Re: [cas-user] CAS v4.0.6 is released

2015-10-26 Thread Linda Toth
Thanks Carlos and Misagh

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/


On Fri, Oct 23, 2015 at 2:07 PM, Misagh Moayyed <mmoay...@unicon.net> wrote:

> Also, see http://jasig.github.io/cas/4.1.x/planning/Upgrade-Guide.html
>
>
>
> *From:* Carlos M. Fernández [mailto:cfern...@sju.edu]
> *Sent:* Friday, October 23, 2015 1:21 PM
> *To:* cas-user@lists.jasig.org
> *Subject:* RE: [cas-user] CAS v4.0.6 is released
>
>
>
> Hi, Linda,
>
>
>
> I’m in the process of upgrading from 3.5.2.1 to 4.0.6 and already have an
> instance of the new version running and working in development. I’d
> recommend starting with a new overlay and POM, configuring those features
> that you need or want carried over from the currently deployed version.
> Most of the configuration files (especially deployerConfigContext.xml)
> changed considerably between the two versions, so it’s easier to restart
> from scratch.
>
>
>
> Custom themes do carry over without modification, though. I was able to
> copy my custom view JSPs and properties without touching them.
>
>
>
> Best regards,
>
> --
>
> Carlos M. Fernández
>
> Enterprise Systems Manager
>
> *Saint Joseph’s University*
>
> Philadelphia PA 19131
>
> T: +1 610 660 1501
>

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] CAS v4.0.6 is released

2015-10-22 Thread Linda Toth
Good evening.

What is the recommended upgrade path from 3.5 to subsequent versions of CAS?

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/


On Mon, Oct 19, 2015 at 2:23 PM, Misagh Moayyed <mmoay...@unicon.net> wrote:

> CAS Community,
>
> CAS version 4.0.6 [1] has been released and should shortly make its way
> into Maven central repositories, if not already. We encourage you to
> integrate this release into your own CAS maven overlay environment and
> provide feedback. Upgrading from a 4.0.x should be painless. You will find
> the full changelog at the link provided below.
>
> Misagh
>
>
>
> [1] https://github.com/Jasig/cas/releases/tag/v4.0.6
>
>
>
>
>



Re: [cas-user] Drop the management webapp

2015-07-29 Thread Linda Toth
Unfortunately, we are still at 3.4.2 and have frequent additions to the CAS
registry. However, we could insert them via the database until moving to
the JSON registry... Honestly, by the time I find a way to migrate our
unusual authentication policies from this version to even 3.5.2, you all
will have a different solution anyhow.  We can adjust.

Linda

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/


On Mon, Jul 27, 2015 at 5:34 AM, Jérôme LELEU <lel...@gmail.com> wrote:

 Hi,

 It's already possible to reload the services periodically from database
 for example, but not when it's defined in the Spring context.

 With the new JSON services registry, the services are automatically
 created, updated and deleted.

 Best regards,
 Jérôme


 2015-07-27 15:20 GMT+02:00 Ourada, John <jour...@depaul.edu>:

  Ours changes very infrequently also, but has started changing more now
 that we have external apps that need to authenticate.  Those require a
 manual entry in the deployer config file.  It requires a manual restart of
 the CAS application to reload them.  I haven’t looked at 4.1 yet, but it would
 be nice if the app would look for updated service registry files and
 reload them periodically.



 -john



 *From:* Christopher Myers [mailto:cmy...@mail.millikin.edu]
 *Sent:* Monday, July 27, 2015 7:16 AM
 *To:* cas-user@lists.jasig.org
 *Subject:* Re: [cas-user] Drop the management webapp



 Honestly, our CAS configuration changes so infrequently that we don't
 even need to use a regular service registry; we just have our configs
 stored in the deployerConfigContext.xml file directly.


 Chris


  Jérôme LELEU <lel...@gmail.com> 07/26/15 9:08 AM 

 Hi,



 The CAS service model has strongly evolved for the CAS server v4.1 and
 the powerful new policies are hard to define through a UI. Maintaining this
 webapp requires a lot of work.

 The default services registry is now based on JSON files which also makes
 manual editing a lot easier.



 I'm in favor of dropping the CAS management webapp or maybe first moving
 it into a separate project.



 I'd like to get feedback on this idea: do CAS deployers use it? How?



 Thanks.

 Best regards,

 Jérôme







[cas-user] CAS will not restart if firewall drops

2015-05-04 Thread Linda Toth
Folks,

We are at 3.4.2.1.  If the database holding the service registry is offline
and then reconnected, CAS will automatically renew the connection and allow
service as expected.  However, CAS will not automatically restart if our
firewalls are down long enough for a timeout of the connections upon
which it depends (AD and the back-end database).  I have noticed it before
when an AD server failed on the test system, where the connections are not
robust, but this is the first time we have had systemic failures that blocked
all connections.

This is the failure in the localhost.yyyy-mm-dd.log file:

SEVERE: Servlet.service() for servlet cas threw exception

org.springframework.webflow.conversation.impl.LockTimeoutException: Unable
to acquire conversation lock after 30 seconds


Tomcat is not down and by all appearances, the CAS server is still
running.  What should I be looking at in our configuration that will allow
CAS to re-establish all necessary connections automatically after
interruption?


Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/



[cas-user] Change between 3.4.2.1 and 3.5.2.1 not rolling to second authentication scheme

2015-03-18 Thread Linda Toth
Hello

We have an unusual situation.  When we first used CAS, we thought we would
restrict it to Ellucian Banner and use Shibboleth for all other
authentications.  However, as Banner keeps expanding, other product owners
have opted for CAS over Shibboleth because an SP is not required.

Banner Products perform their own authorization once a user is
authenticated.  So, one of our Banner products (Self-service Banner) wants
to allow expired users access.  This is how they re-register, and since UA
campuses differ on when they expire accounts in AD, we can have students
unable to log in to register two weeks after semester end in some cases.

We developed a second authenticator proxy that bypasses AD if
authentication fails the first time.

3.4.2.1 handled this well.  3.5.2.1 throws the error for the expired user
rather than rolling to the second authentication.

We are accepting that some products (i.e., SSB) will allow expired users,
while most will simply not allow them at all.

If anyone has developed a template configuration that can funnel
authentication based on target URL, I would be interested in seeing it.

Linda

--
Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/


Re: [cas-user] 3.4.2.1 to 3.5.2.1 in deployerConfigContext.xml

2015-02-03 Thread Linda Toth
See inline comments ...

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/


On Mon, Feb 2, 2015 at 4:54 PM, Waldbieser, Carl <waldb...@lafayette.edu>
wrote:

 Linda,

 In your CAS logs, prior to a successful BIND while using CAS 3.4.2.1, is
 there any indication CAS tried to BIND to the primary directory?  I am
 guessing in the failed attempt to BIND to the primary using CAS there were
 no further log entries suggesting CAS might have tried to BIND to the
 secondary directory?

 YES, noted in RED below

 Also, I am not sure how much logging information you can get out of your
 directories, but can you confirm from the LDAP side of things what
 directories are being consulted by each version of CAS?  I.e., can you fill
 in the following table based on LDAP logs, using an account that is
 *supposed* to fail over to the secondary:


I control which LDAP server is being used by properties in the
cas.properties file.  I have not changed servers for either the primary or
secondary between CAS versions.


   CAS VERSION   Attempt BIND Primary?   Attempt BIND Secondary?
   ===========   =====================   =======================
   3.4.2.1
   3.5.2.1

 The deployerConfig.xml is what I would expect-- the authentication
 handlers look like they should be tried one after another until one
 succeeds or they all fail.

 What is not clear without seeing more logs (either CAS or LDAP) is whether
 CAS fails in the newer version because it is not attempting to BIND to the
 secondary, or whether it attempts to BIND to the secondary and fails.

See LOG in blue below.  It does not indicate it is trying to resolve a
principal and cannot, so it moves on to constructing a SimplePrincipal.


 Thanks,
 Carl

 - Original Message -
 From: Linda Toth <ltt...@alaska.edu>
 To: cas-user@lists.jasig.org
 Sent: Monday, February 2, 2015 7:22:44 PM
 Subject: Re: [cas-user] 3.4.2.1 to 3.5.2.1 in deployerConfigContext.xml

 Carl

 I was able to roll out 3.5.2.1 a little earlier than I expected and you
 asked if I had evidence in the logs of successful roll over to secondary
 primary, etc.  ... Here is the log for an unexpired user in 3.4.2.1,
 followed by the log in 3.5.2.1.  Users that are authenticated through the
 primary LDAP show the successful filter of:

 Successful filter via primary LDAP

 2015-02-02 11:42:05,885 DEBUG

 [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
 - LDAP search with filter (|(sAMAccountName=rred)(&(uaIdentifier=rred)(employeeNumber=*)))

 Successful filter via secondary LDAP on 3.4.2.1

 2015-02-02 14:59:28,720 DEBUG
 [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Performing
 LDAP bind with credential:
 CN=eofelt,OU=userAccounts,DC=ua,DC=adt,DC=alaska,DC=edu

 2015-02-02 14:59:29,307 DEBUG
 [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Performing
 LDAP bind with credential:
 CN=eofelt,OU=userAccounts,DC=ua,DC=adt,DC=alaska,DC=edu

 2015-02-02 14:59:29,582 DEBUG

 [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
 - Attempting to resolve a principal...

 2015-02-02 14:59:29,582 DEBUG

 [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
 - Attempting to resolve a principal...

 2015-02-02 14:59:29,582 DEBUG

 [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
 - Creating SimplePrincipal for [eofelt]

 2015-02-02 14:59:29,582 DEBUG

 [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
 - Resolved eofelt. Trying LDAP resolve now...

 2015-02-02 14:59:29,582 DEBUG

 [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
 - LDAP search with filter
 (|(&(employeeNumber=*)(uaIdentifier=eofelt))(cn=eofelt))

 2015-02-02 14:59:29,582 DEBUG

 [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
 - returning searchcontrols: scope=2; search
 base=dc=ua,dc=adt,dc=alaska,dc=edu; attributes=[cn]; timeout=1000

 2015-02-02 14:59:29,920 DEBUG

 [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
 - Resolved eofelt to eofelt

 2015-02-02 14:59:29,920 DEBUG

 [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
 - Creating SimplePrincipal for [eofelt]

 2015-02-02 14:59:29,920 DEBUG
 [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] -
 Created seed map='{username=[eofelt]}' for uid='eofelt'

 2015-02-02 14:59:29,920 DEBUG
 [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Adding
 attribute 'sAMAccountName' with value '[eofelt]' to query builder 'null'

 2015-02-02 14:59:29,920 DEBUG
 [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] -
 Generated query

Re: [cas-user] 3.4.2.1 to 3.5.2.1 in deployerConfigContext.xml

2015-02-02 Thread Linda Toth
Carl,

Yesterday I had a clear distinction between the 3.4.2.1 successful login
and the 3.5.2.1 failure.  I did not it make the attempt for 3.4.2.1 and did
not see it in 3.5.2.1.  It simply came back with the expired notice.

I am in the process of rebuilding TEST to 3.4.2.1 (including tables for
registry).  I won't be able to diagnose more of these issues on DEV until
that is complete - at which time I can provide better details.

Thanks for taking time to respond.  I greatly appreciate it.

Linda

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/


On Mon, Feb 2, 2015 at 9:33 AM, Waldbieser, Carl <waldb...@lafayette.edu>
wrote:

 Linda,

 Is there any indication (e.g. from proxy logs) that the accounts that are
 failing over are actually making requests against the proxy?  In other
 words, do you have any indication whether the issue is that the fail over
 requests are never being made or that the requests are being made but
 failing to authenticate?

 Thanks,
 Carl Waldbieser
 ITS Systems Programmer
 Lafayette College

 - Original Message -
 From: Linda Toth <ltt...@alaska.edu>
 To: cas-user@lists.jasig.org
 Sent: Monday, February 2, 2015 1:04:40 PM
 Subject: [cas-user] 3.4.2.1 to 3.5.2.1 in deployerConfigContext.xml

 Good morning,

 FYI - I am aware I need to promote to 3.5.3, but first things first.

 I forwarded this question to our support organizations for CAS and they
 have not come up with any explanation yet.  I am hoping someone here has
 some insight.

 I have not changed the deployerConfigContext.xml file from 3.4.2.1 to
 3.5.2.1.  I looked over the distribution, but opted to try it as is.  Our
 deployerConfigContext.xml file contains a component that allows expired and
 new users to fall through to an active directory proxy when they fail to be
 authenticated via straight AD LDAP.  Our policies at UA expire students
 very quickly on some campuses so that they can not use the PC work
 stations.  This causes issues when they come back to register for the next
 semester.

 In 3.4.2.1, I developed a nice configuration that will allow authentication
 through one or the other.  3.5.2.1, it only authenticates users that are
 not expired, i.e., it is not failing over.

 I have extracted the pertinent sections and placed them in a file,
 attached.  It is a simple text file.  One thing I did not do that may cause
 problems is that I did not denote a separate attributeRepository bean.
 They are identical for both straight AD and the proxy.  Perhaps I should
 replicate them with a different name.

 If anyone can pinpoint a modification I should make to accommodate 3.5.2.1
 quickly, I would greatly appreciate it.  I very much want to move toward
 two-factor authentication and Casifying Shib, but need 3.5.2.1 to do that.


 Linda Toth
 University of Alaska - Office of Information Technology (OIT) - Identity
 and Access Management
 910 Yukon Drive, Suite 103
 Fairbanks, Alaska 99775
 Tel: 907-450-8320
 Fax: 907-450-8381
 linda.t...@alaska.edu | www.alaska.edu/oit/


Re: [cas-user] 3.4.2.1 to 3.5.2.1 in deployerConfigContext.xml

2015-02-02 Thread Linda Toth
 error [LDAP: error code 49 - 80090308:
LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 701,
v1db1^@]; nested exception is javax.naming.AuthenticationException: [LDAP:
error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment:
AcceptSecurityContext error, data 701, v1db1^@]

2015-02-02 14:48:51,542 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler failed
authenticating [username: eofelt]

2015-02-02 14:48:51,547 DEBUG
[org.jasig.cas.web.flow.AuthenticationViaFormAction] - An authentication
error has occurred. Returning the event id error




Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/



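The question Carl raised in this thread (did CAS attempt the second bind, or did it stop after the first handler failed?) can be answered from the CAS server log alone, at least as far as the order of binds goes. The script below is an added example written for this page; it is not code from the thread or from the CAS project. It re-joins log entries that the mail client wrapped across lines, counts `BindLdapAuthenticationHandler` bind attempts, decodes the Active Directory sub-code that follows `AcceptSecurityContext error, data` (701 is "account expired", which matches the symptom described above), records which handler reported failure, and fills in the rows of Carl's table. The two log samples are constructed to match the format quoted in this thread: the account name, DN and timestamps are placeholders, and the logger name on the ERROR entry is an assumption, since the excerpt in the thread starts mid-message and does not show it.

```python
import re

# Constructed sample logs, modelled on the lines quoted in this thread. The
# account name and DN are placeholders, and the ERROR entry's logger name is an
# assumption (the thread's excerpt starts mid-message and does not show it).
LOG_3_4_2_1 = """\
2015-02-02 14:59:28,720 DEBUG
[org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Performing
LDAP bind with credential:
CN=jdoe,OU=userAccounts,DC=example,DC=edu
2015-02-02 14:59:29,307 DEBUG
[org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Performing
LDAP bind with credential:
CN=jdoe,OU=userAccounts,DC=example,DC=edu
2015-02-02 14:59:29,582 DEBUG
[org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
- Creating SimplePrincipal for [jdoe]
"""

LOG_3_5_2_1 = """\
2015-02-02 14:48:51,540 DEBUG
[org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Performing
LDAP bind with credential:
CN=jdoe,OU=userAccounts,DC=example,DC=edu
2015-02-02 14:48:51,541 ERROR
[org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - [LDAP: error
code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext
error, data 701, v1db1]; nested exception is
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 701, v1db1]
2015-02-02 14:48:51,542 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler failed
authenticating [username: jdoe]
2015-02-02 14:48:51,547 DEBUG
[org.jasig.cas.web.flow.AuthenticationViaFormAction] - An authentication
error has occurred. Returning the event id error
"""

# Sub-codes Active Directory appends to an LDAP result 49 (invalidCredentials).
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
BIND_RE = re.compile(r"\[[\w.]*BindLdapAuthenticationHandler\] - Performing LDAP bind")
FAIL_RE = re.compile(r"\[org\.jasig\.cas\.authentication\.AuthenticationManagerImpl\] - "
                     r"(\S+) failed authenticating \[username: ([^\]]+)\]")
SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data (\w+)")
PRINCIPAL_RE = re.compile(r"Creating SimplePrincipal for \[([^\]]+)\]")


def entries(log_text):
    """Re-join log entries that the mail client wrapped onto several lines:
    a line that does not start with a timestamp continues the previous entry."""
    joined = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line
    return joined


def analyze(log_text):
    """Summarise one login attempt: how many binds were tried, which handler
    reported failure, what AD said, and whether a principal was finally built."""
    binds, failures, subcodes, principal = 0, [], [], None
    for entry in entries(log_text):
        if BIND_RE.search(entry):
            binds += 1
        m = FAIL_RE.search(entry)
        if m:
            failures.append((m.group(1).rsplit(".", 1)[-1], m.group(2)))
        for code in SUBCODE_RE.findall(entry):
            decoded = (code, AD_SUBCODES.get(code, "unknown sub-code"))
            if decoded not in subcodes:   # the nested exception repeats the code
                subcodes.append(decoded)
        m = PRINCIPAL_RE.search(entry)
        if m:
            principal = m.group(1)
    return {
        "bind_attempts": binds,
        "handler_failures": failures,
        "ad_subcodes": subcodes,
        "principal": principal,
        # The bind line names the credential DN but not the directory server,
        # so a second bind is the only evidence the next handler was reached.
        "fell_through": binds >= 2,
    }


def failover_table(logs_by_version):
    """Rows for the table in the thread: (version, primary bind?, secondary bind?).
    Only the order of binds is visible here; the LDAP-side logs still have to
    confirm which server each bind actually hit."""
    rows = []
    for version, text in logs_by_version.items():
        binds = analyze(text)["bind_attempts"]
        rows.append((version, binds >= 1, binds >= 2))
    return rows


if __name__ == "__main__":
    for version, text in (("3.4.2.1", LOG_3_4_2_1), ("3.5.2.1", LOG_3_5_2_1)):
        print(version, analyze(text))
    print(failover_table({"3.4.2.1": LOG_3_4_2_1, "3.5.2.1": LOG_3_5_2_1}))
```

Run against a real `cas.log`, the script only tells you whether a second `Performing LDAP bind` was logged at all; because the DEBUG line carries the credential DN and not the server, it cannot say which directory answered, which is why the LDAP-side logs Carl asked for remain the authoritative source for the two "Attempt BIND" columns.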

[cas-user] 3.4.2.1 to 3.5.2.1 in deployerConfigContext.xml

2015-02-02 Thread Linda Toth
Good morning,

FYI - I am aware I need to promote to 3.5.3, but first things first.

I forwarded this question to our support organizations for CAS and they
have not come up with any explanation yet.  I am hoping someone here has
some insight.

I have not changed the deployerConfigContext.xml file from 3.4.2.1 to
3.5.2.1.  I looked over the distribution, but opted to try it as is.  Our
deployerConfigContext.xml file contains a component that allows expired and
new users to fall through to an active directory proxy when they fail to be
authenticated via straight AD LDAP.  Our policies at UA expire students
very quickly on some campuses so that they can not use the PC work
stations.  This causes issues when they come back to register for the next
semester.

In 3.4.2.1, I developed a nice configuration that will allow authentication
through one or the other.  3.5.2.1, it only authenticates users that are
not expired, i.e., it is not failing over.

I have extracted the pertinent sections and placed them in a file,
attached.  It is a simple text file.  One thing I did not do that may cause
problems is that I did not denote a separate attributeRepository bean.
They are identical for both straight AD and the proxy.  Perhaps I should
replicate them with a different name.

If anyone can pinpoint a modification I should make to accommodate 3.5.2.1
quickly, I would greatly appreciate it.  I very much want to move toward
two-factor authentication and Casifying Shib, but need 3.5.2.1 to do that.


Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/


dcc-extract
Description: Binary data


[cas-user] Oracle Service Management alter

2015-01-28 Thread Linda Toth
Good morning

Has anyone already implemented an Oracle ALTER table to modify the service
registry tables from 3.4.x to 3.5.*?  I can construct it, but would rather
borrow it to save time if someone already has a working SQL statement.

Thanks

Linda

--
Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/


Re:[cas-user] 3.5.2.1 - service registry username column

2015-01-09 Thread Linda Toth
Hello again,

Nevermind, I found it.  I should have gone to github first.

sorry

Linda

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/





[cas-user] 3.5.2.1 - service registry username column

2015-01-09 Thread Linda Toth
I have successfully upgraded from 3.4.2.1 to 3.5.2.1.  Per another thread,
the hardest part for me was not related to CAS upgrades or the right
CAS/Spring jar versions, but recognizing the '14' in ojdbc14.jar was
referring to Java 4!  Once I upgraded to ojdbc6.jar, it has gone quickly.

When I logged into the service registry, I noticed a new field, username -
all marked with a bold red 'X'.  Would someone direct me to documentation
if it exists outside of the deployerConfigContext.xml file.  In that file,
there is no property name that contains a reference to username.  It
looks like I should add a column to the service registry table.

Linda

--
Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/


[cas-user] Issues with ServiceRegistryDaoImpl in 3.5.2.1

2014-12-17 Thread Linda Toth
I have reviewed the ServiceRegistryDaoImpl for 3.5.2.1.  It seems to be
failing at the initDao method inherited from
org.springframework.dao.support.DaoSupport.

If there is any configuration change to the definitions for the
org.jasig.cas.services.JpaServiceRegistryDaoImpl class and its nested
classes from 3.4.2.1 to 3.5.2.1, please tell me what they are.

I do see substantial changes noted in the documentation for 4.00 +, but
have not found any indication I need to change between the two versions
noted above.  I searched through every class referenced in the bean
definition for serviceRegistryDao.

They are all contained in spring-tx-3.1.1.RELEASE.jar,
spring-orm-3.1.1.RELEASE.jar or commons-dbcp.jar.  I may need to upgrade my
version of commons-dbcp.jar.  Which version is used for 3.5.2.1?

Linda



On Wed, Dec 17, 2014 at 11:17 AM, Linda Toth ltt...@alaska.edu wrote:

 Good afternoon,

 As much as I hate to admit it, I am humbled by the transition from 3.4.2.1
 to 3.5.2.1.

 I have used the maven overlay 4.0.0 and although I see some later versions
 of libraries come in than what is recommended on the maven repository page
 for dependencies, I have been able to verify I have the correct version.

 Nevertheless, despite checking all versions and all dependencies, I
 continue to get an error when it tries to resolve the
 entityManagerFactory.  From what I can find via web searches, I may be
 caught in the middle of some version conflicts for dependencies, but can
 not find which versions of some jars to use with certainty.  Maven has
 downloaded multiple versions of the same jar in some cases.

 The pertinent excerpt of the error is:

 2014-12-16 14:18:06,512 ERROR
 [org.springframework.web.context.ContextLoader] - Context initialization
 failed

 org.springframework.beans.factory.BeanCreationException: Error creating
 bean with name 'servicesManager' defined in ServletContext resource
 [/WEB-INF/spring-configuration/applicationContext.xml]: Cannot resolve
 reference to bean 'serviceRegistryDao' while setting constructor argument;
 nested exception is
 org.springframework.beans.factory.BeanCreationException: Error creating
 bean with name 'serviceRegistryDao' defined in ServletContext resource
 [/WEB-INF/deployerConfigContext.xml]: Cannot resolve reference to bean
 'entityManagerFactory' while setting bean property 'entityManagerFactory';
 nested exception is
 org.springframework.beans.factory.BeanCreationException: Error creating
 bean with name 'entityManagerFactory' defined in ServletContext resource
 [/WEB-INF/deployerConfigContext.xml]: Invocation of init method failed;
 nested exception is java.lang.NullPointerException

 at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:328)
 at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:106)
 at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:616)
 at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:148)

 There is no DB connection error being thrown in the
 localhost.2014-12-xx.log file.

 I have tried everything I have been able to find online about this error
 and this situation in CAS and so far, none of the suggested solutions has
 resolved the error.  *I have not found an example of
 JpaServiceRegistryDaoImpl configuration for 3.5.2.1.*  I am left to assume
 that the error is not in the configuration itself, but in the dependencies.

 Nevertheless, here is what I have for the serviceRegistryDao
 configurations:

 <!--
   | Permanent data store for the Service Registry with
   | JPA-backed ServiceRegistry
   | DAO. The name of this bean remains serviceRegistryDao.
   +-->
 <bean id="serviceRegistryDao"
       class="org.jasig.cas.services.JpaServiceRegistryDaoImpl"
       p:entityManagerFactory-ref="entityManagerFactory" />

 <bean id="entityManagerFactory"
       class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
   <property name="dataSource" ref="dataSource"/>
   <property name="jpaVendorAdapter">
     <bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
       <property name="generateDdl" value="true"/>
       <property name="showSql" value="true"/>
     </bean>
   </property>
   <property name="jpaProperties">
     <props>
       <prop key="hibernate.dialect">org.hibernate.dialect.OracleDialect</prop>
       <prop key="hibernate.hbm2ddl.auto">update</prop>
     </props>
   </property>
 </bean>


 bean id

Re:[cas-user] Issues with ServiceRegistryDaoImpl in 3.5.2.1

2014-12-17 Thread Linda Toth
PS

I have removed duplicate jars that were downloaded by maven, usually
sticking with the latest unless the cas-server-* maven dependency lists
something else:

KEPT: commons-collections-3.2.1.jar - REMOVED: commons-collections-3.2.jar
KEPT: javassist-3.12.GA.jar - REMOVED: javassist-3.15.ga.jar and
javassist-3.7-GA.jar
KEPT: stax-api-1.0-2.jar - REMOVED: stax-api-1.0-1.jar



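As an added check, not code from this thread: a POSIX shell function that scans a lib directory for jar artifacts present in more than one version, which is the duplicate-jar situation the PS above describes. The directory it is run on and its jar names are constructed from the KEPT/REMOVED list plus a few singletons.

```shell
#!/bin/sh
# Added example (not code from the cas-user thread): find jar artifacts that a
# Maven overlay build has left in more than one version in a lib directory,
# the duplicate-jar situation described above. Only one copy of a class wins
# classloading at runtime, so every such pair is a latent version conflict.

# find_duplicate_jars DIR
#   Prints one line per artifact that occurs in several versions:
#   "<artifact>: <version> <version> ..." (versions in file-name order).
#   The artifact id is the file name up to the first "-<digit>" boundary, so
#   stax-api-1.0-2.jar splits into "stax-api" and "1.0-2", and log4j-1.2.17.jar
#   into "log4j" and "1.2.17"; a jar with no version part is reported as "(none)".
find_duplicate_jars() {
    for jar in "$1"/*.jar; do
        [ -e "$jar" ] || continue          # no jars at all: unmatched glob
        printf '%s\n' "$jar"
    done | LC_ALL=C sort | awk '
    {
        name = $0
        sub(/^.*\//, "", name)             # strip directory part
        sub(/\.jar$/, "", name)            # strip extension
        if (match(name, /-[0-9]/)) {       # leftmost "-<digit>" boundary
            artifact = substr(name, 1, RSTART - 1)
            version  = substr(name, RSTART + 1)
        } else {
            artifact = name                # e.g. commons-dbcp.jar, ojdbc6.jar
            version  = "(none)"
        }
        count[artifact]++
        versions[artifact] = versions[artifact] " " version
    }
    END {
        for (a in count)
            if (count[a] > 1)
                printf "%s:%s\n", a, versions[a]
    }' | LC_ALL=C sort
}

# Constructed sample: an empty stand-in for WEB-INF/lib holding the jar names
# from the message above plus a few singletons, so the check runs offline.
demo_dir=$(mktemp -d)
for f in commons-collections-3.2.1.jar commons-collections-3.2.jar \
         javassist-3.12.GA.jar javassist-3.15.ga.jar javassist-3.7-GA.jar \
         stax-api-1.0-1.jar stax-api-1.0-2.jar \
         spring-tx-3.1.1.RELEASE.jar commons-dbcp.jar ojdbc6.jar; do
    : > "$demo_dir/$f"
done
find_duplicate_jars "$demo_dir"
rm -rf "$demo_dir"
```

Run it against the real WEB-INF/lib of the exploded CAS webapp; an empty result means no artifact is shipped twice.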

Re:[cas-user] Issues with ServiceRegistryDaoImpl in 3.5.2.1

2014-12-17 Thread Linda Toth
After thinking about it for what seemed like forever, it occurred to me
that 3.5.2.1 uses a later version of Java and I needed to upgrade to
ojdbc6.jar.

So, it attempted to start the Quartz Scheduler (YEAH!!), but got another
error.  But you know, I don't care.  I can deal with it.

Linda




[cas-user] Inclusion of auditTrailManager.xml

2014-12-12 Thread Linda Toth
Good Afternoon from the cold, dark north as we near winter solstice.

Our version of CAS is stable enough, i.e., no major requests from our user
base, that I finally have time to upgrade to CAS 3.5.2.1.  The
auditTrailManager.xml file was unused in 3.4.2.1, but included in 3.5.2.1.
How much overhead does adding the audit trail logging add?  Where is this
documented so I can control how much it spews?

If I don't want to use it, any harm in tossing it back into
unused-spring-configuration/?

Linda



Re: [cas-user] Notifying users when the login form times out

2014-12-11 Thread Linda Toth
Hello

I wrote a script that explicitly defines when the form will time out and
put a countdown on the form itself.

I can provide that to anyone that is using releases prior to 4.0

Linda



On Wed, Dec 10, 2014 at 3:50 AM, David A. Kovacic d...@case.edu wrote:

 Yes, I agree.  That patch works fine.  :-)

 We managed to grab 4.0.0 before that patch became part of the standard
 distribution.

 Dave

 On 12/9/14 10:10 AM, Misagh Moayyed wrote:
 
 https://github.com/Unicon/cas/commit/fc05c138580346483f85f25786f5b84083e806da
 
  It would be better if you could in fact use this patch:
  https://github.com/Jasig/cas/pull/345
 
 
  -Original Message-
  From: David A. Kovacic [mailto:d...@case.edu]
  Sent: Tuesday, December 9, 2014 6:49 AM
  To: cas-user@lists.jasig.org
  Subject: [cas-user] Notifying users when the login form times out
 
  We apparently have several users who park themselves on the login page
  for more than 5 minutes and then try to enter their credentials.  Since
  the page has timed out, the server just clears the entries and redisplays
  the form.  This continues to happen until the user refreshes or revisits
  the page.  It's confusing the heck out of those users since our previous
  RubyCAS server would display an error message on the form like "Your
  session has timed out - refresh this page to start a new session and log
  in."
  
  Is there a way that we can display a similar message on JASig CAS?  I
  would think you could use a webflow to display an error message for a few
  seconds and then redirect the user to a fresh copy of the form, but
  being a JASig CAS newbie I have no idea how I would trigger it.  If anyone
  has done something similar or has some pointers on how to accomplish this
  I would appreciate some pointers.
 
  Dave
 
 



Re: [cas-user] json services registry for cas

2014-11-26 Thread Linda Toth
I am still following this thread, and also am interested in what CAS
developers have to say on the subject, especially since I was directed to
JSON as a solution.

Linda



On Fri, Nov 21, 2014 at 11:07 AM, Dmitriy Kopylenko dkopyle...@unicon.net
wrote:

 Just an FYI - I just released the 1.0.0-GA version and put the
 documentation out there:
 https://github.com/unicon-cas-addons/cas-addon-yaml-services-registry/blob/master/README.md

 Have a great weekend.

 Dmitriy.

 On Nov 20, 2014, at 7:01 PM, Dmitriy Kopylenko dkopyle...@unicon.net
 wrote:

 Glad that worked for you. It doesn't reload periodically, but on demand
 when the config file is changed. Look at the beans config that I referenced
 earlier. The entire config for this machinery is there.

 Cheers,
 D.

 Sent from my iPhone

 On Nov 20, 2014, at 18:51, Milt Epstein mepst...@illinois.edu wrote:

 Thanks, that did the trick -- I was able to install and use the
 cas-addon-yaml-service-registry package via a dependency in my pom.xml
 file.  The main problem was that I had used 1.0.0-M1 as the version
 (that was previously on the package's web page, but looks like you
 updated it to 1.0.0-RC1).

 And looks like it's automatically set up to reload periodically.  Is
 that controlled by these parameters in cas.properties:

 # Service Registry Periodic Reloading Scheduler
 # service.registry.quartz.reloader.startDelay=12
 # Reload services every 2 minutes
 # service.registry.quartz.reloader.repeatInterval=12

 (I didn't uncomment these, so it must be using default values.)

 And for the core CAS devs, can you address these questions?:

 Other questions: I assume the CAS-integrated JSON service registry is
 not available for version 4.0, just 4.1?  And when is 4.1 due for
 release?  Is there a candidate ready to be tried now?  How close to
 being ready to go is it?


 This is the question for core CAS devs ;-)


 Thanks.

 Milt Epstein
 Applications Developer
 Graduate School of Library and Information Science (GSLIS)
 University of Illinois at Urbana-Champaign (UIUC)
 mepst...@illinois.edu


 On Thu, 20 Nov 2014, Dmitriy Kopylenko wrote:

 On Nov 20, 2014, at 1:20 PM, Milt Epstein mepst...@illinois.edu wrote:

 [ ... ]

 But more importantly, it's still not clear how to use/integrate the
 cas-addon-yaml-service-registry package.  Can I put a dependency for
 it in my pom.xml?  I tried something for that, and it didn't work.
 Can I download it and put it into my maven overlay?  I tried
 downloading the master zip, and tried to build that (using gradlew?),
 separately, but it failed.


 Here’s an example of how to use it (version 1.0.0-RC1 is available in
 Maven central since yesterday):

 https://github.com/UniconLabs/simple-cas4-overlay-template/blob/micro-addons/pom.xml#L62

 https://github.com/UniconLabs/simple-cas4-overlay-template/blob/micro-addons/src/main/webapp/WEB-INF/spring-configuration/servicesRegistry.xml

 Note that this config element <cas-external:yaml-services-registry/>
 assumes the default location to be /etc/cas/servicesRegistry.yml. Just put
 the file there and you should be good to go.


 Other questions: I assume the CAS-integrated JSON service registry is
 not available for version 4.0, just 4.1?  And when is 4.1 due for
 release?  Is there a candidate ready to be tried now?  How close to
 being ready to go is it?


 This is the question for core CAS devs ;-)



Re: [cas-user] json services registry for cas

2014-11-20 Thread Linda Toth
Dmitriy,

I am assuming the YAML version as well as the CAS 4.1 JSON implementation
do not support clustered environments either, correct?  I would still need
to make use of your earlier suggestion in order to get away from using a
database with data guard to ensure synchronization.

Linda



On Thu, Nov 20, 2014 at 6:44 AM, Dmitriy Kopylenko dkopyle...@unicon.net
wrote:

 Hi Milt. Sorry for the confusion (I’m responsible for this confusion).
 I’ll fix the README. So here’s a summary of things as far as add ons go:

 The current monolithic cas-addons library has served us well for the 3.5.1+
 line of CAS (and continues to do so). But it has grown quite a bit since
 its inception and became kind of like a “kitchen sink” or a “Swiss army
 knife” if you will, of the useful addon bits stuffed into a single jar
 which brings with it some extra dependencies even if one doesn’t use some
 parts of the functionality, etc.

 So we have thought to create a next generation of “micro addons” as
 separate projects with a small, cohesive set of functionalities and
 dependencies, so folks could choose the appropriate one to use without
 bringing the “extra baggage” with them - and that’s exclusively for the 4.0+
 line. While the monolithic cas-addons is alive and still supported for CAS
 3.5.1+, we are not investing our time into new development of it and are
 shifting our focus to develop and maintain new micro add ons for CAS4 where
 it makes sense - as CAS4 is gaining momentum here.

 Now, as far as the JSON service registry - since CAS 4.1 is bringing its own
 JSON service registry into the core, I’ve decided to drop it completely as
 it would be a meaningless exercise to have an extra one out there. On the
 other hand, one of the most useful properties of the JSON addon registry is
 the support for an extra metadata Map attached to an extension type, namely
 “RegisteredServicesWithAttributes”, which allowed us to build all kinds of
 useful extension features with it over the years. And also the lightweight
 nature of the JSON svc registry implementation and its dynamic runtime
 reloading feature.

 Thus as a replacement for it, I have recently implemented a YAML
 services registry to exhibit the same behaviors as the current JSON registry
 addon, as well as the added benefit of the more human readable format that
 is YAML (IMHO) than JSON, giving it more of a DSL-like look and feel. The
 current implementation is very fresh (a few days old), but I’ve done a good
 amount of local testing and it works like a charm. The plan is for it to be
 supported on CAS 4.0+ and be a main alternative to the native CAS4 JSON svc
 registry (I will change that confusing README message), as well as to add
 wiki documentation and release 1.0 GA some time next week. In the meantime,
 here’s what the services definition file looks like:


 https://github.com/unicon-cas-addons/cas-addon-yaml-services-registry/blob/master/src/test/resources/net/unicon/cas/addon/serviceregistry/yaml/servicesRegistry.yml

 Hope this helps clearing things up a bit.

 Best,
 Dmitriy.



 On Nov 20, 2014, at 10:18 AM, Milt Epstein mepst...@illinois.edu wrote:

 OK, I'm getting a little confused, so I thought I'd ask here for
 pointers.  I'm trying to get a CAS version 4.0 setup going, and I was
 thinking of using the JSON services registry.  We're using it with our
 current version (3.4.12), and we're happy with how it's working.  I
 had to install a little bit of extra java and groovy code, but
 otherwise it was quite simple to install and configure, quite easy to
 use, and sufficient for our needs.

 From things I had seen on the list since I did that installation, I
 had gotten the impression that it had gotten even easier to install
 and configure, better integrated with CAS, put into its own
 complete package (e.g., part of the Unicon cas-addons packages), and
 more functional.  So it seemed like a no-brainer to use it again.  And
 I thought it'd be very easy to find and install.  But that doesn't
 seem to be the way things are going.

 For instance, when I go to this page:

 https://github.com/Unicon/cas-addons/

 There's a NOTICE that states:

  ... 1.x series of cas-addons is not supported on CAS 4.x. For CAS
  4.x support look for the upcoming series of micro addons libraries
  grouped by distinct features in upcoming months.

 So I follow the link for the micro addons:

 https://github.com/unicon-cas-addons

 There's no json services registry package there.  But there is one for
 yaml, so I have a look at that:

 https://github.com/unicon-cas-addons/cas-addon-yaml-services-registry

 This one states:

  This library replaces cas-addons 1.x JSON ServiceRegistry and serves
  as an alternative to the new JSON Service Registry in CAS core version
  4.1.

 CAS core version 4.1

Re: [cas-user] JSON implementation of ticket/service registry w/ UNICON plug in

2014-11-19 Thread Linda Toth
Thanks folks

Linda



On Tue, Nov 18, 2014 at 2:08 PM, Dmitriy Kopylenko dkopyle...@unicon.net
wrote:

 Well, the hook is there (Spring Application Event representing the JSON
 file resource change if it's properly configured in the app ctx):
 https://github.com/Unicon/cas-addons/blob/master/src/main/java/net/unicon/cas/addons/support/ResourceChangeDetectingEventNotifier.java#L39

 So, I'd imagine it'd be possible to implement a listener for this event to
 kick off some external sync. process, etc.

 This is how the dynamic runtime reloading of services is implemented.

 Cheers,
 Dmitriy.

 Sent from my iPhone

 On Nov 18, 2014, at 17:50, Chris Peck crp...@email.wm.edu wrote:

 It does not. You would have to sync it some other way.
 It would be handy if there was a hook to kick off an external program when
 it writes out changes.
 Since there are a few of us doing this and changes are rare we do it
 manually.

 -sent from my mobile
 On Nov 18, 2014 2:54 PM, Linda Toth ltt...@alaska.edu wrote:

 Hello

 Does the JSON plug-in from UNICON provide the same level of
 synchronization across multiple servers that using a DB would?

 Linda



[cas-user] JSON implementation of ticket/service registry w/ UNICON plug in

2014-11-18 Thread Linda Toth
Hello

Does the JSON plug-in from UNICON provide the same level of synchronization
across multiple servers that using a DB would?

Linda



Re: [cas-user] DUO Security with Shib integration

2014-09-19 Thread Linda Toth
Michael,

Thanks for sending this link.  It did not pop when I searched.  I thought
MFA had been mentioned at the Apereo conference this summer, but it was in
passing.

Let me read this documentation.  I am definitely interested.  Thank you so
much.

Linda



On Thu, Sep 18, 2014 at 8:02 PM, Michael A Grady mgr...@unicon.net wrote:

 Linda, have you looked at the CAS-MFA work which you can find here:

   https://github.com/Unicon/cas-mfa

 That has been funded work (by the MFA Cohortium) to expand on previous
 CAS/MFA work (for Evergreen State), and provide functionality for CAS
 similar to what the Multi-Context Broker (MCB) does for the Shibboleth IdP.
 (Of course, you have that at Alaska.) I.e. try to significantly lower the
 threshold of work it takes to integrate a particular MFA technology into
 CAS, and provide flexible ways to trigger it (by service, by individual,
 etc.) That work, and its documentation, is currently being vetted by the
 University of Utah. But additional vetters ;-) would be most welcome. It
 includes a connector for Duo, and a connector for Toopher has been
 discussed.

 It would be a different conversation to consider having the CAS Server
 defer authentication to the Shib IdP, where the IdP has the MCB. Certainly
 one could look into the 'install a Shib SP and use the TrustedAuth
 login handler' approach that was discussed in an email thread that
 contained the following:

 http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind1304&L=IDM&D=0&P=14972

 If you got the Shib SP to send the needed authentication context in the
 authn request, you could force it for a given service. But it wouldn't work
 as well if you wanted to require MFA by individual, because you'd already
 need username/password to happen before you could look up whether this
 person was required to do MFA. Then they'd have to redo it for the IdP.
 (Unless you get circular and have the IdP then defer to CAS for
 username/password, but trying to think thru whether that could work
 smoothly would make my head hurt. Would clearly need to delineate between
 services at the CAS Server so that when sent there from the IdP, you didn't
 try and start the MFA loop over again.)

 On Sep 17, 2014, at 8:08 PM, Linda Toth ltt...@alaska.edu wrote:

 Hi
 I searched the list archives, but it yielded only one pertinent posting.

 Has anyone integrated CAS to Shib when Shib has been integrated to Duo
 Security? What experience do folks have with Duo Security or any type of
 multi-factor product with CAS - even if not integrated to Shib?

 Linda

 --
 Linda Toth
 University of Alaska - Office of Information Technology (OIT) - Identity
 and Access Management
 910 Yukon Drive, Suite 103
 Fairbanks, Alaska 99775
 Tel: 907-450-8320
 Fax: 907-450-8381
 linda.t...@alaska.edu | www.alaska.edu/oit/




 --
 Michael A. Grady
 Senior IAM Consultant, Unicon, Inc.


[cas-user] DUO Security with Shib integration

2014-09-17 Thread Linda Toth
Hi
I searched the list archives, but it yielded only one pertinent posting.

Has anyone integrated CAS to Shib when Shib has been integrated to Duo
Security? What experience do folks have with Duo Security or any type of
multi-factor product with CAS - even if not integrated to Shib?

Linda

--
Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/


Re: [cas-user] Possible cause of 500 - Internal server error

2014-09-11 Thread Linda Toth
We normally receive that error when the user is authenticated, but not
authorized to use the target application.  In the case of Banner, e.g.,
that application seeks an attribute called the UDC Identifier which is used
to establish role permissions for the various Banner applications.  Once
authenticated, our LDAP returns that attribute.  A similar failure would
occur if any attribute the target application is seeking has not been gathered
from the authentication source.

Linda

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/


On Thu, Sep 11, 2014 at 7:13 AM, Michelle Zhang michelle.zh...@fandm.edu
wrote:

 I'm using ASP.Net and just started to use CAS.

 On my local machine, after authenticated by the CAS log in page, I'm not
 re-directed back to my default url but get this 500 - Internal server error
 message.

 On the webserver, if I type the website url on browser, I'm not
 re-directed to the CAS log in page but just get 500 - Internal server error
 directly.

 Anyone know why that is?



 Michelle michelle.zh...@fandm.edu


[cas-user] Integration of CAS to Shib already configured for two factor OAuth

2014-06-27 Thread Linda Toth
Good morning

With the help of a consultant, we recently implemented OAuth 2 for
Shibboleth.  We will be promoting it this weekend.  Right now, Shibboleth
and CAS are not integrated, but our users are showing confusion in which
application is handling their authentication requests.  My intention is to
integrate them using the UNICON solution with CAS as the authenticator for
both CAS and Shib, but each handling their own attribute resolution and
filtering.

Does anyone have experience with the way in which two factor capability in
shibboleth affects CAS as the primary authenticator?

Linda

-- 
Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/


[cas-user] Banner/CAS users - need some feedback

2014-06-11 Thread Linda Toth
Hello

I'd appreciate it if any CAS implementers for Banner SSO out there would
contact me directly regarding their handling of logout.  We need some
statistics and comparisons for our computer base.

Feel free to use the contact information below rather than posting to the
list.

   - How is your institution handling the lingering session browsers that
   could reveal Banner FERPA related data?
   - What is your FERPA policy re: university obligations in the matter?
   - Have you found any particular configuration steps on the Banner side
   that augment your policy?
   - Anything else you'd like to share


Linda

--
Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/


Re: [cas-user] multiple auth sources?

2014-06-08 Thread Linda Toth
If you haven't seen it, this site gives examples:

http://jasig.275507.n4.nabble.com/CAS-Multiple-BindLdapAuthenticationHandler-td2133071.html

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/



On Sun, May 11, 2014 at 8:48 AM, Richard Frovarp richard.frov...@ndsu.edu
wrote:

 We had that situation. How you handle it is going to depend on your
 situation. My best advice is to avoid the situation at all costs.

 If the two authentication sources are mutually exclusive, and there is
 absolutely no potential for username overlap (at least when it is a
 different person), then you can configure one CAS server for both auth
 sources.

 If there is any chance that the same username might be in both (or more)
 systems but represent a different person, I would have a separate CAS
 server for each one. The follow on challenge is that each application would
 need to have as many login links as there are CAS auth sources for that
 application. At this point in time we have three CAS servers running, going
 against three different authentication sources. Now each one serves vastly
 different user populations, and the login pages are branded appropriately.
 None of the systems guarantee that if the username is the same, the user is
 the same. Two will for a certain username format (both are driven from the
 same IAM), but local accounts might not line up.


 On Sun, May 11, 2014 at 7:16 AM, wallace wallace.neik...@wright.edu
 wrote:

 Does any other university have this situation -- multiple auth sources?
 How do you handle it ...
 *1 cas server config'd for both auth sources?
 *2 separate cas servers each config'd for its auth source?

 Help greatly appreciated.
 Thanks.


Re: [cas-user] JDBC issues with CAS

2014-06-06 Thread Linda Toth
Hello

Hopefully someone who uses MS JDBC drivers can respond too. You said you
loaded the appropriate jars and by that I assume you have the
commons-dbcp.jar in the WEB-INF/lib? I usually receive this error under two
conditions:  I don't actually have the jar needed in the library or I have
not formed the xml correctly .. it meets tomcat's once through, so no
errors are thrown in catalina.out, but the nesting is off - something like
that.

I can't tell without seeing the entire file, but I would be happy to look
at it if you haven't sorted it out yet.

Linda

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/



On Thu, Jun 5, 2014 at 9:08 AM, Troy McComas tmcco...@sbts.edu wrote:

 Using Ubuntu with MS SQL Server (Microsoft's JDBC drivers)

 Deployed the packaged WAR (uber-webapp) to Tomcat.

 Included the appropriate JARs in the webapp/WEB-INF/lib directory.

 Added the following to the deploy xml file:

 <bean id="SearchModeSearchDatabaseAuthenticationHandler"
       class="org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler"
       abstract="false" singleton="true" lazy-init="default"
       autowire="default" dependency-check="default">
   <property name="tableUsers">
     <value>Users</value>
   </property>
   <property name="fieldUser">
     <value>user_name</value>
   </property>
   <property name="fieldPassword">
     <value>password</value>
   </property>
   <property name="dataSource" ref="dataSource" />
 </bean>

 <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
   <property name="driverClassName">
     <value>com.microsoft.sqlserver.jdbc.SQLServerDriver</value>
   </property>
   <property name="url">
     <value>jdbc:sqlserver://icsdata:3291;databaseName=TmsEprd</value>
   </property>
   <property name="username">
     <value>(OUR USER)</value>
   </property>
   <property name="password">
     <value>(OUR PASS)</value>
   </property>
 </bean>

 --

 I keep receiving the following error, even after dropping the commons in
 the lib folder under the Tomcat webapp's directory:

 The Spring ContextLoaderListener we wrap threw on contextInitialized.

 But for our having caught this error, the web application context would
 not have initialized.

 org.springframework.beans.factory.BeanCreationException: Error creating
 bean with name 'centralAuthenticationService' defined in ServletContext
 resource [/WEB-INF/spring-configuration/applicationContext.xml]: Cannot
 resolve reference to bean 'authenticationManager' while setting bean
 property 'authenticationManager'; nested exception is
 org.springframework.beans.factory.BeanCreationException: Error creating
 bean with name 'authenticationManager' defined in ServletContext resource
 [/WEB-INF/deployerConfigContext.xml]: Cannot create inner bean
 'SearchModeSearchDatabaseAuthenticationHandler' of type
 [org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler]
 while setting bean property 'authenticationHandlers' with key [0]; nested
 exception is org.springframework.beans.factory.BeanCreationException: Error
 creating bean with name 'SearchModeSearchDatabaseAuthenticationHandler'
 defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]:
 Cannot resolve reference to bean 'dataSource' while setting bean property
 'dataSource'; nested exception is
 org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find
 class [org.apache.commons.dbcp.BasicDataSource] for bean with name
 'dataSource' defined in ServletContext resource
 [/WEB-INF/deployerConfigContext.xml]; nested exception is
 java.lang.ClassNotFoundException: org.apache.commons.dbcp.BasicDataSource

 at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:328)
 at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:106)
 at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1325)
 at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1086)
 at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:517)
 at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
 at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291

Re: [cas-user] Eliminating cached return to client

2014-05-07 Thread Linda Toth
Folks,

I will try both suggestions.  It is definitely worth the effort to change
the Java if necessary.  I have been avoiding that to reduce the number of
code changes I need to investigate in the event of error.  We were still in
the honeymoon phase, i.e., our product is performing beautifully and as
expected from the technical viewpoint.

But, just as a marriage settles into the real thing - so must my
relationship with CAS.  ALAS!

Linda

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/



On Tue, May 6, 2014 at 8:48 PM, Michael Wechner michael.wech...@wyona.com wrote:

 yes I meant HTTP and I am pretty sure it will make a big difference.
 Maybe before changing your java code you can inject/test it somehow
 otherwise, e.g. with a reverse proxy ahead
 or whatever.

 HTH

 Michael

 Am 06.05.14 22:46, schrieb Linda Toth:
  Hello Michael and Richard
 
  I was blithely doing my best to ignore the suggestion that I change the
  java source.  In searching for answers, I did see that solution along
 with
  the META tags, but hoped I could resolve it in the HTML header.  Still
  doing my best to keep my head in the sand, I read HTTP as HTML (always
 the
  optimist) and convinced myself those were actually javascript invocations
  instead of java.
 
  Oh well
 
  Linda
 
  Linda Toth
  University of Alaska - Office of Information Technology (OIT) - Identity
  and Access Management
  910 Yukon Drive, Suite 103
  Fairbanks, Alaska 99775
  Tel: 907-450-8320
  Fax: 907-450-8381
  linda.t...@alaska.edu | www.alaska.edu/oit/
 
 
 
  On Tue, May 6, 2014 at 11:25 AM, Richard Frovarp richard.frov...@ndsu.edu wrote:
 
   Those are in the HTML header. The ones Michael lists need to be in the
  HTTP header. That will require changing the source code of your
  applications, or having HTTPD or whatever your webserver is inject them.
 
 
  On 05/06/2014 02:17 PM, Linda Toth wrote:
 
  The META statements I posted are in the header; I thought that would be
  sufficient, but I am more than willing to give this a try!
 
   L
 
   Linda Toth
  University of Alaska - Office of Information Technology (OIT) - Identity
  and Access Management
  910 Yukon Drive, Suite 103
  Fairbanks, Alaska 99775
   Tel: 907-450-8320
  Fax: 907-450-8381
  linda.t...@alaska.edu | www.alaska.edu/oit/
 
 
 
  On Tue, May 6, 2014 at 10:58 AM, Michael Wechner 
  michael.wech...@wyona.com wrote:
 
  Try setting the no-cache inside the HTTP header:
 
  response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
  response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
  response.setDateHeader("Expires", 0); // Proxies.
 
 
  HTH
 
  Michael
 
  Am 06.05.14 20:54, schrieb Linda Toth:
Hello
  We clearly posted a notice on our logout page explicitly telling users
  to
  close their browser (or drop the tab) after exiting a client
  application.
  We are not seeing users take advantage of that notice and instead
 have
  complaints from the registrar about the caching behavior of browsers.
  Since
  the data is private and violates FERPA in addition to leaving careless
  users vulnerable with regard to personal financial details, we are
  taking
  this seriously.
 
  We have tried applying the following META tags in both the client app
  pages
  and CAS pages to stop the browser caching with absolutely no effect
  whatsoever.  Suggestions?
  <meta http-equiv="Cache-control" content="no-cache, no-store,
  must-revalidate"/>
 
  <meta http-equiv="Pragma" content="no-cache" />
 
  <meta http-equiv="Expires" content="0" />
 
 
  Linda Toth
  University of Alaska - Office of Information Technology (OIT) -
 Identity
  and Access Management
  910 Yukon Drive, Suite 103
  Fairbanks, Alaska 99775
  Tel: 907-450-8320
  Fax: 907-450-8381
  linda.t...@alaska.edu | www.alaska.edu/oit/
 
 

[cas-user] Eliminating cached return to client

2014-05-06 Thread Linda Toth
Hello

We clearly posted a notice on our logout page explicitly telling users to
close their browser (or drop the tab) after exiting a client application.
We are not seeing users take advantage of that notice and instead have
complaints from the registrar about the caching behavior of browsers. Since
the data is private and violates FERPA in addition to leaving careless
users vulnerable with regard to personal financial details, we are taking
this seriously.

We have tried applying the following META tags in both the client app pages
and CAS pages to stop the browser caching with absolutely no effect
whatsoever.  Suggestions?

<meta http-equiv="Cache-control" content="no-cache, no-store,
must-revalidate"/>

<meta http-equiv="Pragma" content="no-cache" />

<meta http-equiv="Expires" content="0" />


Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/


Re: [cas-user] Eliminating cached return to client

2014-05-06 Thread Linda Toth
The META statements I posted are in the header; I thought that would be
sufficient, but I am more than willing to give this a try!

L

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/



On Tue, May 6, 2014 at 10:58 AM, Michael Wechner michael.wech...@wyona.com wrote:

 Try setting the no-cache inside the HTTP header:

 response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
 response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
 response.setDateHeader("Expires", 0); // Proxies.

 HTH

 Michael

 Am 06.05.14 20:54, schrieb Linda Toth:
  Hello
 
  We clearly posted a notice on our logout page explicitly telling users to
  close their browser (or drop the tab) after exiting a client application.
  We are not seeing users take advantage of that notice and instead have
  complaints from the registrar about the caching behavior of browsers.
 Since
  the data is private and violates FERPA in addition to leaving careless
  users vulnerable with regard to personal financial details, we are taking
  this seriously.
 
  We have tried applying the following META tags in both the client app
 pages
  and CAS pages to stop the browser caching with absolutely no effect
  whatsoever.  Suggestions?
 
  <meta http-equiv="Cache-control" content="no-cache, no-store,
  must-revalidate"/>
 
  <meta http-equiv="Pragma" content="no-cache" />
 
  <meta http-equiv="Expires" content="0" />
 
 
  Linda Toth
  University of Alaska - Office of Information Technology (OIT) - Identity
  and Access Management
  910 Yukon Drive, Suite 103
  Fairbanks, Alaska 99775
  Tel: 907-450-8320
  Fax: 907-450-8381
  linda.t...@alaska.edu | www.alaska.edu/oit/
 



Re: [cas-user] Eliminating cached return to client

2014-05-06 Thread Linda Toth
Hello Michael and Richard

I was blithely doing my best to ignore the suggestion that I change the
java source.  In searching for answers, I did see that solution along with
the META tags, but hoped I could resolve it in the HTML header.  Still
doing my best to keep my head in the sand, I read HTTP as HTML (always the
optimist) and convinced myself those were actually javascript invocations
instead of java.

Oh well

Linda

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/



On Tue, May 6, 2014 at 11:25 AM, Richard Frovarp richard.frov...@ndsu.edu wrote:

  Those are in the HTML header. The ones Michael lists need to be in the
 HTTP header. That will require changing the source code of your
 applications, or having HTTPD or whatever your webserver is inject them.


 On 05/06/2014 02:17 PM, Linda Toth wrote:

 The META statements I posted are in the header; I thought that would be
 sufficient, but I am more than willing to give this a try!

  L

  Linda Toth
 University of Alaska - Office of Information Technology (OIT) - Identity
 and Access Management
 910 Yukon Drive, Suite 103
 Fairbanks, Alaska 99775
  Tel: 907-450-8320
 Fax: 907-450-8381
 linda.t...@alaska.edu | www.alaska.edu/oit/



 On Tue, May 6, 2014 at 10:58 AM, Michael Wechner 
 michael.wech...@wyona.com wrote:

 Try setting the no-cache inside the HTTP header:

 response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
 response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
 response.setDateHeader("Expires", 0); // Proxies.


 HTH

 Michael

 Am 06.05.14 20:54, schrieb Linda Toth:
   Hello
 
  We clearly posted a notice on our logout page explicitly telling users
 to
  close their browser (or drop the tab) after exiting a client
 application.
  We are not seeing users take advantage of that notice and instead have

  complaints from the registrar about the caching behavior of browsers.
 Since
  the data is private and violates FERPA in addition to leaving careless
  users vulnerable with regard to personal financial details, we are
 taking
  this seriously.
 
  We have tried applying the following META tags in both the client app
 pages
  and CAS pages to stop the browser caching with absolutely no effect
  whatsoever.  Suggestions?

 
  <meta http-equiv="Cache-control" content="no-cache, no-store,
  must-revalidate"/>
 
  <meta http-equiv="Pragma" content="no-cache" />
 
  <meta http-equiv="Expires" content="0" />
 
 
  Linda Toth
  University of Alaska - Office of Information Technology (OIT) - Identity
  and Access Management
  910 Yukon Drive, Suite 103
  Fairbanks, Alaska 99775
  Tel: 907-450-8320
  Fax: 907-450-8381
  linda.t...@alaska.edu | www.alaska.edu/oit/
 



Re: [cas-user] Check authentication against several OUs

2014-04-09 Thread Linda Toth
I have used the template provided by Eric Pierce in this thread for JASIG
CAS:

http://jasig.275507.n4.nabble.com/CAS-Multiple-BindLdapAuthenticationHandler-td2133071.html

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/



On Wed, Apr 9, 2014 at 9:21 AM, John Gasper jgas...@unicon.net wrote:

  To add onto Idan's response,

 Or, if you want to exclude ou=Users3,dc=example,dc=org, you'll need to
 duplicate your authHandlers, etc with different search paths of ou=Users1
 and ou=Users2, respectively.

 --
 *John Gasper*
 IAM Consultant
 Unicon, Inc.


 On 4/9/14, 5:17 AM, Idan Fridman wrote:

 Yes,
 Modify your searchBase by not mentioning any ou's and it will automatically
 search within all the tree. (just keep the dc's)



 -Original Message-
 From: Andres [mailto:afolg...@gmail.com afolg...@gmail.com]
 Sent: Wednesday, April 09, 2014 2:32 PM
 To: cas-user@lists.jasig.org
 Subject: [cas-user] Check authentication against several OUs

 Hi, is there a way to check the user's authentication against several OUs in 
 LDAP?

 For example, I want to get a success login if the user exists in 
 ou=Users1,dc=example,dc=org OR exists in ou=Users2,dc=example,dc=org

 I'm using CAS 4.0 RC4. Thank you!

[cas-user] Heartbleed Open SSL vulnerability

2014-04-09 Thread Linda Toth
Hi

Does any component of CAS rely on any Open SSL libraries?

Linda

--
Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/


Re: [cas-user] Heartbleed Open SSL vulnerability

2014-04-09 Thread Linda Toth
Thanks - that summarizes my understanding.

In our case, that does apply.  But I then wondered about native CAS as well.

Regards,

Linda

--

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/



On Wed, Apr 9, 2014 at 11:04 AM, Carlos Fernandez cfern...@sju.edu wrote:

 IIUC, it depends on the container. In the case of Tomcat, the APR-based
 connector uses OpenSSL. Similarly, using Apache in front of Tomcat will
 bring OpenSSL into the mix as well.

 Best regards,
 --
 Carlos M. Fernández
 Sr. Enterprise Systems Admin
 Saint Joseph's University
 W: 610-660-1501
 M: 215-316-1193
 E: cfern...@sju.edu

 On Apr 9, 2014, at 14:53, Linda Toth ltt...@alaska.edu wrote:

 Hi

 Does any component of CAS rely on any Open SSL libraries?

 Linda

 --
 Linda Toth
 University of Alaska - Office of Information Technology (OIT) - Identity
 and Access Management
 910 Yukon Drive, Suite 103
 Fairbanks, Alaska 99775
 Tel: 907-450-8320
 Fax: 907-450-8381
 linda.t...@alaska.edu | www.alaska.edu/oit/


Re: [cas-user] Heartbleed Open SSL vulnerability

2014-04-09 Thread Linda Toth
We patched our backend servers yesterday and are in the process of
replacing certificates today.

We did not have openSSL certs for the front end in any case, but they are
being conservative so that anyone who already had exploited the
vulnerability would be cut off.

Right on about commercial benefits from this event.

L

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/



On Wed, Apr 9, 2014 at 11:26 AM, Rex Roof r...@wccnet.edu wrote:

 We have patched our back end OSes against openssl and we're replacing the
 purchased certificate on the front end of our CAS service.
 this openssl vulnerability is going to be a windfall for SSL CA signers!

 - Rex Roof
 WCC Systems Engineer  r...@wccnet.edu
 734-973-3478


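Carlos's point is the one a CAS deployer needs for Heartbleed: CAS itself is Java and terminates TLS through JSSE, so OpenSSL only enters the picture when the container uses Tomcat's APR/native connector or when Apache httpd (mod_ssl) sits in front. The script below is an added example, not code from this thread or from the CAS project. It reads a Tomcat server.xml and reports which SSL connectors are backed by OpenSSL, checks an `openssl version` string against the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g carries the fix), and, because RHEL 6 shipped the fix as a patched 1.0.1e build without changing the version string, also checks an rpm changelog for the CVE id. The server.xml, the file paths in it and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml; the connectors and file paths are invented.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="/etc/pki/tls/certs/cas.crt"
               SSLCertificateKeyFile="/etc/pki/tls/private/cas.key" />
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/etc/cas/keystore.jks" />
  </Service>
</Server>
"""

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"


def openssl_backed_connectors(server_xml):
    """Return (port, verdict) for each SSL-enabled <Connector>.

    "openssl": the APR/native connector is selected explicitly, so TLS is
        done by OpenSSL and the JVM's TLS stack is not involved.
    "openssl-if-tcnative-present": protocol="HTTP/1.1" lets Tomcat pick the
        APR connector when libtcnative is installed and the APR listener has
        SSLEngine on (the default); check the startup log for which one won.
    "jsse": Java's own TLS implementation; Heartbleed does not apply.
    """
    root = ET.fromstring(server_xml)
    apr_ssl_listener = any(
        listener.get("className") == APR_LISTENER
        and listener.get("SSLEngine", "on").lower() != "off"
        for listener in root.iter("Listener"))
    findings = []
    for connector in root.iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP: no TLS library in play
        protocol = connector.get("protocol", "HTTP/1.1")
        if "Apr" in protocol:
            verdict = "openssl"
        elif protocol == "HTTP/1.1" and apr_ssl_listener:
            verdict = "openssl-if-tcnative-present"
        else:
            verdict = "jsse"
        findings.append((connector.get("port"), verdict))
    return findings


_VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?")


def version_string_vulnerable(openssl_version_output):
    """True when `openssl version` output falls in the Heartbleed range
    (CVE-2014-0160): 1.0.1 through 1.0.1f, and 1.0.2-beta1.  1.0.0 and 0.9.8
    never had the heartbeat code; 1.0.1g carries the fix."""
    match = _VERSION_RE.search(openssl_version_output)
    if match is None:
        raise ValueError("not an 'openssl version' string: %r" % openssl_version_output)
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    letter, beta = match.group(4), match.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"  # "" (plain 1.0.1) and a..f affected; g and later fixed
    if (major, minor, patch) == (1, 0, 2):
        return beta == "-beta1"
    return False


def backported_fix_present(rpm_changelog):
    """Distributions backport the fix without changing the upstream version
    string (RHEL 6 shipped a patched openssl-1.0.1e build), so on those hosts
    `rpm -q --changelog openssl` is the authority, not `openssl version`."""
    return "CVE-2014-0160" in rpm_changelog


if __name__ == "__main__":
    for port, verdict in openssl_backed_connectors(SAMPLE_SERVER_XML):
        print("SSL connector on port %s: %s" % (port, verdict))
    print(version_string_vulnerable("OpenSSL 1.0.1e-fips 11 Feb 2013"))  # True
```

Run it against the real server.xml and the real `openssl version` / `rpm -q --changelog openssl` output. A "jsse" verdict on every connector does not end the review: the certificate and key still have to be replaced if the same pair was ever served by an OpenSSL-backed front end, which is the conservative position the thread describes.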

[cas-user] map construct for HttpBasedServiceCredentialsAuthenticationHandler

2014-03-14 Thread Linda Toth
Folks

In all the examples I am able to find, either the Spring list collection
is used or the constructor-arg map.

I have three Authentication Handlers, two authenticating to AD and the
third the standard HTTP Authentication Handler.  This class does not need a
principal resolver, although I have seen others pass it the
BasicPrincipalResolver class.  I do not have that class in my version of
CAS.

My thought, then, was to remove the reference to a principal resolver by
changing the entry to an entry ref .. construct.  This has been suggested
in online examples, but does not pass the parsing test during load.

How might I construct the following, such that I do not need to pass a
value to the HTTPAuthHandler, or alternately, what value could I pass in the
key-ref/value-ref combination that would be benign?

<bean id="authenticationManager"
      class="org.jasig.cas.authentication.LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager">

  <constructor-arg index="0">
    <map>
      <entry key-ref="AD-LdapAuthHandler"
             value-ref="ADLdapCredential-to-PrincipalResolver" />

      <entry key-ref="UAAuthenticator-LdapAuthHandler"
             value-ref="UAAuthenticatorLdapCredential-to-PrincipalResolver" />

      <entry ref="HTTPAuthHandler" />
    </map>
  </constructor-arg>

</bean>

Linda

--
Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/


Re: [cas-user] Plan on Attending Open Apereo 2014 Conference in Miami, FL

2014-03-12 Thread Linda Toth
Folks

So sorry about sending this out.  I thought I saw Laura's name come up on
the reply instead of the list.

I apologize profusely.



Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/



On Wed, Mar 12, 2014 at 1:15 PM, Linda Toth ltt...@alaska.edu wrote:

 Hi Laura

 In Alaska, we need to book early for these events, but I hesitate to book
 a flight until registration opens.  For example, the flight between
 Fairbanks and Orlando went up $400 in less than a month.  Right now I have
 a decent fare into Ft. Lauderdale (which precludes my visiting my husband's
 family in Orlando as part of the trip), but I need to book soon in order to
 not lose this fare.

 I think those in the Lower 48, who have multiple carriers and multiple
 flights, have less chance of dramatic increase in fares.

 Linda

 Linda Toth
 University of Alaska - Office of Information Technology (OIT) - Identity
 and Access Management
 910 Yukon Drive, Suite 103
 Fairbanks, Alaska 99775
 Tel: 907-450-8320
 Fax: 907-450-8381
 linda.t...@alaska.edu | www.alaska.edu/oit/



 On Mon, Mar 10, 2014 at 9:25 AM, Laura McCord lmcc...@ucmerced.edu wrote:

 Mark Your Calendars! The Open Apereo 2014 conference
 (http://conference.apereo.org) is June 1-4 in Miami, Florida. Here
 are just a few reasons to attend this great event:


- Share your great work with the community.
- Learn and collaborate with your peers.
- Hear about the exciting news and developments of your favorite
Apereo projects (Sakai, uPortal, uMobile, CAS, Bedework, and more!).
- One word: Miami! Visit one of the world's most popular vacation
spots.
- NEW! Attend a special Spanish Day preconference event.


 Of course, there's much more to the Open Apereo conference. Stay tuned
 for keynote, program, and registration details.

 We look forward to seeing you in Miami this summer!

 Open Apereo 2014
 Innovate! Incubate! Implement!
 June 1-4, 2014 - Miami, FL
 http://conference.apereo.org


 Sincerely,

 Ian Dolphin, Executive Director, Apereo Foundation
 Laura McCord, Open Apereo 2014 Planning Committee Chair
 Reba-Anna Lee, Open Apereo 2014 Program Committee Co-chair
 Alan Regan, Open Apereo 2014 Program Committee Co-chair


Re: [cas-user] More detailed question regarding AD + SunDS LDAP for Banner

2014-03-07 Thread Linda Toth
Thank you ..

This confirms what I was arriving at.

Our use case is that we have an AD LDAP which expires accounts based on
individual campus policy.  But the application we are configuring CAS for
provides information concerning W2 forms, transcripts, class history, etc.
They do not want to bump these people off of access for this particular
application.

Yesterday, the story changed a bit.  We had intended to use the EDIR Sun
LDAP, but were concerned about these two LDAPs not being in sync.  We
decided to use a front end program written in-house that behaves like an
LDAP repository, but actually will work as intermediary (proxy).  They use
userPrincipalName for the sAMAccountName, for example, so I think this
removes the issue of naming.


I need to pass the credentials to their proxy program, but treat it as if
it were LDAP.

Regarding Principal resolution methods, do you mean that the class
associated with the Principal Resolver for AD, in our case
org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver,
needs to differ? Perhaps something like
org.jasig.cas.authentication.principal.BasicPrincipalResolver would work, or
perhaps PersonDirectoryPrincipalResolver?

Honestly, the subtleties of which to use in this case are not immediately
clear to me since it is not a typical vendor LDAP.




Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/



On Fri, Mar 7, 2014 at 3:22 AM, Marvin Addison marvin.addi...@gmail.com wrote:

  I am not sure why Ellucian did not make use of a key-ref, but there it
 is.
  I think an explanation of why attribute filters are defined in both
 places
  would be of great help to me .. this has always been murky in my
  understanding.

 I've read your original post a couple times and I'm not entirely clear
 on the use case. I do understand, however, the need for

 LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager
 and key-ref in your case. That component is needed whenever you have
 two credential classes of the same type (UsernamePasswordCredentials
 are used to authenticate to both SunDS and AD) but you need different
 principal resolution methods. The solution is to switch on the
 authentication handler, by reference, that successfully authenticated
 the credentials. Thus the reference (key-ref) to the authentication
 handler. You're using the authentication handler to select the
 principal resolver that refers to the same directory that
 authenticated the user.

 M

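Marvin's explanation of why the linked manager and key-ref are needed (same credential class against two directories, so the resolver has to be chosen by which handler succeeded), together with the open question in the map-construct thread about what to pair with the HTTP handler and the point raised later in the page that the principal id must be unique across every identity store, is easier to reason about as a runnable model. The block below is an added example written for this page; it is not CAS code and not the Ellucian configuration. It models the dispatch rule of LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager with an AD that expires accounts, a Sun DS that does not, and the HTTP-callback handler paired with its own resolver (CAS 3.x ships HttpBasedServiceCredentialsToPrincipalResolver for that slot; the bare-uid resolvers here stand in for the LDAP attribute resolvers). The directory contents, user ids, passwords and handler names are invented, the HTTP handler only models the https requirement rather than the real callback probe, and the realm-qualifying resolver is this example's own suggestion for keeping ids unique, not a CAS component.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UsernamePasswordCredentials:
    username: str
    password: str


@dataclass(frozen=True)
class HttpBasedServiceCredentials:
    callback_url: str  # proxy callback URL a service presents to CAS


# Constructed directory contents (invented for this example).  AD expires
# accounts under campus policy; Sun DS only checks that the entry exists and
# the password matches.  The same uid appears in both stores for two people.
AD = {"tjones": {"password": "Winter2014!", "expired": True},
      "bsmith": {"password": "Hunter2", "expired": False}}
SUNDS = {"tjones": {"password": "old-pass-99", "uaIdentifier": "30012345"}}


class BindLdapAuthHandler:
    """Stand-in for BindLdapAuthenticationHandler: bind as the user against one
    directory.  Supports UsernamePasswordCredentials only."""

    def __init__(self, name, directory, honour_expiry):
        self.name, self.directory, self.honour_expiry = name, directory, honour_expiry

    def supports(self, cred):
        return isinstance(cred, UsernamePasswordCredentials)

    def authenticate(self, cred):
        entry = self.directory.get(cred.username)
        if entry is None or entry["password"] != cred.password:
            return False
        return not (self.honour_expiry and entry.get("expired"))  # AD refuses expired binds


class HttpBasedServiceAuthHandler:
    """Stand-in for HttpBasedServiceCredentialsAuthenticationHandler; models only
    the https requirement on the callback URL, not the actual HTTP probe."""
    name = "HTTPAuthHandler"

    def supports(self, cred):
        return isinstance(cred, HttpBasedServiceCredentials)

    def authenticate(self, cred):
        return cred.callback_url.startswith("https://")


def uid_resolver(cred):
    return cred.username  # bare uid as principal id, as the thread's configs do


def http_resolver(cred):
    return cred.callback_url  # CAS's resolver for this credential type uses the callback URL


def realm_qualified(resolver, realm):
    """Wrap a resolver so the principal id records the directory it came from;
    this is the example's own device for keeping ids unique across stores."""
    return lambda cred: "%s@%s" % (resolver(cred), realm)


class LinkedAuthenticationManager:
    """Models the linked manager: handlers are tried in map order (Spring's
    <map> keeps declaration order); the first one that supports the
    credentials and authenticates them selects the resolver it is linked to,
    so the principal comes from the directory that verified the password."""

    def __init__(self, linked):
        self.linked = linked  # ordered (handler, resolver) pairs, like the <map> entries

    def authenticate(self, cred):
        supported = False
        for handler, resolver in self.linked:
            if not handler.supports(cred):
                continue
            supported = True
            if handler.authenticate(cred):
                return handler.name, resolver(cred)
        if supported:
            raise PermissionError("bad credentials")
        raise TypeError("unsupported credentials: %s" % type(cred).__name__)


AD_HANDLER = BindLdapAuthHandler("AD-LdapAuthHandler", AD, honour_expiry=True)
SUNDS_HANDLER = BindLdapAuthHandler("SunDS-LdapAuthHandler", SUNDS, honour_expiry=False)
HTTP_HANDLER = HttpBasedServiceAuthHandler()

# AD first, Sun DS as the fallback that still admits expired users, and the
# HTTP callback handler with its own resolver (the layout the thread wants).
NAIVE_MANAGER = LinkedAuthenticationManager([
    (AD_HANDLER, uid_resolver), (SUNDS_HANDLER, uid_resolver), (HTTP_HANDLER, http_resolver)])

# Same handlers, but each directory's resolver tags the id with its realm.
QUALIFIED_MANAGER = LinkedAuthenticationManager([
    (AD_HANDLER, realm_qualified(uid_resolver, "ad")),
    (SUNDS_HANDLER, realm_qualified(uid_resolver, "sunds")),
    (HTTP_HANDLER, http_resolver)])


def login(manager, username, password):
    """(handler name, principal id) on success, None when every handler rejects."""
    try:
        return manager.authenticate(UsernamePasswordCredentials(username, password))
    except PermissionError:
        return None


def proxy_callback(manager, url):
    """Principal id for an HTTP callback credential, or None when rejected."""
    try:
        return manager.authenticate(HttpBasedServiceCredentials(url))[1]
    except PermissionError:
        return None


if __name__ == "__main__":
    print(login(NAIVE_MANAGER, "tjones", "Winter2014!"))      # None: expired in AD, wrong for Sun DS
    print(login(NAIVE_MANAGER, "tjones", "old-pass-99"))      # ('SunDS-LdapAuthHandler', 'tjones')
    print(login(QUALIFIED_MANAGER, "tjones", "old-pass-99"))  # ('SunDS-LdapAuthHandler', 'tjones@sunds')
```

The second and third calls show the problem Marvin raises: with bare uids, the Sun DS "tjones" comes out with exactly the id the AD "tjones" would have had, and a service that authorizes on the id alone cannot tell the two people apart. Whether to qualify the id, or instead to guarantee by policy that the uid spaces never overlap, is a decision to make before the fallback directory goes live.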

Re: [cas-user] More detailed question regarding AD + SunDS LDAP for Banner

2014-03-07 Thread Linda Toth
Marvin, et al

Sorry, I picked the wrong Principal Resolver bean to ask about.

The configuration Ellucian uses is

PrincipalBearingCredentialsToPrincipalResolver,
CredentialsToLDAPAttributePrincipalResolver, and then within that
UsernamePasswordCredentialsToPrincipalResolver.

I think the CredentialsToLDAPAttributePrincipalResolver is the one that
must be different for multiple LDAPs.

Is that right?

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/




[cas-user] Memory leak in 3.4.2.1

2014-03-05 Thread Linda Toth
Hello

We are running CAS on RHEL6.  We have found that if we replace the cas.war
file w/o stopping tomcat and then restarting it, a memory leak is thrown
because other threads are not cleared.  The following is a typical log
message:

INFO: Stopping service Catalina

Feb 26, 2014 1:49:10 PM org.apache.catalina.loader.WebappClassLoader
clearReferencesJdbc

SEVERE: A web application registered the JBDC driver
[oracle.jdbc.driver.OracleDriver] but failed to unregister it when the web
application was stopped. To prevent a memory leak, the JDBC Driver has been
forcibly unregistered.

Feb 26, 2014 1:49:10 PM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads

SEVERE: A web application appears to have started a thread named [Timer-0]
but has failed to stop it. This is very likely to create a memory leak.

Feb 26, 2014 1:49:10 PM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads

SEVERE: A web application appears to have started a thread named
[scheduler_Worker-1] but has failed to stop it. This is very likely to
create a memory leak.

Feb 26, 2014 1:49:10 PM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads

SEVERE: A web application appears to have started a thread named
[scheduler_Worker-2] but has failed to stop it. This is very likely to
create a memory leak.


   - Does anyone else have this issue?
   - To anyone's knowledge, is it specific to RHEL6?
   - Does anyone know where the memory leak occurs, or has anyone modified
   the CAS source and rebuilt the jar for it?


Linda

--
Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/


Re: [cas-user] Memory leak in 3.4.2.1

2014-03-05 Thread Linda Toth
Marvin,

Thank you.  I do typically perform the operation in three steps:

$ service tomcat6 stop
$ cp cas.war target directory
$ service tomcat6 start

This time I forgot to stop the service and instead did the following:

$ cp cas.war target directory
$ service tomcat6 restart

It seems to me that it should stop the service fully and then start it, but
apparently not.

Thanks


Linda

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/



On Wed, Mar 5, 2014 at 10:21 AM, Marvin Addison marvin.addi...@gmail.com wrote:

  SEVERE: A web application registered the JBDC driver
  [oracle.jdbc.driver.OracleDriver] but failed to unregister it when the
 web
  application was stopped. To prevent a memory leak, the JDBC Driver has
 been
  forcibly unregistered.

 Oracle components are known to produce that error and it's not related
 to CAS other than you're using that driver in a storage component used
 by CAS. I'm not aware of a workaround that would prevent the error
 altogether. I believe many if not most deployers are in the habit of
 starting and stopping the container on application restarts, which
 makes the error innocuous and it can be safely ignored. If, on the
 other hand, you deploy CAS with other applications in the same
 container you could run out of PermGen space if not for Tomcat
 unloading the class by force.

 M


[cas-user] More detailed question regarding AD + SunDS LDAP for Banner

2014-03-05 Thread Linda Toth
Folks,

I am sorry to post so much detail, but I am not entirely sure why I have
the repetitive elements in the prescribed changes to
deployerConfigContext.xml by Banner, which in turn are causing me to feel
uncertain of where to place entry key-ref .. statements.

Ellucian repeats the filters for a principal identity in two places and
adds beans for credential resolution.  Because of their very explicit
instructions for implementation, I am not sure I can replace the
Authentication Manager Class. I provide an excerpt here:

*Authentication Manager & Authentication Handler*

<bean id="authenticationManager"
      class="org.jasig.cas.authentication.AuthenticationManagerImpl">

  <property name="credentialsToPrincipalResolvers">
    <list>
      <bean class="org.jasig.cas.adaptors.trusted.authentication.principal.PrincipalBearingCredentialsToPrincipalResolver" />

      <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
        <property name="credentialsToPrincipalResolver">
          <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
        </property>
        <property name="filter"
                  value="(|(sAMAccountName=%u)(uaIdentifier=%u))" />
        <property name="principalAttributeName"
                  value="sAMAccountName" />
        <property name="searchBase"
                  value="${ad.userBindAuthHandler.searchBase}" />
        <property name="attributeRepository">
          <ref bean="attributeRepository" />
        </property>
      </bean>
    </list>
  </property>

  <property name="authenticationHandlers">
    <list>
      <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
            p:httpClient-ref="httpClient" />

      <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
        <property name="filter"
                  value="(|(sAMAccountName=%u)(uaIdentifier=%u))" />

ETC ...

I want to move to the following, but now that I am revisiting this issue, I
don't understand why Ellucian is providing two filters in this way.  I have
gone back through the JASIG-CAS documentation, and it addresses the situation
by giving examples with attribute filters in the authentication handlers
only:

<bean id="authenticationManager"
      class="org.jasig.cas.authentication.LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager">

  <constructor-arg index="0">
    <map>
      <entry key-ref="SunDS-LdapAuthHandler"
             value-ref="UsernameCredentialtoPrincipalResolver" />

      <entry key-ref="AD-LdapAuthHandler"
             value-ref="LdapCredentialtoPrincipalResolver" />

      <entry key-ref="HTTPAuthHandler"
             value-ref="HTTPCredentialtoPrincipalResolver" />
    </map>
  </constructor-arg>

</bean>

<bean id="SunDS-LdapAuthHandler"
      class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
  <property name="filter" value="(uid=%u)" />
  <property name="searchBase" value="ou=usf,o=usf.edu" />
  <property name="contextSource" ref="SunDS-LdapAuthcontext" />
</bean>

<bean id="UsernameCredentialtoPrincipalResolver"
      class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
  <property name="attributeRepository" ref="attributeRepository" />
</bean>

<bean id="AD-LdapAuthHandler"
      class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
  <property name="filter" value="(proxyaddresses=SMTP:%u)" />
  <property name="searchBase" value="DC=usf,DC=edu" />
  <property name="contextSource" ref="AD-LdapAuthcontext" />
  <!-- fix for how AD returns results -->
  <property name="ignorePartialResultException" value="yes" />
</bean>





Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/


Re:[cas-user] More detailed question regarding AD + SunDS LDAP for Banner

2014-03-05 Thread Linda Toth
Folks,

I have been thinking this over and it seems to me the substitution will do
the same thing as what Ellucian repeats in the Authentication Manager.
Please correct me if I am wrong.

I am not sure why Ellucian did not make use of a key-ref, but there it is.
I think an explanation of why attribute filters are defined in both places
would be of great help to me .. this has always been murky in my
understanding.

If I replace the class for the Authentication Manager, I am still not sure
if the interaction between
LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager
and PrincipalBearingCredentialsToPrincipalResolver affect outcome.  In
other words, are there some undercover dependencies?


Thanks

Linda



Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/




Re: [cas-user] How to get unsuccessful login information

2014-02-27 Thread Linda Toth
First, I would be interested in seeing your configuration template for
syslog.  Secondly, would LPPE give you more of the information you seek?

https://wiki.jasig.org/pages/viewpage.action?pageId=26149328



Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/



On Wed, Feb 26, 2014 at 6:20 AM, Mosior, Benjamin bemos...@ship.edu wrote:

  Syslog configuration is definitely something to investigate. We
 configured our CAS instances to log to syslog, which forwards on to a
 Fluentd/Kibana[1] installation for visualization. We defined a few custom
 queries to find AUTHENTICATION_SUCCESS and AUTHENTICATION_FAILED
 messages, so now we have pretty graphs[2] to keep track of which nodes and
 users are failing authentication.



 [1] http://docs.fluentd.org/articles/free-alternative-to-splunk-by-fluentd

 [2] http://webspace.ship.edu/bemosior/CAS/kibana_cas.png



 -Ben



 *From:* Rex Roof [mailto:r...@wccnet.edu]
 *Sent:* Wednesday, February 26, 2014 9:02 AM
 *To:* cas-user@lists.jasig.org
 *Cc:* Riccardo Mura
 *Subject:* Re: [cas-user] How to get unsuccessful login information



 would it be possible to have it log via syslog?  then you could redirect
 it to another server.






[cas-user] Multiple authenticators of differing LDAP type

2014-02-27 Thread Linda Toth
Hello

I have been reviewing the documentation for multiple authentication
handlers.  Both examples use AD as the LDAP, but we wish to use AD for one
and OpenLDAP or SUN LDAP for the other.

I don't see anything that suggests one would preclude the other, but am
checking for any specific thing I need to watch for or take into account.

Linda

--
Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/


Re: [cas-user] How to get unsuccessful login information

2014-02-27 Thread Linda Toth
Thank you

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/



On Thu, Feb 27, 2014 at 11:32 AM, Mosior, Benjamin bemos...@ship.edu wrote:

  The below configuration reflects an environment using CAS 3.5.x and
 Tomcat 6. Your mileage may vary.



 log4j.xml:

 <!-- Add a Syslog appender -->
 <appender name="syslog" class="org.apache.log4j.net.SyslogAppender">
   <param name="Facility" value="local0"/>
   <param name="SyslogHost" value="127.0.0.1"/>
   <param name="Threshold" value="INFO"/>
   <layout class="org.apache.log4j.PatternLayout">
     <param name="ConversionPattern" value="%d %p [%c] - %m%n"/>
   </layout>
 </appender>



 The various parameters above should be updated to reflect your environment.



 More information on CAS logging:
 https://wiki.jasig.org/display/CASUM/Logging



 -Ben





 *From:* Linda Toth [mailto:ltt...@alaska.edu]
 *Sent:* Thursday, February 27, 2014 2:49 PM
 *To:* cas-user@lists.jasig.org

 *Subject:* Re: [cas-user] How to get unsuccessful login information



 First, I would be interested in seeing your configuration template for
 syslog.  Secondly, would LPPE give you more of the information you seek?



 https://wiki.jasig.org/pages/viewpage.action?pageId=26149328






   Linda Toth
 University of Alaska - Office of Information Technology (OIT) - Identity
 and Access Management

 910 Yukon Drive, Suite 103

 Fairbanks, Alaska 99775

 Tel: 907-450-8320

 Fax: 907-450-8381

 linda.t...@alaska.edu | www.alaska.edu/oit/







  --

 You are currently subscribed to cas-user@lists.jasig.org as: ltt...@alaska.edu
 To unsubscribe, change settings or access archives, see 
 http://www.ja-sig.org/wiki/display/JSG/cas-user



-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
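Once the SyslogAppender above is in place, the failed-login information Linda asked about arrives at the syslog host as CAS audit-trail records, and the useful step is to run detection over them rather than just collect them. The following is an added example, not code from this thread or from CAS: a parser for records in the log4j pattern Ben shows, a sliding-window count of AUTHENTICATION_FAILED events per user and per client address, and a check for a success that follows a run of failures from the same address. The record layout (WHO, WHAT, ACTION, CLIENT IP ADDRESS lines between rules of "=") is the inspektr audit format that CAS 3.x writes, reproduced from memory and therefore an assumption, as are the logger name, user names, addresses and timestamps in the constructed sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# log4j prefix from the pattern "%d %p [%c] - %m%n" on the first line of a record.
# The timestamp is taken from here, not from the record's WHEN line, whose
# timezone abbreviation strptime cannot parse reliably.
BEGIN_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \w+ \[[^\]]+\] - Audit trail record BEGIN$")
FIELD_RE = re.compile(r"^([A-Z][A-Z ]+): (.*)$")   # e.g. "ACTION: AUTHENTICATION_FAILED"
TS_FMT = "%Y-%m-%d %H:%M:%S,%f"

def _record(ts, who, action, ip):
    """One constructed audit record in the (assumed) inspektr layout."""
    return "\n".join([
        f"{ts} INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN",
        "=" * 61,
        f"WHO: {who}",
        f"WHAT: supplied credentials: [username: {who}]",
        f"ACTION: {action}",
        "APPLICATION: CAS",
        f"CLIENT IP ADDRESS: {ip}",
        "SERVER IP ADDRESS: 10.0.0.5",
        "=" * 61,
    ])

# Constructed sample: three failures for tjones from one address, then a success
# from the same address, plus an unrelated failure and success for bsmith.
SAMPLE_LOG = "\n".join([
    _record("2014-02-27 11:30:01,001", "tjones", "AUTHENTICATION_FAILED", "203.0.113.7"),
    _record("2014-02-27 11:30:12,410", "tjones", "AUTHENTICATION_FAILED", "203.0.113.7"),
    _record("2014-02-27 11:30:25,002", "bsmith", "AUTHENTICATION_FAILED", "198.51.100.9"),
    _record("2014-02-27 11:30:44,777", "tjones", "AUTHENTICATION_FAILED", "203.0.113.7"),
    _record("2014-02-27 11:31:03,150", "tjones", "AUTHENTICATION_SUCCESS", "203.0.113.7"),
    _record("2014-02-27 11:40:00,000", "bsmith", "AUTHENTICATION_SUCCESS", "198.51.100.9"),
])

def parse_audit_records(text):
    """Return one dict per record: its FIELD: value lines plus 'ts' as a datetime."""
    records, current = [], None
    for line in text.splitlines():
        begin = BEGIN_RE.match(line)
        if begin:
            current = {"ts": datetime.strptime(begin.group(1), TS_FMT)}
            continue
        if current is None:
            continue                      # noise between records
        if line.startswith("===="):
            if len(current) > 1:          # second rule closes the record
                records.append(current)
                current = None
            continue                      # first rule: keep collecting fields
        field = FIELD_RE.match(line)
        if field:
            current[field.group(1)] = field.group(2)
    return records

def failed_login_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """{('WHO', user) | ('CLIENT IP ADDRESS', ip): max failures inside any sliding
    window} for keys that reach the threshold. Per-user counts catch guessing at one
    account; per-address counts catch one source spraying many accounts."""
    failures = defaultdict(list)
    for r in records:
        if r.get("ACTION") != "AUTHENTICATION_FAILED":
            continue
        for key in ("WHO", "CLIENT IP ADDRESS"):
            if key in r:
                failures[(key, r[key])].append(r["ts"])
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = max(alerts.get(key, 0), end - start + 1)
    return alerts

def successes_after_failures(records, min_failures=3, window=timedelta(minutes=5)):
    """(user, ip, failures) for each success preceded, within the window and from the
    same address, by at least min_failures failures for that user: a guess that landed."""
    hits = []
    ordered = sorted(records, key=lambda r: r["ts"])
    for i, r in enumerate(ordered):
        if r.get("ACTION") != "AUTHENTICATION_SUCCESS":
            continue
        prior = [p for p in ordered[:i]
                 if p.get("ACTION") == "AUTHENTICATION_FAILED"
                 and p.get("WHO") == r.get("WHO")
                 and p.get("CLIENT IP ADDRESS") == r.get("CLIENT IP ADDRESS")
                 and r["ts"] - p["ts"] <= window]
        if len(prior) >= min_failures:
            hits.append((r["WHO"], r["CLIENT IP ADDRESS"], len(prior)))
    return hits

if __name__ == "__main__":
    recs = parse_audit_records(SAMPLE_LOG)
    print(len(recs), "records")
    print("bursts:", failed_login_bursts(recs))
    print("successes after failures:", successes_after_failures(recs))
```

The per-address count matters as much as the per-user one: a spray across many accounts never trips a per-user threshold, and the success-after-failures check is the one worth paging on, since the failures alone only say someone tried.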

Re: [cas-user] Multiple authenticators of differing LDAP type

2014-02-27 Thread Linda Toth
Marvin

The situation is that users expire in AD and Sun LDAP, but SunLDAP will
grant access to users, as long as they exist and the password is correct.

For one of our services, this is a desirable feature.  We want to fail over
to Sun LDAP if the former student is attempting to access their Banner
records to request a transcript, for example, or print a W2 form.

The general consensus is let them authenticate, but if they are not
authorized, the client will prohibit that access.  Personally, I feel we
are swimming in murky waters without a full understanding of how all of our
authentication/authorization systems interact.  Alaskans are very
independent in geneHaving said that, we are using CAS only for
authentication to  Ellucian Banner Products - at this time.

Linda

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/



On Thu, Feb 27, 2014 at 11:33 AM, Marvin Addison marvin.addi...@gmail.com
wrote:

  I have been reviewing the documentation for multiple authentication
  handlers.  Both examples use AD as the LDAP, but we wish to use AD for one
  and OpenLDAP or SUN LDAP for the other.

 There's an important requirement that the principal is globally unique
 across all identity stores. That's more a security policy concern than
 technology, but an important one nonetheless. If you're unclear the
 reason for the requirement, hopefully considering the following
 question will make it clear. Given the user tjones in both AD and
 OpenLDAP, how would a service distinguish which one is granted access
 if authorization is based on user ID alone? You'd need to take great
 care to define strict authorization requirements if you can't assume
 globally unique principals.

 M



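Marvin's requirement that principals be globally unique across identity stores is something a deployer can check before wiring in the second store, and it also dictates how service-side authorization has to be written. The block below is an added example, not code from this thread or from CAS: the two uid sets are constructed, the store names "ad" and "openldap" and the realm-qualified form uid@store are assumptions. It reports every uid present in more than one store, and its authorization check fails closed when an ACL entry is a bare uid that collides, instead of guessing which tjones was meant.

```python
from collections import defaultdict

# Constructed sample: the uid values exported from each identity store that CAS
# would authenticate against. Store names and user names are assumptions.
STORES = {
    "ad": {"tjones", "asmith", "rlee"},
    "openldap": {"tjones", "mkim", "rlee"},
}

def find_principal_collisions(stores):
    """{uid: [store, ...]} for every uid that exists in more than one store.
    An empty result is the precondition for authenticating against all of them."""
    seen = defaultdict(set)
    for store, uids in stores.items():
        for uid in uids:
            seen[uid].add(store)
    return {uid: sorted(s) for uid, s in seen.items() if len(s) > 1}

def qualify(uid, store):
    """Realm-qualify a principal so tjones from AD and tjones from OpenLDAP become
    distinct identifiers (tjones@ad vs tjones@openldap)."""
    return f"{uid}@{store}"

def grant_decision(uid, authenticated_store, acl, stores):
    """Authorization for a user that `authenticated_store` just accepted.
    `acl` is the set of principals allowed on a service, each written either in the
    qualified form 'uid@store' or as a bare uid. Returns (allowed, reason).
    A bare entry only counts when the uid is unambiguous across stores; for a
    colliding uid the decision is a deny rather than a guess."""
    collisions = find_principal_collisions(stores)
    qualified = qualify(uid, authenticated_store)
    if qualified in acl:
        return True, f"exact match on {qualified}"
    if uid in acl:
        if uid in collisions:
            return False, f"bare entry '{uid}' is ambiguous across {collisions[uid]}"
        return True, f"unambiguous bare entry '{uid}'"
    return False, f"no entry for {qualified}"

# Constructed ACL for one service: a bare entry for a colliding name (the trap),
# a bare entry for a unique name, and a properly qualified entry.
SERVICE_ACL = {"tjones", "mkim", "rlee@ad"}

if __name__ == "__main__":
    print("collisions:", find_principal_collisions(STORES))
    for uid, store in (("tjones", "openldap"), ("tjones", "ad"),
                       ("mkim", "openldap"), ("rlee", "ad"), ("rlee", "openldap")):
        print(uid, store, grant_decision(uid, store, SERVICE_ACL, STORES))
```

Note that the AD tjones is denied as well: the defect is the unqualified ACL entry, and the fix is to rewrite it as tjones@ad or tjones@openldap, not to let one store win by handler order.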

Re: [cas-user] About authentication handlers

2014-01-24 Thread Linda Toth
Perhaps if you post the configuration for the form that contains your
authentication handlers, why it is not choosing an alternative can be
spotted.

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
907-450-8320
Fairbanks, Alaska 99775
linda.t...@alaska.edu | www.alaska.edu/oit/



On Fri, Jan 24, 2014 at 1:53 AM, Федорищев Игорь Николаевич 
fedorisc...@bsu.edu.ru wrote:

 Hello.

 My setup of Jasig CAS had several authentication handlers. But when one of
 them is down, CAS is down too, getting only a message like "CAS is
 unavailable".
 I had several LDAP handlers and one custom database handler. So, if the
 database server goes down, CAS is unavailable. My question is: why, when one
 handler is down, doesn't CAS try to authenticate against the others?

 --




[cas-user] Session Time out and invalid-session-url

2013-12-04 Thread Linda Toth
Hello

I searched the list archives and didn't see any mention of this, soo

Due to the recommendations for using CAS with Banner, we are currently
using 3.4.2.1 with no immediate plans to upgrade.

The documentation seems clear enough for using the

<http>
  <session-management invalid-session-url="..."/>
</http>

and the reminder to use

<http>
  <logout delete-cookies="JSESSIONID"/>
</http>

I am assuming this would be placed in the securityContext.xml file,
correct?  I am guessing that only because of the <sec:http …> forms I see
there.

Linda

--

Linda


Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
907-450-8320
Fairbanks, Alaska 99775
linda.t...@alaska.edu | www.alaska.edu/oit/


Re:[cas-user] Session Time out and invalid-session-url

2013-12-04 Thread Linda Toth
Actually,

Now that I look at that file closely, it is clear this is where the invalid
session redirect must be inserted.

But, I am wondering about a difference between the Spring Docs and a forum
post on stack overflow.  Spring makes no mention of needing to add
invalidate-session=false in order to get it actually redirect to the
invalid-session-url page.

Any one have more information on that?

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
907-450-8320
Fairbanks, Alaska 99775
linda.t...@alaska.edu | www.alaska.edu/oit/



On Wed, Dec 4, 2013 at 2:38 PM, Linda Toth ltt...@alaska.edu wrote:

 Hello

 I searched the list archives and didn't see any mention of this, soo

 Due to the recommendations for using CAS with Banner, we are currently
 using 3.4.2.1 with no immediate plans to upgrade.

 The documentation seems clear enough for using the

 <http>
   <session-management invalid-session-url="..."/>
 </http>

 and the reminder to use

 <http>
   <logout delete-cookies="JSESSIONID"/>
 </http>

 I am assuming this would be placed in the securityContext.xml file,
 correct?  I am guessing that only because of the <sec:http …> forms I see
 there.

 Linda

 --

 Linda


 Linda Toth
 University of Alaska - Office of Information Technology (OIT) - Identity
 and Access Management
 910 Yukon Drive, Suite 103
 907-450-8320
 Fairbanks, Alaska 99775
 linda.t...@alaska.edu | www.alaska.edu/oit/




Re: [cas-user] Slow throughput for CAS

2013-11-20 Thread Linda Toth
Marvin  Scott,

Marvin, your recommendation is already being executed.  It seems a good
approach and I did a quick test to be sure I removed the appropriate
elements since I have not used that Authentication Handler since I took it
out of the box.

I will let you know how it goes.

Scott,

I am forwarding your comment to the SA managing that portion.  I can
provide details of the CAS configuration files, but I can tell I have not
modified any CAS configurations beyond what was needed to use the service
registry DB, adding a service administrator, assertions for AD LDAP and
appropriate passwords, etc.  We set those up very specific to interact with
Ellucian.

Linda



Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
907-450-8320
Fairbanks, Alaska 99775
linda.t...@alaska.edu | www.alaska.edu/oit/



On Tue, Nov 19, 2013 at 9:04 AM, Marvin Addison marvin.addi...@gmail.com wrote:

  Tests show that CAS plateaus at 9 simultaneous login attempts.  At that
  point, the tester will aggregate logins and continue to push them
 through,
  but at some point the multi-tasking slows down to the point that Apache
  times out.  The tests were isolated to authentication to confirm that
  communicating to client services did not affect the login rate.

 I would recommend testing against a cloned instance of your prod VM
 where you substitute SimpleTestUsernamePasswordAuthenticationHandler
 for your BindLdapAuthenticationHandler. That should give you a good
 sense of whether the authentication subsystem is the bottleneck, which
 is what I expect. I'm fairly certain that tuning your LDAP connection
 pools will provide improved performance regardless, but it would be
 helpful to compare with the stub handler to get a sense of the
 magnitude of the problem.

 M




[cas-user] Slow throughput for CAS

2013-11-19 Thread Linda Toth
Hello

We continue to see issues around CAS performance in conjunction with a
remote LDAP server.

First, we have read in this forum from several contributors that CAS
performance exceeds the performances of its services.  In an effort to
understand why CAS is not performing at the levels others have reported, we
are providing more details of our CAS implementation.

Tests:
Tests show that CAS plateaus at 9 *simultaneous* login attempts.  At that
point, the tester will aggregate logins and continue to push them through,
but at some point the multi-tasking slows down to the point that Apache
times out.  The tests were isolated to authentication to confirm that
communicating to client services did not affect the login rate.

During tests, the CPU and Memory consumption remain at low levels.  The
priority of the task is set high enough to be handled immediately.  There
is nothing that suggests the disk may be thrashing due to swapping.

CAS Server:

   - CAS is run on a VM hosted upon RHEL 6, with 4G memory, 1G PermGen,
   Allocated disk space for CAS is 1008M while total logging is 3G
   - Tomcat 6 is the web server
   - Authentication is handled via a remote AD LDAP server
   - Apache handles SSL encryption/decryption between the user and CAS.

AD Server:
The AD environment is not clustered, so the load is not being balanced.


--

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
907-450-8320
Fairbanks, Alaska 99775
linda.t...@alaska.edu | www.alaska.edu/oit/


Re: [cas-user] Simple question re: global properties for CAS

2013-11-06 Thread Linda Toth
Thank you, Misagh.

I will look into it and communicate further as I make progress.

Linda

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
907-450-8320
Fairbanks, Alaska 99775
linda.t...@alaska.edu | www.alaska.edu/oit/



On Wed, Nov 6, 2013 at 5:39 AM, Misagh Moayyed mmoay...@unicon.net wrote:

 1)  That is a fair assumption.



 2)  As a first step, you’ll need to externalize the location of the
 cas.properties file so it’s not embedded inside the CAS web application.
 Take a look at this [1] please to see how that might be done. You might
 also be able to take advantage of this extension [2] if you have CAS
 deployed on multiple nodes.



 [1] https://github.com/Unicon/unicon-cas-overlay

 [2]
 https://github.com/Unicon/cas-addons/wiki/Ticket-ID-generator-based-on-host-name



 -Misagh

 *From:* Linda Toth [mailto:ltt...@alaska.edu]
 *Sent:* Tuesday, November 05, 2013 3:26 PM
 *To:* cas-user@lists.jasig.org
 *Subject:* [cas-user] Simple question re: global properties for CAS



 Hello



 This seems implied by what I read, but I have found nothing specific, so
 it is worth checking; my understanding on the order in which XML file
 properties are loaded into the CAS configuration needs work ..



 I want to use a property to define the hostname in one place for each CAS
 instance we have, which is translated across all files referring to a
 specific server (cas.properties, protocol_view.properties, and
 uniqueIdGenerator.xml).  I have been assuming that the cas.properties file
 is read first into the environment at load time so that all other
 references to ${host.name} adhere to the definition in cas.properties.
  Is that an accurate assumption?



 We have several instances of CAS across several testing and back up
 environments and I would love to make changes to the cas.properties as the
 only place where a host name is changed.  Further along those lines, I
 would like to be able to define registry DB connections, the CAS admin
 user/password, and LDAP connections in the same file, so the
 deployerConfigContext.xml file does not need to be altered.



 Linda



 --

 Linda Toth
 University of Alaska - Office of Information Technology (OIT) - Identity
 and Access Management

 910 Yukon Drive, Suite 103

 907-450-8320
 Fairbanks, Alaska 99775
 linda.t...@alaska.edu | www.alaska.edu/oit/







Re: [cas-user] Simple question re: global properties for CAS

2013-11-06 Thread Linda Toth
Hello

I will keep this in mind, but I am talking about different servers serving
different functions, so it is not clustered.  We have not implemented
clustering, because at this point, CAS seems to be efficient and powerful
enough to manage all the service requests coming to it, and in fact,
appears to be waiting for client responses.

We do have failover implemented on production.

What prompted the move to clustering for your environment?

Linda

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
907-450-8320
Fairbanks, Alaska 99775
linda.t...@alaska.edu | www.alaska.edu/oit/



On Wed, Nov 6, 2013 at 1:25 PM, Danner, Mearl jmdan...@samford.edu wrote:

  I’ve successfully moved all configuration parameters to /etc/cas for CAS
 3.5.2 (clustered behind a load balancer). It also uses an LDAP service
 registry in openldap replicated between CAS nodes. Authentication is to
 Active Directory.



 /etc/cas

 cas.properties – customize host.name for each node
 ehcache.xml – if replicated, alter the rmiUrls to point to the other node
 log4j.xml – set the CAS log path to /var/log/cas; make sure Tomcat has
 permission to write there
 attributes.properties – replaces the resultAttributeMapping map in the
 attributeRepository bean.

 LDAP attribute=CAS attribute

 cn=CN
 memberOf=Groups
 givenName=FirstName
 sn=LastName
 displayName=FullName



 I made up my own property names. If there is a convention for naming
 properties in cas.properties please share and I’ll adjust mine.



 I was able to deploy the same cas.war on two cluster nodes using this
 configuration.



 I’ll look into selection 2. That will keep the cas.properties file the
 same for each node.





 Mearl Danner

 Senior Systems Programmer

 Samford University Technology Services

 http://www.samford.edu



 *From:* Misagh Moayyed [mailto:mmoay...@unicon.net]
 *Sent:* Wednesday, November 06, 2013 8:39 AM
 *To:* cas-user@lists.jasig.org
 *Subject:* RE: [cas-user] Simple question re: global properties for CAS



 1)  That is a fair assumption.



 2)  As a first step, you’ll need to externalize the location of the
 cas.properties file so it’s not embedded inside the CAS web application.
 Take a look at this [1] please to see how that might be done. You might
 also be able to take advantage of this extension [2] if you have CAS
 deployed on multiple nodes.



 [1] https://github.com/Unicon/unicon-cas-overlay

 [2]
 https://github.com/Unicon/cas-addons/wiki/Ticket-ID-generator-based-on-host-name



 -Misagh

 *From:* Linda Toth [mailto:ltt...@alaska.edu ltt...@alaska.edu]
 *Sent:* Tuesday, November 05, 2013 3:26 PM
 *To:* cas-user@lists.jasig.org
 *Subject:* [cas-user] Simple question re: global properties for CAS



 Hello



 This seems implied by what I read, but I have found nothing specific, so
 it is worth checking; my understanding on the order in which XML file
 properties are loaded into the CAS configuration needs work ..



 I want to use a property to define the hostname in one place for each CAS
 instance we have, which is translated across all files referring to a
 specific server (cas.properties, protocol_view.properties, and
 uniqueIdGenerator.xml).  I have been assuming that the cas.properties file
 is read first into the environment at load time so that all other
 references to ${host.name} adhere to the definition in cas.properties.
  Is that an accurate assumption?



 We have several instances of CAS across several testing and back up
 environments and I would love to make changes to the cas.properties as the
 only place where a host name is changed.  Further along those lines, I
 would like to be able to define registry DB connections, the CAS admin
 user/password, and LDAP connections in the same file, so the
 deployerConfigContext.xml file does not need to be altered.



 Linda



 --

 Linda Toth
 University of Alaska - Office of Information Technology (OIT) - Identity
 and Access Management

 910 Yukon Drive, Suite 103

 907-450-8320
 Fairbanks, Alaska 99775
 linda.t...@alaska.edu | www.alaska.edu/oit/







[cas-user] Simple question re: global properties for CAS

2013-11-05 Thread Linda Toth
Hello

This seems implied by what I read, but I have found nothing specific, so it
is worth checking; my understanding on the order in which XML file
properties are loaded into the CAS configuration needs work ..

I want to use a property to define the hostname in one place for each CAS
instance we have, which is translated across all files referring to a
specific server (cas.properties, protocol_view.properties, and
uniqueIdGenerator.xml).  I have been assuming that the cas.properties file
is read first into the environment at load time so that all other
references to ${host.name} adhere to the definition in cas.properties.  Is
that an accurate assumption?

We have several instances of CAS across several testing and back up
environments and I would love to make changes to the cas.properties as the
only place where a host name is changed.  Further along those lines, I
would like to be able to define registry DB connections, the CAS admin
user/password, and LDAP connections in the same file, so the
deployerConfigContext.xml file does not need to be altered.

Linda

--
Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
907-450-8320
Fairbanks, Alaska 99775
linda.t...@alaska.edu | www.alaska.edu/oit/


Re: [cas-user] Multiple search base for LDAP

2013-09-24 Thread Linda Toth
Andrew,

Care to include a
LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager
example (i.e., for different LDAP servers such as AD and SunLDAP)?

Linda

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
907-450-8320
Fairbanks, Alaska 99775
linda.t...@alaska.edu | www.alaska.edu/oit/



On Mon, Sep 23, 2013 at 12:02 PM, Andrew Petro ape...@unicon.net wrote:

 Supporting multiple search bases came up again in a Unicon technical
 support context, so I've added a page to the CAS user manual documenting
 the options, drawing on the inputs in this email list thread.


 https://wiki.jasig.org/display/CASUM/LDAP+Authentication+with+Multiple+Search+Bases

 Kind regards,

 Andrew


 On Wed, Jul 31, 2013 at 11:02 PM, Farzan Qureshi 
 fqure...@rosmini.school.nz wrote:

 Dear Community,

 I configured CAS a year ago. Our CAS authenticates users against our LDAP
 server. At the moment I have the complete LDAP tree as the search base.

 <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
   p:filter="mail=%u"
   p:searchBase="ou=people,dc=example,dc=com"
   p:contextSource-ref="contextSource"
   p:searchContextSource-ref="pooledContextSource" />

 If I want to have two search bases, one for students and one for staff,
 how can I assign a search base to each of the two different user bases?

 p:searchBase="ou=students,dc=example,dc=com"  ???
 p:searchBase="ou=staff,dc=example,dc=com" ???

 Thanks in anticipation.

 Kind regards,


 --
 *Farzan Qureshi* | Network Administrator & Help-desk Support | Rosmini
 College | (09) 487 0 530

 This email and any files transmitted with it are confidential and
 intended solely for the use of the individual or entity to whom they are
 addressed. If you have received this email in error please notify the
 system manager (ad...@rosmini.school.nz). Please note that any views or
 opinions presented in this email are solely those of the author and do not
 necessarily represent those of the company. Finally, the recipient should
 check this email and any attachments for the presence of viruses. Rosmini
 College accepts no liability for any damage caused by any virus
 transmitted by this email.





Re: [cas-user] Socket error at high volumes

2013-09-11 Thread Linda Toth
Thanks to all for your responses.

Linda

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
907-450-8320
Fairbanks, Alaska 99775
linda.t...@alaska.edu | www.alaska.edu/oit/



On Tue, Sep 10, 2013 at 1:56 PM, Andrew Morgan mor...@orst.edu wrote:

 We had Ellucian run some load testing for our Luminis 5 deployment a
 couple years ago, which ended up testing CAS.  We created an instance of
 CAS with dummy account data (local flat files instead of LDAP).  I don't
 know how many simultaneous logins were attempted, but we managed to have
 nearly 2000 concurrent Luminis logins before the Luminis servers were too
 sluggish.

 If you don't see any JVM errors in your Tomcat logs, then I wouldn't
 expect any problems with CAS itself.  I think Saml10SuccessResponseView is
 generating a SAML response when the CAS client calls /samlValidate.  The
 broken pipe error indicates to me that the underlying TCP connection has
 gone away, possibly due to a client timeout.

 Have you tried running Psi-Probe (http://code.google.com/p/psi-probe/)
 in your Tomcat instance to monitor it?  This tool can provide a lot of
 useful information.  The Connectors page can show you traffic volumes and
 response time, as well as what each thread is doing.

 Other than that, I would use normal OS debugging and troubleshooting tools
 - top, vmstat, reading Tomcat catalina logs.  Are you running out of CPU,
 memory, etc?

 What Ticket Registry are you using?  Perhaps it is unable to keep up? What
 about attribute resolution?  Can your LDAP repository handle that many
 simultaneous queries?

 Lots of things to check!

 Andy


 On Tue, 10 Sep 2013, Linda Toth wrote:

  Good afternoon

 We have recently implemented SSO for Banner 8 via CAS.  Our LDAP
 repository is AD.  We are running one CAS server and are now in the process
 of load testing the capability of CAS to match the load volume tested when
 using only Banner BEIS authentication.

 The tests are set up through WebLOAD.  The tests are designed by setting
 a fixed number of virtual users who attempt to log in at the same time.
  The tests start at 100, then 200, 250, 275, and 300.  At 275 simultaneous
 attempts to login, the WebLOAD tool receives many Internal 500 errors.

 Some on the team assess the situation as an indication that CAS can not
 keep up with the load.  Others suspect the tool itself, which must now
 contend with browser redirects while simulating a high volume of users.

 Whichever the case, I do know that there are no issues in volume
 connections to AD.  All LDAP authentication steps are made.

 The Socket failure messages take the following form, but not always at
 the exact same juncture:

 2013-09-05 07:40:39,174 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor]
 - Extractor generated service for: https://server.alaska.edu:443/target
 2013-09-05 07:40:39,178 ERROR [org.jasig.cas.web.view.Saml10SuccessResponseView] -
 ClientAbortException:  java.net.SocketException: Broken pipe

 2013-09-05 07:40:42,235 ERROR [org.jasig.cas.web.view.Saml10SuccessResponseView] -
 ClientAbortException:  java.net.SocketException: Broken pipe

 Ellucian, when Atlassian, indicated this error was not fatal, however,
 our team is seeking a definite assurance that a single CAS server can
 manage such high volumes during peak times when login attempts can exceed
 2000 in the first five minutes.

 Has anyone tested the upper limits of simultaneous CAS logins in a
 tomcat/apache configuration?

 Linda

 PS
 I also should mention that our team has not been interested in using
 tomcat 8443, but instead uses 443.  Personally, I do not see a special
 advantage to doing it this way, but there it is.  I am forwarding how our
 SA suspects the socket failures are occurring:

 Apache's default timeout is 300 seconds.  Red Hat reduces the connection
 timeout for Apache to 60 seconds.  Most users aren't going to wait more
 than 10 seconds, anyway.  If tomcat does not respond to Apache before that
 timeout, Apache will close the connection and log the timeout expired
 messages David mentioned.  When tomcat tries to respond after Apache has
 closed the connection it will throw a SocketException with the message
 Broken Pipe.



[cas-user] Socket error at high volumes

2013-09-10 Thread Linda Toth
Good afternoon

We have recently implemented SSO for Banner 8 via CAS.  Our LDAP repository is 
AD.  We are running one CAS server and are now in the process of load testing 
the capability of CAS to match the load volume tested when using only Banner 
BEIS authentication.

The tests are set up through WebLOAD.  The tests are designed by setting a 
fixed number of virtual users who attempt to log in at the same time.  The 
tests start at 100, then 200, 250, 275, and 300.  At 275 simultaneous attempts 
to login, the WebLOAD tool receives many Internal 500 errors.  

Some on the team assess the situation as an indication that CAS can not keep up 
with the load.  Others suspect the tool itself, which must now contend with 
browser redirects while simulating a high volume of users.

Whichever the case, I do know that there are no issues in volume connections 
to AD.  All LDAP authentication steps are made.  

The Socket failure messages take the following form, but not always at the 
exact same juncture:

2013-09-05 07:40:39,174 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] 
- Extractor generated service for: https://server.alaska.edu:443/target
2013-09-05 07:40:39,178 ERROR 
[org.jasig.cas.web.view.Saml10SuccessResponseView] -
ClientAbortException:  java.net.SocketException: Broken pipe

2013-09-05 07:40:42,235 ERROR 
[org.jasig.cas.web.view.Saml10SuccessResponseView] -
ClientAbortException:  java.net.SocketException: Broken pipe

Ellucian, when Atlassian, indicated this error was not fatal, however, our team 
is seeking a definite assurance that a single CAS server can manage such high 
volumes during peak times when login attempts can exceed 2000 in the first five 
minutes.

Has anyone tested the upper limits of simultaneous CAS logins in a 
tomcat/apache configuration?

Linda

PS
I also should mention that our team has not been interested in using tomcat 
8443, but instead uses 443.  Personally, I do not see a special advantage to 
doing it this way, but there it is.  I am forwarding how our SA suspects the 
socket failures are occurring:

Apache's default timeout is 300 seconds.  Red Hat reduces the connection 
timeout for Apache to 60 seconds.  Most users aren't going to wait more than 10 
seconds, anyway.  If tomcat does not respond to Apache before that timeout, 
Apache will close the connection and log the timeout expired messages David 
mentioned.  When tomcat tries to respond after Apache has closed the connection 
it will throw a SocketException with the message Broken Pipe.
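Marvin's advice in the "Slow throughput" thread above (swap in the stub authentication handler to see whether the LDAP bind is the bottleneck, then tune the connection pool) and the SA's explanation here of how Apache's 60 second timeout turns into Tomcat's broken-pipe errors describe the same arithmetic: a fixed number of LDAP connections, each busy for one bind's worth of time, can only finish so many logins per second, and everything queued behind them waits. The block below is an added example, not code from either thread or from CAS; it is a deterministic first-come-first-served model of that queue. The 300-user burst matches the WebLOAD step that produced the 500s and the pool size of 9 matches the plateau reported in November; the bind times of 0.5 s and 2 s are assumptions, and the model deliberately ignores Tomcat's thread pool, Apache's worker limits and AD's own capacity.

```python
import heapq

def simulate_pool(arrival_times, pool_size, service_seconds):
    """Serve requests in arrival order through `pool_size` identical connections,
    each occupied for `service_seconds` per request (the LDAP bind).
    Returns one (arrival, start, finish) triple per request."""
    free_at = [0.0] * pool_size            # time at which each connection becomes free
    heapq.heapify(free_at)
    results = []
    for arrival in sorted(arrival_times):
        conn_free = heapq.heappop(free_at)  # earliest-available connection
        start = max(arrival, conn_free)
        finish = start + service_seconds
        heapq.heappush(free_at, finish)
        results.append((arrival, start, finish))
    return results

def throughput_ceiling(pool_size, service_seconds):
    """Logins per second the pool can sustain regardless of idle CPU: pool / bind time."""
    return pool_size / service_seconds

def makespan(results):
    """Seconds from the first arrival until the last login completes."""
    return max(f for _, _, f in results) - min(a for a, _, _ in results)

def worst_wait(results):
    """Longest time any request sat waiting for a free connection."""
    return max(s - a for a, s, _ in results)

def requests_timing_out(results, timeout_seconds):
    """Requests whose end-to-end time exceeds the front-end proxy's timeout. These
    are the connections the proxy closes; when Tomcat later writes the response it
    gets the SocketException: Broken pipe seen in the Saml10SuccessResponseView log."""
    return sum(1 for a, _, f in results if f - a > timeout_seconds)

if __name__ == "__main__":
    burst = [0.0] * 300   # 300 virtual users pressing "login" at the same instant
    for pool, bind in ((9, 0.5), (9, 2.0), (50, 2.0)):
        r = simulate_pool(burst, pool, bind)
        print(f"pool={pool:2d} bind={bind}s  ceiling={throughput_ceiling(pool, bind):5.1f}/s  "
              f"makespan={makespan(r):5.1f}s  worst wait={worst_wait(r):5.1f}s  "
              f"timeouts@60s={requests_timing_out(r, 60.0)}")
```

Substituting SimpleTestUsernamePasswordAuthenticationHandler is the real-world way of driving service_seconds toward zero: if the 500s vanish, the bind path is the bottleneck and the pool (and the remote AD's latency) is where to look; if they stay, the problem is in front of the authenticator. Running with bind=2.0 shows why a small pool fails exactly the way the SA describes: the last thirty requests of the burst cannot complete inside 60 s even though CAS itself is mostly idle.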


[cas-user] Socket error at high volumes

2013-09-05 Thread Linda Toth
Good afternoon

We have recently implemented SSO for Banner 8 via CAS.  Our LDAP repository
is AD.  We are running one CAS server and are now in the process of load
testing the capability of CAS to match the load volume tested when using
only Banner BEIS authentication.

The tests are set up through WebLOAD.  The tests are designed by setting a
fixed number of virtual users who attempt to log in at the same time.  The
tests start at 100, then 200, 250, 275, and 300.  At 275 simultaneous
attempts to login, the WebLOAD tool receives many Internal 500 errors.

Some on the team assess the situation as an indication that CAS can not
keep up with the load.  Others suspect the tool itself, which must now
contend with browser redirects while simulating a high volume of users.

Whichever the case, I do know that there are no issues in volume
connections to AD.  All LDAP authentication steps are made.

The Socket failure messages take the following form, but not always at the
exact same juncture:

2013-09-05 07:40:39,174 DEBUG
[org.jasig.cas.web.support.SamlArgumentExtractor] - Extractor generated
service for: 
https://server.alaska.edu:443/https://beisregx.alaska.edu/ssomanager/c/SSB
target
2013-09-05 07:40:39,178 ERROR
[org.jasig.cas.web.view.Saml10SuccessResponseView] -
ClientAbortException:  java.net.SocketException: Broken pipe

2013-09-05 07:40:42,235 ERROR
[org.jasig.cas.web.view.Saml10SuccessResponseView] -
ClientAbortException:  java.net.SocketException: Broken pipe

Ellucian, when Atlassian, indicated this error was not fatal, however, our
team is seeking a definite assurance that a single CAS server can manage
such high volumes during peak times when login attempts can exceed 2000 in
the first five minutes.

Is CAS incapable of accepting more than 250 simultaneous login attempts
without failure?  If not, how have teams tested the load so that it met
load requirements?

Linda

PS
I also should mention that our team has not been interested in using tomcat
8443, but instead uses 443.  Personally, I do not see a special advantage
to doing it this way, but there it is.  I am forwarding how our SA suspects
the socket failures are occurring:

Apache's default timeout is 300 seconds.  Red Hat reduces the connection
timeout for Apache to 60 seconds.  Most users aren't going to wait more
than 10 seconds, anyway.  If tomcat does not respond to Apache before that
timeout, Apache will close the connection and log the timeout expired
messages David mentioned.  When tomcat tries to respond after Apache has
closed the connection it will throw a SocketException with the message
Broken Pipe.

Linda
--
Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
907-450-8320
Fairbanks, Alaska 99775
linda.t...@alaska.edu | www.alaska.edu/oit/

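An added example (not part of the thread) for lining the ClientAbortException / Broken pipe errors quoted above up against the load-test ramp: it parses log4j-style CAS entries, counts broken-pipe errors per minute, and finds the largest burst in a sliding window. The log text is constructed in the layout of the quoted lines; the hostnames and the later timestamps are made up.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of the CAS lines quoted in the post;
# hosts and the 07:41 entries are made up for illustration.
SAMPLE_LOG = """\
2013-09-05 07:40:39,174 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - Extractor generated service for: https://cas.example.edu:443/https://app.example.edu/ssomanager/c/SSB target
2013-09-05 07:40:39,178 ERROR [org.jasig.cas.web.view.Saml10SuccessResponseView] - ClientAbortException:  java.net.SocketException: Broken pipe
2013-09-05 07:40:42,235 ERROR [org.jasig.cas.web.view.Saml10SuccessResponseView] - ClientAbortException:  java.net.SocketException: Broken pipe
java.net.SocketException: Broken pipe
2013-09-05 07:41:03,010 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - Extractor generated service for: https://cas.example.edu:443/https://app.example.edu/ssomanager/c/SSB target
2013-09-05 07:41:03,500 ERROR [org.jasig.cas.web.view.Saml10SuccessResponseView] - ClientAbortException:  java.net.SocketException: Broken pipe
"""

# timestamp,millis LEVEL [logger] - message
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3}) (\w+)\s*\[([^\]]+)\] - (.*)$")

def parse_entries(text):
    # One dict per entry; lines that do not start with a timestamp (stack
    # traces, wrapped messages) are appended to the preceding entry.
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            ts = ts.replace(microsecond=int(m.group(2)) * 1000)
            entries.append({"ts": ts, "level": m.group(3),
                            "logger": m.group(4), "msg": m.group(5)})
        elif entries:
            entries[-1]["msg"] += "\n" + line
    return entries

def _broken_pipe_times(entries):
    return sorted(e["ts"] for e in entries
                  if e["level"] == "ERROR" and "Broken pipe" in e["msg"])

def broken_pipe_per_minute(entries):
    # Per-minute counts, to compare with the virtual-user steps of the test.
    return dict(Counter(t.strftime("%Y-%m-%d %H:%M")
                        for t in _broken_pipe_times(entries)))

def max_burst(entries, window_seconds=10):
    # Largest number of broken-pipe errors inside any sliding window.
    times = _broken_pipe_times(entries)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best
```

Run it over a real CAS log from the WebLOAD run to see whether the errors cluster at the 275-user step or are spread across the whole test.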