name:

mvn install -Pdevelopment

I think you can find some examples on the Maven site.

Hope this helps!
Jarda

-----Original Message-----
From: Michael Wechner [mailto:michael.wech...@wyona.com]
Sent: 20 November 2014 8:45 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] Multiple environments with different bean properties values

Hi

We are using CAS within different environments, like for example

- development
- integration
- staging
- production

and inside deployerConfigContext.xml we have some custom bean properties, but depending on the environment have different values, e.g.

<!-- Test environment -->
<property name="baseUrl" value="https://test.wyona.com/"/>

<!-- Production environment -->
<property name="baseUrl" value="https://www.wyona.com/"/>

Every time we make changes on this file, we need to remind ourselves that we have to comment or uncomment the property with the right value depending on the environment where we deploy the file. Which of course leads to errors ;-)

It would be nice to have some kind of environment/profile functionality within CAS, like for example

<property name="baseUrl" value="https://test.wyona.com/" env="test"/>
<property name="baseUrl" value="https://test.wyona.com/" env="prod"/>

Is this possible somehow? Or how do others solve this?

Thanks
Michael
RE: [cas-user] CAS 4.0.0 Production Issue: Heap Memory Issue
Hi David!

It seems you are missing a reference to the logout manager. Here is my configuration:

<bean id="ticketRegistryCleaner" class="org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner"
      p:ticketRegistry-ref="ticketRegistry"
      p:logoutManager-ref="logoutManager" />

<bean id="jobDetailTicketRegistryCleaner" class="org.springframework.scheduling.quartz.MethodInvokingJobDetailFactoryBean"
      p:targetObject-ref="ticketRegistryCleaner"
      p:targetMethod="clean" />

<bean id="triggerJobDetailTicketRegistryCleaner" class="org.springframework.scheduling.quartz.SimpleTriggerBean"
      p:jobDetail-ref="jobDetailTicketRegistryCleaner"
      p:startDelay="2"
      p:repeatInterval="360" />

Then just check you have the logoutManager bean defined in applicationContext.xml. It should be there by default.

Best Regards,
Jarda

From: David A. Kovacic [mailto:d...@case.edu]
Sent: 20 November 2014 2:42 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS 4.0.0 Production Issue: Heap Memory Issue

Hi Jaroslav,

Could you post your entire ticket registry cleaner definition? I tried setting up a cleaner job patterned after the default ticket registry cleaner but I am getting

Error creating bean with name 'ticketRegistryCleaner' defined in ServletContext resource [/WEB-INF/spring-configuration/ticketRegistry.xml]: Initialization of bean failed; nested exception is org.springframework.beans.factory.BeanInitializationException: Bean state is invalid: logoutManager - may not be null

exceptions on startup.

This is what the ticket cleaner definition looks like:

<!-- TICKET REGISTRY CLEANER -->
<bean id="ticketRegistryCleaner" class="org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner"
      p:ticketRegistry-ref="ticketRegistry" />

<bean id="jobDetailTicketRegistryCleaner" class="org.springframework.scheduling.quartz.MethodInvokingJobDetailFactoryBean"
      p:targetObject-ref="ticketRegistryCleaner"
      p:targetMethod="clean" />

<bean id="triggerJobDetailTicketRegistryCleaner" class="org.springframework.scheduling.quartz.SimpleTriggerBean"
      p:jobDetail-ref="jobDetailTicketRegistryCleaner"
      p:startDelay="2"
      p:repeatInterval="360" />
RE: [cas-user] CAS 4.0.0 Production Issue: Heap Memory Issue
Hi David! We have CAS 4.0.0, also with Eh-Cache-based ticket registry, on a 4-node cluster. Our configuration of EhCache is almost identical to yours. Two weeks after our initial deployment, we started getting OOME too, on all nodes. Our system admin measured heap consumption and the resulting graphs show that it is constantly growing until an OOME is thrown out. We gathered a memory snapshot and it showed that majority of the heap was occupied by tickets. I switched on a ticket registry cleaner job in ticketRegistry.xml and scheduled it to run every hour: bean id=triggerJobDetailTicketRegistryCleaner class=org.springframework.scheduling.quartz.SimpleTriggerBean p:jobDetail-ref=jobDetailTicketRegistryCleaner p:startDelay=2 p:repeatInterval=360 / The documentation at http://jasig.github.io/cas/4.0.0/installation/Ehcache-Ticket-Registry.html says that the cleaner is not necessary when you use EhCache. Now I'm not sure if I can trust it or not. To be sure, I will keep the cleaner active. Do you have the cleaner enabled or not? We are going to perform a test that should show if tickets are cleaned or not. I have also found that EhCache is able to limit the heap memory consumed by its caches: http://ehcache.org/generated/2.9.0/html/ehc-all/#page/Ehcache_Documentation_Set%2Fco-size_sizing_attributes.html%23 So I tried the following in ehcache-replicated.xml: ehcache name=ehCacheTicketRegistryCache updateCheck=false maxBytesLocalHeap=256M maxBytesLocalDisk=10G xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance; xsi:noNamespaceSchemaLocation=http://ehcache.org/ehcache.xsd; Unfortunately, it does not work together with Spring's EhCache support used by CAS. EhCacheFactoryBean always provides a limit of the number of elements (even if we do not specify it), which clashes with the heap memory limit and an error is thrown out on startup. In order to use the heap memory limit, we would have to provide a replacement of EhCacheFactoryBean. 
Best Regards, Jarda -Original Message- From: David A. Kovacic [mailto:d...@case.edu] Sent: 14. November 2014 3:30 odp. To: cas-user@lists.jasig.org Subject: [cas-user] CAS 4.0.0 Production Issue: Heap Memory Issue All, For the the second time both of our SSO servers running under Tomcat ran out of heap memory last night. They had been up about 7 days straight with no restarts. It looks like they again ran out of memory at about 1GB used (which seems to be the default Java heap size). We have lots of memory available on those servers so the last time this happened, we thought to increase the max heap size to 2GB. Our research had indicated that to increase heap memory for a Java app running under Tomcat you need to add the following line in the Tomcat CATALINA_HOME/bin/setenv.sh file: CATALINA_OPTS=-Xms1000m -Xmx2000m Supposedly according to our research, this increases minimum heap size to 1000MB and max heap size to 2000MB (just under 1GB and 2GB respectively). This is all running under RHEL 6 with Tomcat 7.0.54 and Oracle Java jdk1.8.0_05. Is there something we are missing here? Do we need to do something to tell Tomcat that it needs to allocate more memory than the default to the CAS application itself? The only applications we are running under Tomcat are the CAS webapp and the CAS management webapp which is pretty much idle all the time. We relaod services using the default 2 minute timer in both CAS and CAS-management. This is a fairly major issue for us as we are in the middle of our student registration period and we are seeing huge usage from Blackboard during the late-night hours (which is perversely when these servers tend to run out of heap). People are beginning to take a very jaundiced view of the supposedly improved SSO service that our move from RubyCAS was supposed to give them. 
Dave

--
You are currently subscribed to cas-user@lists.jasig.org as: jka...@idc.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
RE: [cas-user] EhCache Registry Exception
Hi Geoffrey!

Most likely it's because of the missing parent="abstractTicketCache" in the definition of bean ticketGrantingTicketCache. Try adding it there, like it is for serviceTicketCache. I know it was missing in the on-line documentation but it should already be fixed.

Best Regards,
Jarda

From: Whittaker, Geoffrey [mailto:geoff.whitta...@unf.edu]
Sent: 6. November 2014 8:32 PM
To: cas-user@lists.jasig.org
Subject: [cas-user] EhCache Registry Exception

I'm implementing the EhCache Ticket registry and I'm noticing something odd in my logs. Specifically, I'm seeing that the TGT cache manager is different from the ST cache manager. I believe my config should make them the same. I've included my logs and config below.

2014-11-06 14:19:14,366 DEBUG [org.jasig.cas.ticket.registry.EhCacheTicketRegistry] - serviceTicketsCache.maxElementsInMemory=1
2014-11-06 14:19:14,366 DEBUG [org.jasig.cas.ticket.registry.EhCacheTicketRegistry] - serviceTicketsCache.maxElementsOnDisk=0
2014-11-06 14:19:14,366 DEBUG [org.jasig.cas.ticket.registry.EhCacheTicketRegistry] - serviceTicketsCache.isOverflowToDisk=false
2014-11-06 14:19:14,366 DEBUG [org.jasig.cas.ticket.registry.EhCacheTicketRegistry] - serviceTicketsCache.timeToLive=300
2014-11-06 14:19:14,366 DEBUG [org.jasig.cas.ticket.registry.EhCacheTicketRegistry] - serviceTicketsCache.timeToIdle=0
2014-11-06 14:19:14,366 DEBUG [org.jasig.cas.ticket.registry.EhCacheTicketRegistry] - serviceTicketsCache.cacheManager=ticketRegistryCacheManager
2014-11-06 14:19:14,366 DEBUG [org.jasig.cas.ticket.registry.EhCacheTicketRegistry] - ticketGrantingTicketsCache.maxElementsInMemory=1
2014-11-06 14:19:14,366 DEBUG [org.jasig.cas.ticket.registry.EhCacheTicketRegistry] - ticketGrantingTicketsCache.maxElementsOnDisk=1000
2014-11-06 14:19:14,366 DEBUG [org.jasig.cas.ticket.registry.EhCacheTicketRegistry] - ticketGrantingTicketsCache.isOverflowToDisk=true
2014-11-06 14:19:14,366 DEBUG [org.jasig.cas.ticket.registry.EhCacheTicketRegistry] - ticketGrantingTicketsCache.timeToLive=0
2014-11-06 14:19:14,366 DEBUG [org.jasig.cas.ticket.registry.EhCacheTicketRegistry] - ticketGrantingTicketsCache.timeToIdle=7201
2014-11-06 14:19:14,366 DEBUG [org.jasig.cas.ticket.registry.EhCacheTicketRegistry] - ticketGrantingTicketsCache.cacheManager=__DEFAULT__

-- Why is this not the same as for the service tickets?

Contents of TicketRegistry.xml:

<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
    <property name="configLocation" value="file:C:\Program Files\cas-server-4.0.0\Log4jXMLs\ehcache-replicated.xml" />
    <property name="shared" value="false" />
    <property name="cacheManagerName" value="ticketRegistryCacheManager" />
</bean>

<bean id="ticketRegistry" class="org.jasig.cas.ticket.registry.EhCacheTicketRegistry"
      p:serviceTicketsCache-ref="serviceTicketsCache"
      p:ticketGrantingTicketsCache-ref="ticketGrantingTicketsCache" />

<bean id="abstractTicketCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean" abstract="true">
    <property name="cacheManager" ref="cacheManager" />
    <property name="diskExpiryThreadIntervalSeconds" value="0" />
    <property name="diskPersistent" value="false" />
    <property name="eternal" value="false" />
    <property name="maxElementsInMemory" value="1" />
    <property name="maxElementsOnDisk" value="0" />
    <property name="memoryStoreEvictionPolicy" value="LRU" />
    <property name="overflowToDisk" value="false" />
    <property name="bootstrapCacheLoader">
        <ref local="ticketCacheBootstrapCacheLoader" />
    </property>
</bean>

<bean id="serviceTicketsCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean" parent="abstractTicketCache">
    <property name="cacheName" value="org.jasig.cas.ticket.ServiceTicket" />
    <property name="cacheEventListeners">
        <ref local="ticketRMISynchronousCacheReplicator" />
    </property>
    <property name="timeToIdle" value="0" />
    <property name="timeToLive" value="300" />
</bean>

<bean id="ticketGrantingTicketsCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <property name="cacheName" value="org.jasig.cas.ticket.TicketGrantingTicket" />
    <property name="cacheEventListeners">
        <ref local="ticketRMIAsynchronousCacheReplicator" />
    </property>
    <property name="timeToIdle" value="7201" />
    <property name="timeToLive" value="0" />
</bean>

<bean id="ticketRMISynchronousCacheReplicator" class="net.sf.ehcache.distribution.RMISynchronousCacheReplicator">
    <constructor-arg name="replicatePuts" value="true" />
    <constructor-arg name="replicatePutsViaCopy" value="true" />
    <constructor-arg name="replicateUpdates" value="true" />
    <constructor-arg name="replicateUpdatesViaCopy" value="true" />
    <constructor-arg name="replicateRemovals" value="true" />
</bean>

<bean id="ticketRMIAsynchronousCacheReplicator" class="net.sf.ehcache.distribution.RMIAsynchronousCacheReplicator" parent="ticketRMISynchronousCacheReplicator">
    <constructor-arg name="replicationInterval" value="1" />
    <constructor-arg name="maximumBatchSize"
RE: [cas-user] CAS 4 + EhCache-based ticket cache - Errors when storing tickets to disk
Thank you for your answer, Misagh. Here is the issue: https://issues.jasig.org/browse/CAS-1486

Best Regards,
Jarda

From: Misagh Moayyed [mailto:mmoay...@unicon.net]
Sent: 16. October 2014 10:13 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS 4 + EhCache-based ticket cache - Errors when storing tickets to disk

Please open an issue and we'll investigate this. It's likely that service ticket objects are missing the setting that would allow them to overflow to disk.

From: Jaroslav Kacer [mailto:jka...@idc.com]
Sent: Thursday, October 16, 2014 5:43 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS 4 + EhCache-based ticket cache - Errors when storing tickets to disk

Hello everyone!

I use CAS 4.0.0 in a cluster of 2 nodes. I configured the ticket registry using EhCache, as described here: http://jasig.github.io/cas/4.0.0/installation/Ehcache-Ticket-Registry.html

I have disk overflow set to true:

<bean id="abstractTicketCache" abstract="true"
      class="org.springframework.cache.ehcache.EhCacheFactoryBean"
      p:cacheManager-ref="cacheManager"
      p:diskExpiryThreadIntervalSeconds="0"
      p:diskPersistent="false"
      p:eternal="false"
      p:maxElementsInMemory="1"
      p:maxElementsOnDisk="2"
      p:memoryStoreEvictionPolicy="LRU"
      p:overflowToDisk="true"
      p:bootstrapCacheLoader-ref="ticketCacheBootstrapCacheLoader" />

<bean id="serviceTicketsCache"
      class="org.springframework.cache.ehcache.EhCacheFactoryBean"
      parent="abstractTicketCache"
      p:cacheName="cas_st"
      p:timeToIdle="0"
      p:timeToLive="300"
      p:cacheEventListeners-ref="serviceTicketRMISynchronousCacheReplicator" />

My problem is that from time to time, I get an error when the ticket registry decides to save tickets (STs or TGTs) to disk. An exception is logged, saying that net.sf.ehcache.Cache is not serializable (which is true). Here is an example of the exception:

2014-10-09 10:18:59,266 ERROR [net.sf.ehcache.store.disk.DiskStorageFactory] - Disk Write of ST-18-sE417I7BTdfhABdhRMNQ-idc-cas-4 failed:
java.io.NotSerializableException: net.sf.ehcache.Cache
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1180)
    at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1528)
    at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1493)
    at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1416)
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1174)
    at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1528)
    at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1493)
    at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1416)
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1174)
    at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1528)
    at java.io.ObjectOutputStream.defaultWriteObject(ObjectOutputStream.java:438)
    at net.sf.ehcache.Element.writeObject(Element.java:851)
    at sun.reflect.GeneratedMethodAccessor138.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at java.io.ObjectStreamClass.invokeWriteObject(ObjectStreamClass.java:975)
    at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1480)
    at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1416)
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1174)
    at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:346)
    at net.sf.ehcache.util.MemoryEfficientByteArrayOutputStream.serialize(MemoryEfficientByteArrayOutputStream.java:97)
    at net.sf.ehcache.store.disk.DiskStorageFactory.serializeElement(DiskStorageFactory.java:399)
    at net.sf.ehcache.store.disk.DiskStorageFactory.write(DiskStorageFactory.java:381)
    at net.sf.ehcache.store.disk.DiskStorageFactory$DiskWriteTask.call(DiskStorageFactory.java:473)
    at net.sf.ehcache.store.disk.DiskStorageFactory$PersistentDiskWriteTask.call(DiskStorageFactory.java:1067)
    at net.sf.ehcache.store.disk.DiskStorageFactory$PersistentDiskWriteTask.call(DiskStorageFactory.java:1051)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
    at java.util.concurrent.FutureTask.run(FutureTask.java:166)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292
RE: [cas-user] CAS 4 + EhCache-based ticket cache - Errors when storing tickets to disk
Sure, here it is: https://github.com/Jasig/cas/issues/724

I wondered why there were only 4 open tickets in Jira :)

Thank you very much,
Jarda

From: Misagh Moayyed [mailto:mmoay...@unicon.net]
Sent: 17. October 2014 10:37 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS 4 + EhCache-based ticket cache - Errors when storing tickets to disk

I hate to ask you this, but would you be kind enough to submit the issue on GitHub instead? JIRA is no longer relevant for the CAS server project.

From: Jaroslav Kacer [mailto:jka...@idc.com]
Sent: Friday, October 17, 2014 1:27 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS 4 + EhCache-based ticket cache - Errors when storing tickets to disk

Thank you for your answer, Misagh. Here is the issue: https://issues.jasig.org/browse/CAS-1486

Best Regards,
Jarda

From: Misagh Moayyed [mailto:mmoay...@unicon.net]
Sent: 16. October 2014 10:13 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS 4 + EhCache-based ticket cache - Errors when storing tickets to disk

Please open an issue and we'll investigate this. It's likely that service ticket objects are missing the setting that would allow them to overflow to disk.

From: Jaroslav Kacer [mailto:jka...@idc.com]
Sent: Thursday, October 16, 2014 5:43 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS 4 + EhCache-based ticket cache - Errors when storing tickets to disk

Hello everyone!

I use CAS 4.0.0 in a cluster of 2 nodes. I configured the ticket registry using EhCache, as described here: http://jasig.github.io/cas/4.0.0/installation/Ehcache-Ticket-Registry.html

I have disk overflow set to true:

<bean id="abstractTicketCache" abstract="true"
      class="org.springframework.cache.ehcache.EhCacheFactoryBean"
      p:cacheManager-ref="cacheManager"
      p:diskExpiryThreadIntervalSeconds="0"
      p:diskPersistent="false"
      p:eternal="false"
      p:maxElementsInMemory="1"
      p:maxElementsOnDisk="2"
      p:memoryStoreEvictionPolicy="LRU"
      p:overflowToDisk="true"
      p:bootstrapCacheLoader-ref="ticketCacheBootstrapCacheLoader" />

<bean id="serviceTicketsCache"
      class="org.springframework.cache.ehcache.EhCacheFactoryBean"
      parent="abstractTicketCache"
      p:cacheName="cas_st"
      p:timeToIdle="0"
      p:timeToLive="300"
      p:cacheEventListeners-ref="serviceTicketRMISynchronousCacheReplicator" />

My problem is that from time to time, I get an error when the ticket registry decides to save tickets (STs or TGTs) to disk. An exception is logged, saying that net.sf.ehcache.Cache is not serializable (which is true). Here is an example of the exception:

2014-10-09 10:18:59,266 ERROR [net.sf.ehcache.store.disk.DiskStorageFactory] - Disk Write of ST-18-sE417I7BTdfhABdhRMNQ-idc-cas-4 failed:
java.io.NotSerializableException: net.sf.ehcache.Cache
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1180)
    at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1528)
    at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1493)
    at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1416)
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1174)
    at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1528)
    at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1493)
    at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1416)
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1174)
    at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1528)
    at java.io.ObjectOutputStream.defaultWriteObject(ObjectOutputStream.java:438)
    at net.sf.ehcache.Element.writeObject(Element.java:851)
    at sun.reflect.GeneratedMethodAccessor138.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at java.io.ObjectStreamClass.invokeWriteObject(ObjectStreamClass.java:975)
    at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1480)
    at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1416)
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1174)
    at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:346)
    at net.sf.ehcache.util.MemoryEfficientByteArrayOutputStream.serialize(MemoryEfficientByteArrayOutputStream.java:97)
    at net.sf.ehcache.store.disk.DiskStorageFactory.serializeElement(DiskStorageFactory.java:399)
    at net.sf.ehcache.store.disk.DiskStorageFactory.write
[cas-user] CAS 4 + EhCache-based ticket cache - Errors when storing tickets to disk
Hello everyone!

I use CAS 4.0.0 in a cluster of 2 nodes. I configured the ticket registry using EhCache, as described here: http://jasig.github.io/cas/4.0.0/installation/Ehcache-Ticket-Registry.html

I have disk overflow set to true:

<bean id="abstractTicketCache" abstract="true"
      class="org.springframework.cache.ehcache.EhCacheFactoryBean"
      p:cacheManager-ref="cacheManager"
      p:diskExpiryThreadIntervalSeconds="0"
      p:diskPersistent="false"
      p:eternal="false"
      p:maxElementsInMemory="1"
      p:maxElementsOnDisk="2"
      p:memoryStoreEvictionPolicy="LRU"
      p:overflowToDisk="true"
      p:bootstrapCacheLoader-ref="ticketCacheBootstrapCacheLoader" />

<bean id="serviceTicketsCache"
      class="org.springframework.cache.ehcache.EhCacheFactoryBean"
      parent="abstractTicketCache"
      p:cacheName="cas_st"
      p:timeToIdle="0"
      p:timeToLive="300"
      p:cacheEventListeners-ref="serviceTicketRMISynchronousCacheReplicator" />

My problem is that from time to time, I get an error when the ticket registry decides to save tickets (STs or TGTs) to disk. An exception is logged, saying that net.sf.ehcache.Cache is not serializable (which is true). Here is an example of the exception:

2014-10-09 10:18:59,266 ERROR [net.sf.ehcache.store.disk.DiskStorageFactory] - Disk Write of ST-18-sE417I7BTdfhABdhRMNQ-idc-cas-4 failed:
java.io.NotSerializableException: net.sf.ehcache.Cache
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1180)
    at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1528)
    at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1493)
    at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1416)
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1174)
    at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1528)
    at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1493)
    at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1416)
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1174)
    at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1528)
    at java.io.ObjectOutputStream.defaultWriteObject(ObjectOutputStream.java:438)
    at net.sf.ehcache.Element.writeObject(Element.java:851)
    at sun.reflect.GeneratedMethodAccessor138.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at java.io.ObjectStreamClass.invokeWriteObject(ObjectStreamClass.java:975)
    at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1480)
    at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1416)
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1174)
    at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:346)
    at net.sf.ehcache.util.MemoryEfficientByteArrayOutputStream.serialize(MemoryEfficientByteArrayOutputStream.java:97)
    at net.sf.ehcache.store.disk.DiskStorageFactory.serializeElement(DiskStorageFactory.java:399)
    at net.sf.ehcache.store.disk.DiskStorageFactory.write(DiskStorageFactory.java:381)
    at net.sf.ehcache.store.disk.DiskStorageFactory$DiskWriteTask.call(DiskStorageFactory.java:473)
    at net.sf.ehcache.store.disk.DiskStorageFactory$PersistentDiskWriteTask.call(DiskStorageFactory.java:1067)
    at net.sf.ehcache.store.disk.DiskStorageFactory$PersistentDiskWriteTask.call(DiskStorageFactory.java:1051)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
    at java.util.concurrent.FutureTask.run(FutureTask.java:166)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:722)

Has anybody experienced a similar error? I searched on the Internet but did not find any relevant report. It seems that CAS tickets indirectly reference the cache, which causes the Java runtime to try to serialize it too. Unfortunately I haven't found the path from tickets to caches yet. A quick workaround would be to set disk overflow to false, I believe, but I'd like to keep it switched on to be able to handle bigger loads.

Any help or hint would be much appreciated!

Best Regards,
Jarda
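The open question in this thread (and in the two replies quoting it above) is "which reference path leads from a ticket to the cache". The following added example is not code from the thread or from CAS; it is a constructed Python model of the same failure, with pickle standing in for Java serialization and the class names (Cache, Registry, TicketGrantingTicket, ServiceTicket, DetachedTicketGrantingTicket) as assumptions. It walks the object graph to report the attribute path to the first non-serializable object, and shows the usual fix beside it: dropping the back-reference from the serialized state, the equivalent of a transient field in Java.

```python
"""Locate the reference path from a ticket to an object that cannot be serialized.

Constructed model of the failure discussed in the thread: a ticket reaches the
cache through a back-reference, so writing the ticket to disk drags the cache
along. Python's pickle stands in for Java serialization."""
import pickle
from collections import deque


class Cache:
    """Stand-in for net.sf.ehcache.Cache: refuses to be serialized."""
    def __getstate__(self):
        raise TypeError("Cache is not serializable")


class Registry:
    """Constructed registry that owns a cache, as a ticket registry would."""
    def __init__(self):
        self.cache = Cache()


class TicketGrantingTicket:
    def __init__(self, ticket_id, registry):
        self.id = ticket_id
        self.registry = registry          # the hidden back-reference to the registry


class ServiceTicket:
    def __init__(self, ticket_id, granting_ticket):
        self.id = ticket_id
        self.granting_ticket = granting_ticket


class DetachedTicketGrantingTicket(TicketGrantingTicket):
    """Same ticket, but the registry reference is dropped on serialization,
    the equivalent of marking the Java field transient."""
    def __getstate__(self):
        state = dict(vars(self))
        state["registry"] = None
        return state


def find_path_to(root, forbidden_type):
    """Breadth-first walk over attributes, dict entries and sequence items.
    Returns the access path to the first instance of forbidden_type, or None."""
    seen = {id(root)}
    queue = deque([(root, "")])
    while queue:
        obj, path = queue.popleft()
        if isinstance(obj, forbidden_type):
            return path or "<root>"
        if hasattr(obj, "__dict__"):
            children = [("." + k, v) for k, v in vars(obj).items()]
        elif isinstance(obj, dict):
            children = [("[%r]" % k, v) for k, v in obj.items()]
        elif isinstance(obj, (list, tuple, set, frozenset)):
            children = [("[%d]" % i, v) for i, v in enumerate(obj)]
        else:
            children = []
        for label, child in children:
            if id(child) not in seen:          # cycles are common in ticket graphs
                seen.add(id(child))
                queue.append((child, path + label))
    return None


def serialize_or_explain(obj, forbidden_type=Cache):
    """Return None when obj serializes cleanly, otherwise the path that explains why not."""
    try:
        pickle.dumps(obj)
        return None
    except (TypeError, pickle.PicklingError):
        return find_path_to(obj, forbidden_type) or "<unknown>"


def roundtrip(obj):
    """Serialize and deserialize, as a disk store would."""
    return pickle.loads(pickle.dumps(obj))


if __name__ == "__main__":
    registry = Registry()
    bad = ServiceTicket("ST-1-x", TicketGrantingTicket("TGT-1-x", registry))
    print("path to cache:", serialize_or_explain(bad))
    good = ServiceTicket("ST-2-x", DetachedTicketGrantingTicket("TGT-2-x", registry))
    print("detached ticket serializes:", serialize_or_explain(good) is None)
```

The same walk works on a heap dump's object graph in principle, but against live objects it is most useful in a test that loads one ticket from the registry and fails the build as soon as a forbidden type becomes reachable.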
RE: [cas-user] Does CAS 4 generate cookies ? I can't find any ?
Hi Jay!

Yes, it does. After logon, I can see these 2 cookies issued by CAS: CASTGC, JSESSIONID. I use Firefox + Firebug to inspect cookies and I have never experienced any problems seeing them.

Best Regards,
Jarda

From: Jayakumar Jayaraman [mailto:india@gmail.com]
Sent: 8. October 2014 11:29 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] Does CAS 4 generate cookies ? I can't find any ?

Hi Guys,

Does CAS 4 generate cookies? I can't find any. I have set up CAS 4 and am able to successfully authenticate against LDAP. After successful login I tried to see if there are any cookies generated by CAS in the Chrome browser. But I could only see one cookie, JSESSIONID, and nothing more for CAS. I thought CAS would use cookies to manage the SSO? Please clarify.

My server log has these entries:

2014-10-08 10:20:42,165 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Removed cookie with name [CASPRIVACY]
Added cookie with name [CASTGC] and value [TGT-1-ITQe7FI0s31UIf6TtmeMN09c9yg9e4At4ibdAm2SrSEfwFbTAR-cas01.eba.europa.eu]

Thanks,
Jay
RE: [cas-user] CAS 4 and EhCache Ticket Registry - Online documentation
Thank you, Misagh!

Jarda

-----Original Message-----
From: Misagh Moayyed [mailto:mmoay...@unicon.net]
Sent: 6. October 2014 6:33 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS 4 and EhCache Ticket Registry - Online documentation

Corrected the docs.
[cas-user] CAS 4 and EhCache Ticket Registry - Online documentation
Hello everyone!

I'd like to ask a question on the on-line documentation at: http://jasig.github.io/cas/4.0.0/installation/Ehcache-Ticket-Registry.html

The Spring setup has 2 beans for ticket caches: serviceTicketsCache and ticketGrantingTicketsCache. The first one is based on the abstract bean abstractTicketCache but the second one is not, so some properties may not be set or may be set to their default values. Is this intentional or an omission? If this is an omission, could someone add the missing line parent="abstractTicketCache"?

Thank you

Best regards,
Jarda

--
Jaroslav Kačer
IDC | Application Developer
Phone: +420723914123
Mail: jka...@idc.com
RE: [cas-user] CAS 4 and EhCache Ticket Registry - Online documentation
Thanks, Tom. I thought so but wasn't sure. Surprisingly, it worked without the parent set, too, probably thanks to default values.

Best Regards,
Jarda

-----Original Message-----
From: Tom Poage [mailto:tfpo...@ucdavis.edu]
Sent: 6. October 2014 4:42 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS 4 and EhCache Ticket Registry - Online documentation

As I recall, that's an omission. In 3.5.x at least, both entries needed parent="abstractTicketCache".

Tom.
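Both this thread and the "EhCache Registry Exception" thread above come down to the same configuration slip: a ticket cache bean that does not inherit from abstractTicketCache, so it never receives the cacheManager property and ends up in Ehcache's default CacheManager (the cacheManager=__DEFAULT__ line in Geoffrey's log). The following added example is not code from the thread or from CAS; it is a small Python linter for a ticketRegistry.xml that resolves the parent= chain and p: shorthand attributes and reports concrete EhCacheFactoryBean beans that end up without a cacheManager. The embedded SAMPLE_XML is a constructed, shortened version of the configuration quoted in the thread, and FIXED_XML is the same file with the missing parent= added.

```python
"""Lint a CAS ticketRegistry.xml for EhCacheFactoryBean definitions that end up
without a cacheManager, i.e. that would be created in Ehcache's default manager
instead of the replicated ticketRegistryCacheManager."""
import xml.etree.ElementTree as ET

BEANS_NS = "http://www.springframework.org/schema/beans"
P_NS = "http://www.springframework.org/schema/p"
EHCACHE_FACTORY = "org.springframework.cache.ehcache.EhCacheFactoryBean"

# Constructed sample modelled on the ticketRegistry.xml quoted in the thread:
# serviceTicketsCache inherits from abstractTicketCache, ticketGrantingTicketsCache does not.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
    <property name="cacheManagerName" value="ticketRegistryCacheManager"/>
  </bean>
  <bean id="abstractTicketCache" abstract="true"
        class="org.springframework.cache.ehcache.EhCacheFactoryBean"
        p:cacheManager-ref="cacheManager" p:overflowToDisk="false"/>
  <bean id="serviceTicketsCache" parent="abstractTicketCache"
        class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <property name="cacheName" value="org.jasig.cas.ticket.ServiceTicket"/>
  </bean>
  <bean id="ticketGrantingTicketsCache"
        class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <property name="cacheName" value="org.jasig.cas.ticket.TicketGrantingTicket"/>
  </bean>
</beans>
"""

# The corrected file: the TGT cache now inherits from the abstract parent.
FIXED_XML = SAMPLE_XML.replace(
    '<bean id="ticketGrantingTicketsCache"',
    '<bean id="ticketGrantingTicketsCache" parent="abstractTicketCache"')


def _q(tag):
    return "{%s}%s" % (BEANS_NS, tag)


def load_beans(xml_text):
    """Map bean id -> element for the top-level <bean> definitions."""
    root = ET.fromstring(xml_text)
    return {b.get("id"): b for b in root.findall(_q("bean")) if b.get("id")}


def own_properties(bean):
    """Properties declared on one bean: nested <property> elements plus p: attributes."""
    props = {}
    for prop in bean.findall(_q("property")):
        props[prop.get("name")] = prop.get("ref") or prop.get("value")
    for attr, value in bean.attrib.items():
        if attr.startswith("{%s}" % P_NS):
            name = attr.split("}", 1)[1]
            if name.endswith("-ref"):        # p:cacheManager-ref -> cacheManager
                name = name[:-4]
            props[name] = value
    return props


def effective_properties(beans, bean):
    """Properties after following the parent= chain; the child overrides the parent."""
    chain, visited, cur = [], set(), bean
    while cur is not None and id(cur) not in visited:
        visited.add(id(cur))
        chain.append(cur)
        parent_id = cur.get("parent")
        cur = beans.get(parent_id) if parent_id else None
    props = {}
    for b in reversed(chain):
        props.update(own_properties(b))
    return props


def lint_ticket_caches(xml_text):
    """Return {bean id: message} for concrete EhCacheFactoryBean beans without a cacheManager."""
    beans = load_beans(xml_text)
    problems = {}
    for bean_id, bean in beans.items():
        if bean.get("class") != EHCACHE_FACTORY or bean.get("abstract") == "true":
            continue
        if "cacheManager" not in effective_properties(beans, bean):
            problems[bean_id] = ("cacheManager not set and no parent= supplying it; "
                                 "the cache would be created in the default CacheManager")
    return problems


if __name__ == "__main__":
    for bean_id, msg in lint_ticket_caches(SAMPLE_XML).items():
        print("%s: %s" % (bean_id, msg))
    print("after fix:", lint_ticket_caches(FIXED_XML))
```

Run against the real file (ET.parse instead of ET.fromstring), the same check catches the symptom before deployment rather than in the DEBUG log, and it is cheap to extend to other properties that must match between the two caches, such as overflowToDisk.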
RE: [cas-user] Replacement for DynamicRedirectViewSelector in CAS 4.x ?
Hi Misagh!

Thank you for your answer! Finally I made it work without the removed class :) I had to import the following states into my custom web flow instead of the missing view selector:

<action-state id="successRedirect">
    <evaluate expression="flowScope.service.getResponse(requestScope.serviceTicketId)"
              result-type="org.jasig.cas.authentication.principal.Response"
              result="requestScope.response" />
    <transition to="postRedirectDecision" />
</action-state>

<decision-state id="postRedirectDecision">
    <if test="requestScope.response.responseType.name() == 'POST'" then="postView" else="redirectView" />
</decision-state>

<end-state id="postView" view="postResponseView">
    <on-entry>
        <set name="requestScope.parameters" value="requestScope.response.attributes" />
        <set name="requestScope.originalUrl" value="flowScope.service.id" />
    </on-entry>
</end-state>

<end-state id="redirectView" view="externalRedirect:#{requestScope.response.url}" />

I took them from the login webflow, adapted them a little, and it started working.

Best Regards,
Jarda

From: Misagh Moayyed [mailto:mmoay...@unicon.net]
Sent: 15. September 2014 5:33 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Replacement for DynamicRedirectViewSelector in CAS 4.x ?

Yes, you are directed back to the application via the service parameter in a GET mode. If you need POST, specify method=POST to the /login endpoint. These are still handled by the webflow, but without the need for that exact class.

From: Jaroslav Kacer [mailto:jka...@idc.com]
Sent: Monday, September 15, 2014 8:26 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Replacement for DynamicRedirectViewSelector in CAS 4.x ?

Hello Misagh!

Thank you for your answer. Yes, I also think the class works exactly as you described it. I still have doubts: Will CAS redirect me properly if this is a custom webflow, not present in the original CAS? Whenever a web flow finishes, will CAS detect it and redirect me to the URL of the service parameter? This looks like a lot of magic :)

Thank you,
Jarda

From: Misagh Moayyed [mailto:mmoay...@unicon.net]
Sent: 15. September 2014 4:53 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Replacement for DynamicRedirectViewSelector in CAS 4.x ?

If I am reading the class right, it looks like that particular selector used to determine how the flow control should be handled back to the application, whether it's a POST, etc. If so, you no longer need it. CAS, through other means, either redirects you back to the app or directs you to a POST view where data is posted back to the app.

From: Jaroslav Kacer [mailto:jka...@idc.com]
Sent: Monday, September 15, 2014 6:18 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] Replacement for DynamicRedirectViewSelector in CAS 4.x ?

Hello everyone!

I'd like to ask whether there is a replacement for the class org.jasig.cas.web.flow.DynamicRedirectViewSelector in CAS 4.x. I have a custom webflow in our CAS 3.x which depends on this class, and now I am migrating this webflow to CAS 4.0.

I have an end state which has a view defined using the selector:

<end-state id="successRedirect" view="bean:dynamicRedirectViewSelector"/>

And the bean is defined like this:

<bean id="dynamicRedirectViewSelector" class="org.jasig.cas.web.flow.DynamicRedirectViewSelector"/>

I have found that the interface ViewSelector (implemented by DynamicRedirectViewSelector) from Spring WebFlow 1.x has also been removed. In the WebFlow XSD, I found that a view factory from Spring WebFlow 2.x can be used instead: "For exotic usages, you may plug in a custom ViewFactory bean you define: #{myCustomViewFactory}."

So, I'd like to ask:
1. Is there a direct replacement for DynamicRedirectViewSelector that could be used right away?
2. If not, is implementing a custom ViewFactory a viable way to achieve what DynamicRedirectViewSelector did before?

Thank you very much for your answers!

Best Regards,
Jarda

--
Jaroslav Kačer
IDC | Application Developer
Phone: +420723914123
Mail: jka...@idc.com
[cas-user] Replacement for DynamicRedirectViewSelector in CAS 4.x ?
Hello everyone!

I'd like to ask whether there is a replacement for the class org.jasig.cas.web.flow.DynamicRedirectViewSelector in CAS 4.x. I have a custom webflow in our CAS 3.x which depends on this class, and now I am migrating this webflow to CAS 4.0.

I have an end state which has a view defined using the selector:

<end-state id="successRedirect" view="bean:dynamicRedirectViewSelector"/>

And the bean is defined like this:

<bean id="dynamicRedirectViewSelector" class="org.jasig.cas.web.flow.DynamicRedirectViewSelector"/>

I have found that the interface ViewSelector (implemented by DynamicRedirectViewSelector) from Spring WebFlow 1.x has also been removed. In the WebFlow XSD, I found that a view factory from Spring WebFlow 2.x can be used instead: "For exotic usages, you may plug in a custom ViewFactory bean you define: #{myCustomViewFactory}."

So, I'd like to ask:
1. Is there a direct replacement for DynamicRedirectViewSelector that could be used right away?
2. If not, is implementing a custom ViewFactory a viable way to achieve what DynamicRedirectViewSelector did before?

Thank you very much for your answers!

Best Regards,
Jarda

--
Jaroslav Kačer
IDC | Application Developer
Phone: +420723914123
Mail: jka...@idc.com
RE: [cas-user] Replacement for DynamicRedirectViewSelector in CAS 4.x ?
Hello Misagh!

Thank you for your answer. Yes, I also think the class works exactly as you described it. I still have doubts: Will CAS redirect me properly if this is a custom webflow, not present in the original CAS? Whenever a web flow finishes, will CAS detect it and redirect me to the URL of the service parameter? This looks like a lot of magic :)

Thank you,
Jarda

From: Misagh Moayyed [mailto:mmoay...@unicon.net]
Sent: 15. September 2014 4:53 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Replacement for DynamicRedirectViewSelector in CAS 4.x ?

If I am reading the class right, it looks like that particular selector used to determine how the flow control should be handled back to the application, whether it's a POST, etc. If so, you no longer need it. CAS, through other means, either redirects you back to the app or directs you to a POST view where data is posted back to the app.

From: Jaroslav Kacer [mailto:jka...@idc.com]
Sent: Monday, September 15, 2014 6:18 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] Replacement for DynamicRedirectViewSelector in CAS 4.x ?

Hello everyone!

I'd like to ask whether there is a replacement for the class org.jasig.cas.web.flow.DynamicRedirectViewSelector in CAS 4.x. I have a custom webflow in our CAS 3.x which depends on this class, and now I am migrating this webflow to CAS 4.0.

I have an end state which has a view defined using the selector:

<end-state id="successRedirect" view="bean:dynamicRedirectViewSelector"/>

And the bean is defined like this:

<bean id="dynamicRedirectViewSelector" class="org.jasig.cas.web.flow.DynamicRedirectViewSelector"/>

I have found that the interface ViewSelector (implemented by DynamicRedirectViewSelector) from Spring WebFlow 1.x has also been removed. In the WebFlow XSD, I found that a view factory from Spring WebFlow 2.x can be used instead: "For exotic usages, you may plug in a custom ViewFactory bean you define: #{myCustomViewFactory}."

So, I'd like to ask:
1. Is there a direct replacement for DynamicRedirectViewSelector that could be used right away?
2. If not, is implementing a custom ViewFactory a viable way to achieve what DynamicRedirectViewSelector did before?

Thank you very much for your answers!

Best Regards,
Jarda

--
Jaroslav Kačer
IDC | Application Developer
Phone: +420723914123
Mail: jka...@idc.com
[cas-user] CAS 4.0.0 behind a load balancer -- Login form issue
Dear CAS users,

I have two instances of CAS 4.0.0 in a cluster, with a load balancer in front of them. The balancer has 2 ports open: 8080 for HTTP and 8443 for HTTPS. The nodes have only HTTP open - 8084 - and all traffic from the balancer is forwarded to this port, i.e. HTTPS is terminated on the balancer. I cannot change the balancer configuration, so opening an HTTPS port will do nothing.

With this configuration, I ran into some issues:
- CAS thought it was running on an insecure port (which was technically correct)
- Some URLs generated by a CAS plugin were incorrect (e.g. http://host:8443/something), the insecure protocol was mixed with the secure port.

I did some research and found a solution on this mailing list here: https://groups.google.com/forum/#!topic/jasig-cas-user/woCEKAA-E2w

Now my Tomcat connector config (server.xml) looks like this:

<Connector port="8084" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" proxyPort="8443" scheme="https" secure="true" />

The above issues have been resolved but another one has appeared: The login form seems to have stopped working. Any POST of the login form to .../login results in a redirect to the same URL, using GET. No ticket-granting ticket is created and nothing is written to the log, neither an audit record nor an error. The redirected URL simply displays the login form again.

Here are the HTTP headers of the original POST request:

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Cookie: JSESSIONID=716D5C355EEAEA402CD3C74DB65256C9; s_nr=1408087372966-Repeat; s_lv=1408087372966; _ga=GA1.2.963000228.1404480273; s_vnum=1410007455210%26vn%3D4
Host: qacas4.idc.com:8443
Referer: https://my-balancer-host-name:8443/cas/login
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0

Parameters of the POST:

_eventId: submit
execution: e4s1
lt: LT-4-anbT64BEcaWOZJdfEejhYbfAzV1X9j-idc-cas-4
password: Mellon
submit: LOGIN
username: casuser

And the response:

Cache-Control: no-cache, no-store
Content-Length: 0
Date: Fri, 22 Aug 2014 14:25:24 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://my-balancer-host-name:8443/cas/login
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A9FB2F64E0A5A9167BCEDC60C4DFAC3F; Path=/cas/; Secure; HttpOnly

Has anybody successfully deployed CAS 4.0.0 in a cluster behind a load balancer with a similar configuration? If yes, did you run into the same issues? It looks like something inside CAS (maybe a security check or so) is preventing the ticket from being created. Maybe this feature is new in CAS 4 and my connector configuration would work fine with CAS 3, I don't know.

Thank you very much for your replies!

Best Regards,
Jarda

--
Jaroslav Kačer
IDC | Application Developer
Phone: +420723914123
Mail: jka...@idc.com
RE: [cas-user] CAS 4.0.0 behind a load balancer -- Login form issue
It seems I have found the cause of my problems. And it is not inside CAS :) It seems our load balancer is not properly set; sticky sessions are likely switched off. If the first GET request and the second POST request are handled by the same node, everything works fine. However, if they are handled by different nodes, the above error occurs.

I apologize to anyone reading my previous long post!

Have a nice weekend, everybody,
Jarda

--
Jaroslav Kačer
IDC | Application Developer
Phone: +420723914123
Mail: jka...@idc.com
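The two messages above contain the two things a practitioner would want to verify mechanically when a CAS node sits behind a TLS-terminating balancer: that the Tomcat connector carries the proxyPort/scheme/secure attributes which make the node generate https URLs and Secure cookies, and that a login POST answered with a 302 back to /cas/login plus a fresh JSESSIONID means the request landed on a node that did not know the session (the sticky-session problem Jarda found). The following Python is an added example, not code from the thread, from CAS or from Tomcat; the server.xml fragment and the request/response capture are constructed from the values posted above (the tracking cookies are dropped and "Name: value" header syntax is used).

```python
"""Two offline checks for a CAS node behind a TLS-terminating load balancer.

Added example: not code from the thread, from CAS or from Tomcat. The
server.xml fragment and the header captures are constructed from the values
posted above (hostnames and JSESSIONID values are the ones in the post).
"""
import xml.etree.ElementTree as ET
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed server.xml with the connector from the post: proxyPort, scheme
# and secure tell Tomcat that the client really spoke HTTPS to port 8443.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8084" protocol="HTTP/1.1" redirectPort="8443"
               proxyPort="8443" scheme="https" secure="true" />
  </Service>
</Server>"""

# Constructed capture of the failing login POST and its 302, abridged from the
# post (tracking cookies dropped, "Name: value" header syntax).
REQUEST = """POST /cas/login HTTP/1.1
Host: qacas4.idc.com:8443
Cookie: JSESSIONID=716D5C355EEAEA402CD3C74DB65256C9; s_nr=1408087372966-Repeat
Referer: https://my-balancer-host-name:8443/cas/login
"""
RESPONSE = """HTTP/1.1 302 Found
Location: https://my-balancer-host-name:8443/cas/login
Set-Cookie: JSESSIONID=A9FB2F64E0A5A9167BCEDC60C4DFAC3F; Path=/cas/; Secure; HttpOnly
Content-Length: 0
"""


def check_proxied_connector(server_xml, proxy_https_port):
    """List what is wrong with each plain-HTTP <Connector> that sits behind a
    proxy terminating TLS on proxy_https_port; an empty list means it is fine."""
    problems = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            continue  # a connector doing its own TLS needs none of this
        if conn.get("scheme") != "https":
            problems.append('scheme="https" missing: generated URLs will be http://')
        if conn.get("secure", "false").lower() != "true":
            problems.append('secure="true" missing: requests are not treated as secure')
        if conn.get("proxyPort") != str(proxy_https_port):
            problems.append(f"proxyPort must be {proxy_https_port}, the port clients use")
    return problems


def _parse(raw):
    """Split a raw request or response head into (start line, {name: [values]})."""
    start, *lines = raw.strip().splitlines()
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start, headers


def _session_id(cookie_header):
    """JSESSIONID carried in a Cookie or Set-Cookie header value, if any."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar["JSESSIONID"].value if "JSESSIONID" in jar else None


def diagnose_login_post(request_raw, response_raw):
    """Explain a login-form POST that bounces straight back to the login page."""
    req_line, req = _parse(request_raw)
    resp_line, resp = _parse(response_raw)
    method, path, _ = req_line.split()
    status = int(resp_line.split()[1])
    set_cookie = resp.get("set-cookie", [""])[0]

    sent = _session_id(req.get("cookie", [""])[0])
    issued = _session_id(set_cookie)
    location = resp.get("location", [""])[0]

    findings = {
        "redirect_to_self": method == "POST" and 300 <= status < 400
        and urlsplit(location).path == path,
        # A brand-new JSESSIONID in reply to a request that presented one means
        # the answering node did not know that session, so the webflow
        # execution stored in it (execution=e4s1 in the post) is gone as well.
        "session_replaced": bool(sent) and bool(issued) and sent != issued,
        # Secure flag on the new cookie shows secure="true" took effect.
        "cookie_secure": "secure" in set_cookie.lower(),
    }
    if findings["redirect_to_self"] and findings["session_replaced"]:
        findings["likely_cause"] = ("request reached a node without the session: "
                                    "enable session affinity on the balancer or "
                                    "replicate sessions between the nodes")
    elif findings["redirect_to_self"]:
        findings["likely_cause"] = "session kept but flow restarted: check CAS logs"
    else:
        findings["likely_cause"] = None
    return findings


if __name__ == "__main__":
    print("connector problems:", check_proxied_connector(SERVER_XML, 8443))
    for key, value in diagnose_login_post(REQUEST, RESPONSE).items():
        print(f"{key}: {value}")
```

Run it as a script to see both checks on the constructed capture. The tell-tale in the post is the Set-Cookie header: a node that recognised JSESSIONID=716D... would never issue a new one in the same exchange, so the redirect is the webflow restarting in an empty session rather than a CAS security check rejecting the ticket request. The Secure flag on that new cookie is also the confirmation that secure="true" is in effect, which is why the balancer's plain-HTTP port 8080 must not be used for the login flow: the browser will not send the cookie there.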
RE: [cas-user] CAS 4.1 - Any release date planned?
Hi Jerome!

Thank you for your reply. Finally I decided to use 4.0.0 and to port back the changes in the PAC4J plugin made in 4.1.x. I compared the two versions and the changes seem to be minimal (POM + 2 classes), so I believe it won't be hard.

Best Regards,
Jarda

From: Jérôme LELEU [mailto:lel...@gmail.com]
Sent: 5. August 2014 2:56 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS 4.1 - Any release date planned?

Hi,

I like people needing the new pac4j version ;-)

So far, we haven't said anything about the release date. 4.0 was released in May so I personally would not expect anything before the end of the year...

Best regards,
Jérôme LELEU
Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org

2014-08-05 10:58 GMT+02:00 Jaroslav Kacer <jka...@idc.com>:
[cas-user] CAS 4.1 - Any release date planned?
Dear CAS users/developers,

I'd like to ask whether there is any planned release date of CAS 4.1. We plan to upgrade our company CAS server and there are some new features in 4.1 we'd like to use, namely the integration with PAC4J. Unfortunately I was not able to find anything about 4.1 at the Roadmap page (https://wiki.jasig.org/display/CAS/CAS+Roadmap).

Thank you in advance for your answer!

Best Regards,
--
Jaroslav Kačer
IDC | Application Developer
Phone: +420723914123
Mail: jka...@idc.com
Re: [cas-user] Integrating CAS with the SAML2 plugin from GIP-RECIA
Hi Julien!

I just would like to inform you about my current status of integrating CAS with a SAML IdP. Unfortunately I did not get over the WebFlow issue in the SAML2 plugin. Then I tried the PAC4J library (which you advised me to use) with a corresponding CAS plugin and I succeeded :-)

I used the following components:
- CAS 4.1.0-SNAPSHOT - not yet released, checked out from GitHub
- PAC4J Core + SAML 1.5.1
- CAS PAC4J OAuth Client Demo 1.0.0-SNAPSHOT from GitHub
- Shibboleth IdP test server at https://idp.testshib.org/

I had to make a few minor modifications in CAS and the demo, register my metadata at IdP's side and then I successfully authenticated :-) The reason for the snapshot version is (I think) that CAS 4.0.0 still depends on PAC4J 1.4.1, which does not have SAML support.

I think I will use this method, the only drawback is I will have to migrate CAS to the newest version. I hope this info will be useful for others as well.

Thank you once again for your support!

Best Regards,
Jarda

From: Julien Gribonvald <julien.gribonv...@recia.fr>
To: cas-user@lists.jasig.org
Date: 30.06.2014 09:00
Subject: Re: [cas-user] Integrating CAS with the SAML2 plugin from GIP-RECIA
Re: [cas-user] Integrating CAS with the SAML2 plugin from GIP-RECIA
Hello Julien!

Thank you very much for your answers!

Concerning the LDAP: Now I know the partner company has an LDAP server, I just don't know if they can share it with us together with ADFS. If they can, fine, I will use the same approach you used. If not, I will try to implement a simple in-memory storage, as you suggest.

Concerning the WebFlow beans: I'll try to remove it and see what happens. If it still does not work, I will have to learn Spring WebFlow :-)

Thank you once again for your support!

Best Regards,
Jarda

From: Julien Gribonvald <julien.gribonv...@recia.fr>
To: cas-user@lists.jasig.org
Date: 30.06.2014 09:00
Subject: Re: [cas-user] Integrating CAS with the SAML2 plugin from GIP-RECIA

Hello Jarda,

Ok so:

- for the first problem: The use case is that the IdP is passing an attribute that can be found in a datasource (for us LDAP) that CAS uses to find users; it's an attribute for the federated identity. In our development we considered that the user exists in the CAS datasource, and to find it the IdP provides the email and we look in an LDAP, but you can replace all this part. For your use case you will have to make some implementation/configuration, as you will need to save the user's parameters in a datasource (in memory or database or ...) that CAS will be able to obtain easily during at least all the user session - look at the persondir lib; in this case there are several tools to define a user from several datasources - or maybe save the user's information in a datasource. That is needed because CAS won't request the user's parameters from the IdP again once the user is authenticated; this isn't intended and I don't know if it will be possible to request the SAML attributes from the IdP each time. Our development is a specific use case but you should be able to replace some parts by custom or CAS classes. For the sources you should be able to find all from: https://github.com/GIP-RECIA/cas/tree/feature-saml2/cas-server-support-saml2 after it uses some CAS modules like cas-server-support-ldap that you should activate.

- for the second: It's a custom change to be able to authenticate over CAS from different CAS domain names but sharing the same sessionId over all (sub-)domain names that we manage, so you can remove this part and all related.

Thanks
Julien G.

On 27/06/2014 18:02, Jaroslav Kacer wrote:

Hello Julien (and others)!

I have already achieved a state when CAS starts without problems with the plugin, however it throws an error when the user accesses the /login page. I'd like to ask two more questions about the plugin configuration.

1. Configuration in deployerConfigContext.xml:

You provided me (see your email from 24/06/2014 12:38) with 2 Spring beans that should be inserted into deployerConfigContext.xml:
- emailAddressesCredsToPrincipal, which goes to authenticationManager/credentialsToPrincipalResolvers
- ldapEmailAddressesAuthenticationHandler, which goes to authenticationManager/authenticationHandlers

Concerning ldapEmailAddressesAuthenticationHandler, I don't quite understand its purpose. I have looked into the source and it seems it only communicates with an LDAP server. Does it mean the plugin requires an LDAP server in addition to the SAML IdP? Because I expected that all user attributes would come from the IdP as attributes. I'm afraid I will have no LDAP server available for people authenticating via the SAML IdP. Or maybe I misunderstood something here... I would assume the deployerConfigContext.xml file will contain a handler that communicates with the IdP using SAML messages. But I can't find any in the source code, so maybe I am wrong.

2. Configuration in login-webflow.xml - expression initMultiDomainAction

File login-webflow.xml now contains the following definition of initializeFlow:

<action-state id="initializeFlow">
  <evaluate expression="initialFlowSetupAction" />
  <evaluate expression="initMultiDomainAction">
    <attribute name="name" value="initFinished" />
  </evaluate>
  <transition on="initFinished.success" to="checkSamlResponse" />
</action-state>

When I try to go to the /login page, I get an error and there is the following stack trace in the log:

SEVERE: Servlet.service() for servlet [cas] in context with path [/cas-web-app] threw exception [Request processing failed; nested exception is org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing [AnnotatedAction@709f98e4 targetAction = [EvaluateAction@7deeda7f expression = initMultiDomainAction, resultExpression = [null]], attributes = map['name' -> 'initFinished']] in state 'initializeFlow' of flow 'login' -- action execution attributes were 'map[[empty]]'] with root cause
ognl.NoSuchPropertyException: org.springframework.webflow.engine.impl.RequestControlContextImpl.initMultiDomainAction
        at ognl.ObjectPropertyAccessor.getProperty(ObjectPropertyAccessor.java:151
Re: [cas-user] Integrating CAS with the SAML2 plugin from GIP-RECIA
in CAS 4 pac4j with some examples (not the SAML but it's a beginning). But if you go on this solution please give a feedback ;)

Thanks
Julien Gribonvald

On 24/06/2014 12:38, Julien Gribonvald wrote:

Hi,

I would suggest that you look at pac4j; it should replace the SAML plugin developed by Maxime in the future for our use (Maxime worked for us on this plugin before something more generic as pac4j came). This toolbox (I see it like that) will help to use the last version of CAS, as Maxime's plugin should be reviewed for versions of CAS after 3.4.x. After, I don't know if we can use it for that, but maybe Jérôme Leleu could give some words on this use or point to a documentation?

Else for the use of this plugin see in attachment an example of our SP metadata file that we use in production on our CAS (obviously without certificates and custom data, so replace A_DOMAIN_NAME by your domain name, ADD CERTIFICATE HERE, and see on other custom data). About IdP it was tested over a Shibboleth IdP and in production with another IdP than Shibboleth (seems a fork for private use, or something related with IBM, but we don't know a lot about it), but working in the same way as all is based on SAML specs, so I think this should work.

After, about configuration, all files that you have to modify and deploy are on https://github.com/GIP-RECIA/cas/tree/feature-saml2/cas-server-support-saml2/ sample-* but I think you don't have to modify a lot, setting all properties should do the work. And the properties in config.properties should be added in the original file cas.properties.

If I look on our deployment, something that I don't see in the source are:

- in deployerConfigContext.xml: in the bean authenticationManager, in the property credentialsToPrincipalResolvers, add the credentialResolver mapped to the SAML service; we use the EmailAddressesCredentialsToPrincipalResolver.java as example:

<bean id="emailAddressesCredsToPrincipal" class="org.esco.cas.authentication.principal.EmailAddressesCredentialsToPrincipalResolver">
  <property name="attributeRepository" ref="attributeRepository" />
</bean>

<bean id="ldapEmailAddressesAuthenticationHandler" class="org.esco.cas.authentication.handler.support.LdapEmailAddressesAuthenticationHandler">
  <property name="searchBase" value="${ldap.basedn}" />
  <property name="contextSource" ref="contextSource" />
  <property name="principalAttributeName" value="${ldap.identifier.attribute}" />
  <property name="timeout" value="5000" />
  <property name="authenticationLdapFiltersArray" value="${ldap.authentication.email.filters}" />
</bean>

- in cas-servlet.xml you should add the import of cas-servlet-saml2.xml

I hope this will help, but don't hesitate to ask, I can provide some other examples... After, for the documentation, we have one in French explaining properties and how it works but that's all; after, you are welcome to make a pull request for contributions if you succeed to install the plugin.

Thanks
Julien Gribonvald

On 24/06/2014 11:09, Jaroslav Kacer wrote:
[cas-user] Integrating CAS with the SAML2 plugin from GIP-RECIA
Hello everybody!

I'm trying to integrate CAS and the SAML2 plugin which was discussed in this list on Oct 22 2013 by Maxime Bossard (https://groups.google.com/d/msg/jasig-cas-user/FVrTSnXMJbk/SHzarllCF2kJ). As I am experiencing some issues, I wonder if someone (possibly Maxime) could help me. I have already asked directly in the Google group but the message did not propagate to this list, so I am posting the question again.

The version of CAS I use is 3.4.12.1 because the plugin's POM file points to 3.4.11-RC1 and 3.4.12.1 is the latest version in the 3.4.x line. I have merged the provided sample XML configuration files with those of CAS, also the two properties files, some JSPs and web.xml.

Now I am getting errors from the plugin complaining about SP metadata. Obviously the plugin expects some SAML2 endpoints with various bindings that are not in my SP metadata. Maxime, could you please provide a list of all expected endpoints with their bindings and URLs that should be enumerated in the SP metadata file? Or, an example SP metadata file would be even better :-) Although the error message clearly says what service/binding the plugin expects, I don't know how to create the URLs for the bindings. Are they fixed or does the plugin first read the metadata file and then uses the URLs specified there?

I would also like to ask about the IdP side. I assume you used the plugin against Shibboleth. Have you tested it against other IdP servers? I'd like to use Microsoft ADFS. Are any special settings needed? (I don't have access to the server yet so I cannot test it at the moment.) At the moment, I am using an example IdP metadata file from Shibboleth (just to make it run) but I will have to adapt it later.

It would be great if the documentation for the plugin could be more elaborated, mainly the section Plugin Configuration. I've already spent 2 days putting CAS and the plugin together. Or is there anything else than the ReadMe.md file from Github?

Thank you in advance for your answer!

Best Regards,
Jarda Kacer, IDC
Re: [cas-user] Integrating CAS with the SAML2 plugin from GIP-RECIA
Hello Julien!

Thank you very much for replying and helping me.

PAC4J - I will definitely have a look, so far I haven't read anything about it.

Could you please send the example of SP metadata directly to me or paste it inline? It seems the list does not accept attachments :-(

Concerning the samples: Yes, this is the place where I took the files from, this seems to be OK, I managed to copy/merge them into CAS. I kept the properties files independent and added them to propertyFileConfigurer.xml.

Concerning deployerConfigContext.xml: So far I haven't made any modifications here, thank you for pointing this out.

I will post my results here when I finish, hopefully soon...

And, any documentation is fine, even if it's only in French (I speak French) :-)

Best Regards,
Jarda Kacer

From: Julien Gribonvald <julien.gribonv...@recia.fr>
To: cas-user@lists.jasig.org
Date: 24.06.2014 12:39
Subject: Re: [cas-user] Integrating CAS with the SAML2 plugin from GIP-RECIA
Re: [cas-user] Integrating CAS with the SAML2 plugin from GIP-RECIA
Great! Thanks a lot / merci beaucoup!

Jarda

From: Julien Gribonvald <julien.gribonv...@recia.fr>
To: cas-user@lists.jasig.org
Date: 24.06.2014 14:07
Subject: Re: [cas-user] Integrating CAS with the SAML2 plugin from GIP-RECIA

With the attachment it's better, I forgot to add it :-P

Thanks
Julien

On 24/06/2014 13:18, Jaroslav Kacer wrote: