Re: [cas-user] A Very Basic Question

2013-11-01 Thread Marvin S. Addison

> We'll most likely be running it on a virtualized Red Hat system, but
> Windows is an option.


Linux is a perfectly acceptable if not desirable platform.


> specific information I'm looking for is recommended disk space
> allocation and possible dependency issues.


You could comfortably fit the application binaries for Java, Tomcat, and
the CAS webapp inside 1G. You'd need additional space for application
logs and optional features like cache subsystem disk overflow and
session persistence. If you don't know what those features are, you 
probably don't need them.


Most Java webapps, including CAS, are memory bound, so proper memory
sizing is vitally important. I would recommend no less than 2G, but you
can do some load testing [1] to gauge your particular requirements.

M

[1] https://wiki.jasig.org/display/CASUM/Apache+JMeter

--
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user


Re: [cas-user] Shib/CAS integration - Shib CAS Client Error - No subject alternative DNS name matching found.

2013-10-30 Thread Marvin S. Addison

> My situation is the following: we are trying to load balance on two CAS
> servers: cas1 and cas2. We have an ssl cert signed for the virtual host,
> .domain.edu , which is placed on each of
> our cas servers.


I'm a little unclear of your setup; presumably you're following 
https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration. In that 
case you should note that connections from your CAS client (Shib in this 
case) are back channel calls. You MUST configure the CAS client such 
that the virtual host is the target of ticket validation attempts. 
You'll also need to ensure that you're using a suitable HA ticket 
registry since these connections are sourced differently and may hit a 
different host from what the user hit with browser.


If you continue to have trouble, perform an SSL trace [1] and note the 
CN of the presented certificate. That should help indicate the source of 
your configuration problem.


M

[1] 
https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide




Re: [cas-user] UC Davis ISAPI Client - Chrome - ERR_RESPONSE_HEADERS_TRUNCATED

2013-10-30 Thread Marvin S. Addison

> UC Davis is aware of the issue. A recent change in Chrome code uncovered
> what looks to be an implementation bug in the ISAPI filter: the HTTP
> protocol requires an empty line tailing the headers and the filter
> apparently does not send one. Earlier Chrome code and other browsers
> seem to be more forgiving of this; the new Chrome code enforces the
> empty line, otherwise throwing the truncation error.


That sounds to me like the fix is a trivial one character patch. I have 
a Windows development environment where I'd be willing to patch and 
rebuild if you can share the source.


M



Re: [cas-user] SAML 2.0 /Federated Identity

2013-10-16 Thread Marvin S. Addison

> Will CAS 4.0 release have full SAML 2.0 capability?


No. CAS-Shibboleth integration is the recommended strategy if you want 
both CAS and SAML support.



> Will it be possible to do Federated SSO using CAS 4.0?


Not using CAS by itself; it can be used as the authentication provider 
for a federated SSO product like Shib.


M



Re: [cas-user] CAS Ldaps ssl path building failed

2013-10-15 Thread Marvin S. Addison

> Maybe it is just Monday and I'm missing something simple, but I assumed
> I would just use 'openssl s_client -connect ldap.domain.edu:636
> ', grab the ldaps cert, import it into the
> keystore that my tomcat/cas is using (with the trustcacerts option) and
> it would solve the problem.  It didn't.


Wrong trust store -- that one affects the Tomcat http connector 
components exclusively. You need to define the following in the Tomcat 
setenv.sh environment configuration script:


CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.trustStore=$TRUSTSTORE"
CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.trustStoreType=BKS"
CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.trustStorePassword=changeit"

Where $TRUSTSTORE is the path to the truststore containing your LDAP 
server certificate (chain).


M



Re: [cas-user] Question regarding CAS and db connections

2013-10-14 Thread Marvin S. Addison

> It seems that the time it takes to create the new connections and for
> the old connection to free up is taking longer than the set time of
> 20 seconds for the checkout time limit.


That sounds unusual. Do you have "validate on checkout" or similar
enabled? What's your validation query? Validation is the only reason I
could think of where checkout would take so long.

M



Re: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-11 Thread Marvin S. Addison

> Hmm, that's the impression I got after a meeting with Unicon, perhaps
> I misunderstood them.


I believe Unicon steers folks away from SAML. I believe it's motivated 
in some cases by the need to support proxying with attribute release, 
which SAML 1.1 does not support. If they used the word "deprecated," 
then that would be incorrect. It's supported now and for the foreseeable 
future.



> In any case, it looks like the client I'm trying to get to work
> (ezproxy) doesn't support SAML :(, so I'm stuck with unofficial CAS
> 2.0 attributes.


Understood.


> Did you by any chance have the opportunity to look at the other email
> I sent on this subject as far as whether or not the variable within
> the jsp file has already been flattened, or if there is the potential
> to tweak the jsp to iterate over it and generate separate entries for
> each value rather than flatten it?


You mean this:


  [a, b, c]



I admit that doesn't look correct but I'm not certain. What reference 
did you follow for customizing the casServiceValidationSuccess.jsp file?


M



Re: [cas-user] Services Management -LDAP Auth

2013-10-11 Thread Marvin S. Addison

> When I used a filter string like that, the application throws an
> exception as soon as I start tomcat.  I can't have the Ampersand in
> the deployerconfigcontext file.


You need to use an XML escape character:

(&amp;(objectclass=group)(...))

M



Re: [cas-user] Services Management -LDAP Auth

2013-10-11 Thread Marvin S. Addison

> Is the Group-search-base supposed to stop at an OU?  I took mine all
> the way to the CN of the group.  If it is supposed to stop at the OU
> level, then how does Spring identify the right group?


That question drew me to what looks like an obvious problem in your config:

group-search-base="CN=CAS ServiceMgmt Access,OU=Groups,OU=Security,…on
the way down to the .edu"

That is incorrect. You likely want "OU=Groups,OU=Security,...,dc=edu" in
there. If you want to search from the branch downward (OU=Security,
etc), you need to configure a subtree-scope search. I don't recall
offhand how to do that, but it's likely documented in the spring
security docs.

M



Re: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-11 Thread Marvin S. Addison

> My understanding was that despite it being the "official" mechanism,
> SAML is for the most part deprecated


Absolutely not. It may be deprecated at some (distant) future date, but
many folks are happily using the SAML support in many clients for
attribute release. No server or client customizations needed.


> most people are extending the CAS 2.0 protocol to supply attributes
> rather than using SAML


I don't think we have any numbers. I'd be happy to start a thread asking
for folks to speak up to get a sense, but from past experience it's hard
to gauge accurately with self reporting.

M



Re: [cas-user] Services Management -LDAP Auth

2013-10-10 Thread Marvin S. Addison

> Has anyone gotten the LDAP authentication to work for services
> management? I have tried various iterations of filter strings, but the
> spring documentation isn't quite tailored to the way you have to do it
> in the CAS file.


It's really a Spring Security configuration matter more than CAS 
specifically. Here's a working configuration we use for another app:


  

  

The member attribute of our directory is like yours: it contains the DN 
of members of the group. The uugid attribute is equivalent to group CN; 
it's simply the group name. The uupid attribute is the username. I 
believe your group search filter is correct, but your user search filter 
is incorrect. You're searching by user CN, which if you're using AD 
should be more like the following:


user-search-filter="(sAMAccountName={0})"

The user search filter is used to obtain a DN that is subsequently used 
to search for groups by substitution into the group search filter. Most 
AD deployments use the sAMAccountName for username, so the above is 
probably what you need.


M



Re: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-10 Thread Marvin S. Addison

> What is the "unofficial official" way of handling attributes in the CAS 2.0 
> protocol?


I honestly don't know. The official mechanism for attribute release is 
via the SAML 1.1 protocol. Attribute release will be officially 
supported in the CAS 3.0 protocol spec:


https://github.com/Jasig/cas/blob/master/cas-server-protocol/3.0/cas_protocol_3_0.md

I can't speak to various client support for the 2.0 protocol extension 
since we don't use it. I understand many folks do use it, so they can 
speak to client support.


M



Re: [cas-user] unsubscribe

2013-10-10 Thread Marvin S. Addison

> Please remove ra...@berkeley.edu  from
> subscribers.


List subscriptions are self service:

http://www.jasig.org/cas/mailing-lists

M



Re: [cas-user] CAS 3.5.2 w/ Spring 3.2?

2013-10-09 Thread Marvin S. Addison

> Anyone successfully try/build/run CAS 3.5.2 with Spring 3.2?


I haven't tried but I would expect you could upgrade with no problems.

M



Re: [cas-user] tomcat 6 session error

2013-10-08 Thread Marvin S. Addison

> I guess I'm confused because I thought the response would not start
> until all filters in the chain were processed. What am I missing here?


I don't think there is any such guarantee in the servlet specification.


> In my web.xml this is the last filter I have defined which may explain
> the issue if others can cause the filter chain to end early.


You should probably define it near the top to reduce the likelihood of 
the response starting before you add cookies. I should note that the 
order of <filter-mapping> elements controls order of filter invocation, 
not the order of <filter> elements.



> Is this simply an ordering problem or do I have some something
> fundamental wrong?


Probably the former. Try moving it to the top of the filter execution 
chain and see if that resolves it.



> Here is the filter code:
>  public void doFilter(
> ...
> response.addCookie(c);
> ...


I see you're attempting to add cookies as I suspected, so that's a good 
sign my hunch about the root cause is correct. Do the cookie 
manipulation before the response starts and you should be good.


M



Re: [cas-user] CAS HA bottleneck

2013-10-08 Thread Marvin S. Addison

> Should I use another replication method ?


While I don't have hard data, I am fairly certain that the memcached 
ticket registry will provide linear scalability. There is no 
replication, which dramatically simplifies architecture, and the failure 
modes are acceptable in many cases. Check out the HA guide for CAS 4 for 
more information:


http://jasig.github.io/cas/planning/High-Availability-Guide.html

The considerations in the guide apply to 3.x as well, though 
configuration details in linked documents may vary.


M



Re: [cas-user] tomcat 6 session error

2013-10-04 Thread Marvin S. Addison

> I'm seeing this error sporadically as well. I don't see anything
> relevant in catalina.out but these seem to correlate to failed POSTs to
> /cas/login with SAML requests.


I believe this error is something related to your application or 
environment specifically.



> Sep 23, 2013 6:32:13 PM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet cas threw exception
> java.lang.IllegalStateException: Cannot create a session after the
> response has been committed


The fundamental limitation here is that you can't set headers (i.e. 
Set-Cookie) after the container begins writing the HTTP response stream 
to the client.



> edu.denison.cas.web.filter.PurgeModAuthCasCookiesFilter.doFilter(PurgeModAuthCasCookiesFilter.java:96)


Ah, what's this? Bet that's the culprit.

M



Re: [cas-user] Change hashing password algorith

2013-10-02 Thread Marvin S. Addison

> I would like to change my password hashing algorithm.
> Where, in the CAS configuration, must I configure it?


DefaultPasswordEncoder takes a digest algorithm name in the constructor. 
Acceptable values are those defined in the MAC section of the JCE 
documentation [1].



> And, I would like to understand what algorithms are supported
> between OpenLDAP and CAS.


You would only need agreement in the case of using DIGEST-MD5 for 
authentication, which is uncommon. In an LDAP simple bind the 
credential is transmitted in the clear and hashed (with optional salt 
if you're using SSHA) at the server side for comparison with the value 
on record.


M

[1] 
http://docs.oracle.com/javase/1.5.0/docs/guide/security/jce/JCERefGuide.html#AppA




Re: [cas-user] mod_auth_cas with memcached backend

2013-10-01 Thread Marvin S. Addison

> Hi Guys, what do you think about such feature? It could be very
> useful in Reverse proxy cluster with mod_auth_cas working as CAS
> client.


There are two stores that I'm aware of in mod_auth_cas: assertion data 
(referred to as cookies) and proxy tickets. I imagine memcached could be 
used for both, but I'm interested to know what storage facility you need 
for your particular reverse proxy situation.


M



Re: [cas-user] CAS - apache fails to SSL-handshake

2013-10-01 Thread Marvin S. Addison

> I couldn't make much sense of the log.


I'll try to point out some things.


> [Tue Oct 01 11:26:47 2013] [debug] ssl_engine_init.c(807): Configuring
> RSA server certificate
> [Tue Oct 01 11:26:47 2013] [debug] ssl_engine_init.c(846): Configuring
> RSA server private key
> [Tue Oct 01 11:26:48 2013] [info] Loading certificate & private key of
> SSL-aware server
> [Tue Oct 01 11:26:48 2013] [info] svg-comp-fet.example.no:443


That appears to be your Apache host.


> [Tue Oct 01 11:27:34 2013] [debug] src/mod_auth_cas.c(1406): [client
> xxx.xx.xxx.xxx] entering getResponseFromServer()
> [Tue Oct 01 11:27:34 2013] [error] [client xxx.xx.xxx.xxx] MOD_AUTH_CAS:
> Could not perform SSL handshake with svg-comp-bet.example.no
>  (check CASCertificatePath)
> [Tue Oct 01 11:27:34 2013] [debug] src/mod_auth_cas.c(1184): [client
> xxx.xx.xxx.xxx] entering isValidCASTicket()


You should ensure that CASCertificatePath points to a directory 
containing the server certificate for svg-comp-fet.example.no or the CA 
that issued it. I know you said you already verified that, but you 
should use openssl s_client to confirm that the certificate you think 
you trust is actually the one you trust. It's pretty clear this is a 
certificate trust problem of some kind.


M



Re: [cas-user] CAS - apache fails to SSL-handshake

2013-09-30 Thread Marvin S. Addison

> would you mind pointing out how I turn on "logging to the max"?


From the m-a-c README:

Directive:   CASDebug
Default:     Off
Description: Enable or disable debugging mode for troubleshooting.
             Please note that LogLevel must be set to Debug for
             the VirtualHost in order for these logs to be visible.

In my experience that provides all the info I need to troubleshoot
integration problems. IIRC output goes in the Apache error log.

Cheers,
M



Re: [cas-user] CAS - apache fails to SSL-handshake

2013-09-30 Thread Marvin S. Addison

> The CAS-login works fine, but when I get redirected back to my
> apache after logging in, I get: "Could not perform SSL handshake
> with example.casserver.com (check CASCertificatePath)".


I would recommend turning up logging. mod_auth_cas uses curl under the
hood, and it should log details about the certificate it's having
trouble with.


> I checked CASCertificatePath, and I verified it points to the
> correct certificate(certificate of the CAS-server).


Additional logging should help verify or refute that statement.


> keytool -genkey -keyalg "RSA" -dname
>
> Is this the problem?


Nothing wrong there.


> Does mod_auth_cas require the certificate to be CA-signed, for
> instance by creating my own CA for the network using TinyCA2?


There are no particular issuer requirements on certificates used by CAS
components. Strictly speaking, the SSL machinery is controlled by
libraries (Java on the server side, libssl on the Apache/mod_auth_cas
side) outside CAS.


> Or is a normal self signed certificate enough?


That will work fine when configured properly, but it's uncommon to use 
for anything other than initial setup and testing.


M




Re: [cas-user] cas and python integration

2013-09-30 Thread Marvin S. Addison

> I am using the django-cas implementation:
> https://github.com/KTHse/django-cas2


Pretty sure that's what we used for integration with a small internal 
Django utility app. I recall fighting with URL mappings a bit but got it 
working in the end. This is against CAS 3.5.2, but it should work with 
any CAS 3.x version.



> in my django application i have the following settings:
>
> CAS_SERVER_URL= 'https://xxx..com:8443/cas-server-webapp-3.5.2/'
> CAS_SERVICE_URL='http://localhost:8000'
> CAS_LOGOUT_COMPLETELY=True
> CAS_SINGLE_SIGN_OUT=True
> CAS_RENEW=False
> CAS_GATEWAY=False
> CAS_REDIRECT_URL='/homePage'
> CAS_IGNORE_REFERER=False
> CAS_RETRY_LOGIN=False
> CAS_AUTO_CREATE_USERS=False
> CAS_EXTRA_LOGIN_PARAMS=None
> CAS_PROXY_CALLBACK=None


You MUST use an https URL for your application (CAS_SERVICE_URL) for 
single sign-on to work.



> and i have the following url mapped:
>
> url(r'^dologin/$', 'django_cas.views.login'),
> url(r'^dologout/$', 'django_cas.views.logout')


You'll have to analyze and troubleshoot your URL mappings as they are 
entirely application specific.



> which redirects me to the CAS authentication page; after that I'm being
> redirected to my homePage but I'm receiving an 'HTTP 403 error
> forbidden', and the following URL:
>
> http://localhost:8000/dologin/?next=%2FhomePage&ticket=ST-1-CxrtTYycarg3d9XNbhXo-cas01.example.org


Sounds like a ticket validation problem. Turning up django-cas logging 
helped me troubleshoot integration problems. I should note that the URL 
above is http, where it should be https. While many folks attempt to get 
up and running quickly without SSL, it invariably causes more problems 
rather than simplifying.


M



Re: [cas-user] CAS Tomcat Container Authentication

2013-09-26 Thread Marvin S. Addison

> Well, I have a working servlet that is testing the attribute release
> using the standard CAS Authentication/CAS Validation Filters and I did
> verify that the attributes are being passed through the service registry.


Your configuration looks correct to me. If the CAS server is sending the 
attributes out, then the client is likely receiving them. Still, it 
would be good to confirm with client logging. Can you turn org.jasig.cas 
up to FINEST on your Tomcat client? Pretty sure it will log the SAML 
payload it receives in that situation.


M



Re: [cas-user] ticket= param

2013-09-19 Thread Marvin S. Addison

> I would have imagined that the CasAuthenticationFilter would have
> stripped this ticket param out of the href once it was done consuming it?


There's a configuration parameter that controls the behavior. You want 
redirectAfterValidation=true. See [1] for more information.


M

[1] 
https://wiki.jasig.org/display/CASC/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml




Re: [cas-user] service validation content type

2013-09-19 Thread Marvin S. Addison

> I can file an enhancement request, but it'd be good to know if any
> (common) clients explicitly look for specific MIME types, such as
> text/plain.


I'm not aware of any clients that expect a particular mime type in the
response payload.

M



Re: [cas-user] FW: [uportal-user] LDAP - AD Authentication

2013-09-19 Thread Marvin S. Addison

> possible to construct a complex ldap query to filter users based on
> anything other than something of the type
> "CN=u%,OU=testou,DC=somedomain,DC=com" when using
> fastbindldapauthenticationhandler.


No, not possible. You're actually constructing the bind DN via string
replacement, so in strict terms it's not an LDAP query filter.

You have to use BindLdapAuthenticationHandler to do complex filtering.
I've seen a number of interesting queries over the years; you should be
able to do what you want. Let us know if you need help formulating a query.

M



Re: [cas-user] Getting attributes derived from Credentials into the SAML 1.1 response

2013-09-17 Thread Marvin S. Addison

> I have a set of attributes that are based on Credentials (e.g. an
> internal LOA value based on the credential type, certificate used in
> X509 authentication) that I need to have expressed as attributes in the
> SAML 1.1 assertion generated by CAS
>
>  2. Build a PersonAttributeDao implementation to inject the attributes
> at resolvePrincipal time.


We accomplish this via 2. We define a stub LOA attribute with a static 
DAO implementation then use a merging one to combine the various DAOs. 
Once we get the attribute definition into the authn pipeline, it's easy 
to update it with a custom resolver.


SAML2 has the AuthnContext slot that is an ideal place to describe 
things like LOA, but SAML 1.1 afaik only has AuthenticationMethod.


M



Re: [cas-user] caching attributes?

2013-09-13 Thread Marvin S. Addison

> So to integrate that into the cachingPersonAttributeDao
> config, you'd just set the userInfoCache property to "principalCache"?


I'm not certain since I've never used that component, but it certainly 
sounds like it would work. Seems easy enough to try.


M



Re: [cas-user] Banner Workflow and CAS AuthenticationProviderKey

2013-09-13 Thread Marvin S. Addison

> We recently started integrating our Banner environment with CAS. We have
> successfully integrated Banner INB into the CAS without any issues. We
> have recently begun the process of trying to configure the Workflow and
> Travel & Expense modules into the CAS as well.


We have done this. I can connect you with an engineer in our Banner 
group who can hopefully field questions if you ping me privately. I have 
no idea how this stuff works, and I'm much happier that way.


M



Re: [cas-user] caching attributes?

2013-09-13 Thread Marvin S. Addison

> So I'm trying to get CAS to retrieve attribute from LDAP, and ideally
> cache them to decrease load.


I would exercise caution with this approach. CAS natively employs 
attribute caching; attributes are only fetched on user authentication, 
so attributes are naturally cached for the duration of the SSO session. 
In most cases that's at least once per day which is arguably too long 
for certain kinds of authorization data. Adding additional caching on 
top of that sounds like a tradeoff you would make only upon careful 
analysis with your security folks.


That said, we use Ehcache in a custom attribute resolver to cache 
attributes during the authentication pipeline. We want to hit the 
directory exactly once during authentication, but it turns out we needed 
to perform at least two (possibly three) queries to resolve some data 
for user attributes as well as audit data. The caching TTL was carefully 
chosen to have data hang around only long enough to prevent duplicate 
queries against the directory during the authentication flow.



> https://wiki.jasig.org/display/PDM15/Attribute+Caching
>
> and trying to figure out how to set the size of the cache and the TTL.


I'm going to go on record and say I hate Person Directory. The only way 
I figure things out is by reviewing source:


https://github.com/Jasig/person-directory/blob/rel-1.5.0-RC6/person-directory-impl/src/main/java/org/jasig/services/persondir/support/CachingPersonAttributeDaoImpl.java

Good luck.

M



Re: [cas-user] Socket error at high volumes

2013-09-11 Thread Marvin S. Addison

> We are running one CAS server and are now in the
> process of load testing the capability of CAS to match the load
> volume tested when using only Banner BEIS authentication.


I responded to this post on cas-dev. Replying here.

> Some on the team assess the situation as an indication that CAS can not
> keep up with the load.  Others suspect the tool itself, which must now
> contend with browser redirects while simulating a high volume of users.

We do quite a bit of load testing of our CAS infrastructure at Virginia 
Tech, and I can say from experience that tools and environment matter. 
That said I don't believe tools are suspect in this case.


> 2013-09-05 07:40:39,178 ERROR
> [org.jasig.cas.web.view.Saml10SuccessResponseView] -
> ClientAbortException:  java.net.SocketException: Broken pipe

This is happening at the moment CAS is attempting to send the SAML 1.1 
service validation response to the client. In my experience, and on many 
references on the Web as well, this particular error occurs when the 
_client_ closes the connection during the write operation. That suggests 
that the problem is on the CAS client host, not the CAS server. The CAS 
client in this case is Banner/BEIS components.


> Is CAS incapable of accepting more than 250 simultaneous login attempts
> without failure?

Yes. Any modern, capable server hardware or VM platform should be able 
to accommodate that without even breaking a sweat.


M



Re: [cas-user] Observed/known memory leaks?

2013-09-10 Thread Marvin S. Addison

> had an aberrant issue yesterday with a
> single user of a typically busy service looping on ST
> request/validation after authentication (only one TGT).


What does the audit log say about the validations? If they were 
successful then it's almost certainly a problem with the CAS client 
and/or user agent. In almost every case of a redirect loop we've seen, 
the root cause was not the CAS server.


M



Re: [cas-user] Java CASified Applications failing with 500 errors

2013-09-09 Thread Marvin S. Addison

6.Click on same application link. Error.

https://trial.acs.utah.edu/uofu/fin/Chartfield/?ticket=ST-673-wI4lj4NP6sobUmlGh1pR-cas-test1

That's almost surely some kind of configuration or integration mistake. 
Any time a ticket parameter is present, it should be in the context of a 
service parameter that describes the service for which it was issued. 
The fact that the ticket is expired seems like further support for this 
hypothesis; the ticket is likely vestigial from a previous access attempt.



For some reason the second time the application is accessed the
ticket is appended to the URL and the service ticket is no longer
valid resulting in a 500 error.


A 500 is the expected behavior for an invalid ticket. I'm open to the 
idea that a 401 or 403 error code is more appropriate -- I know that the 
behavior of throwing exceptions that are translated by the container to 
500 has caused confusion around here.



One of our developers has designed a workaround where he catches
the exception


Agreed that's not a pretty fix and likely doesn't address the root problem.


Any thoughts, ideas, are we doing something wrong?


I think you've got a configuration/integration problem particular to 
PeopleSoft. Beyond that I can't provide any suggestions since I don't 
have any PS experience. Anyone else?


Best,
M



Re: [cas-user] CAS Server

2013-09-05 Thread Marvin S. Addison

Do we have any server available currently which we can buy.


Do you mean physical hardware or VM? I don't have either but I'm sure 
some consultant could come to your aid.



It should contain CAS Installed with couple of apps integrated.


You'd need to specify the applications.

M



Re: [cas-user] SAML-P support in CAS

2013-09-03 Thread Marvin S. Addison

Maybe I should have asked differently.  Is SAML 2.0 fully supported in CAS?


There is very limited support for SAML 2; enough for Google Apps and 
Salesforce integration. In terms of specifications, I believe we support 
the Web Browser SSO Profile over the HTTP POST binding (and possible 
also HTTP Redirect). We support signed messages but not signed 
assertions; there is no support for encryption.


M



Re: [cas-user] OpenKM Cas client how to adapt from jboss to tomcat

2013-09-03 Thread Marvin S. Addison

DEBUG org.jasig.cas.client.validation.Saml11TicketValidator -
Constructing validation url:
https://URLCASSERVER:8443/cas/samlValidate?TARGET=http%3A%2F%2FURLCASCLIENT%3A8080%2FOpenKM%2Flogo%2Flogin%3FTARGET%3Dhttp%253A%252F%252FURLCASCLIENT%253A8080%252FOpenKM%252Flogo%252Flogin
DEBUG org.jasig.cas.client.validation.Saml11TicketValidator - Retrieving
response from server.
DEBUG org.jasig.cas.client.validation.Saml11TicketValidator - Server
response: http://schemas.xmlsoap.org/soap/envelope/";>http://www.w3.org/2001/XMLSchema";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
IssueInstant="2013-09-02T21:36:13.944Z" MajorVersion="1"
MinorVersion="1" Recipient="http://URLCASCLIENT:8080/OpenKM/logo/login";
ResponseID="_14ce5945f0cce6759da22bafb98facd4">http://URLCASCLIENT:8080/OpenKM/logo/loging.lemaireurn:oasis:names:tc:SAML:1.0:cm:artifacthttp://www.ja-sig.org/products/cas/";>DEMOVILLEg.lemaireurn:oasis:names:tc:SAML:1.0:cm:artifact
DEBUG org.jasig.cas.client.validation.Saml11TicketValidationFilter -
Successfully authenticated user: g.lemaire
DEBUG org.jasig.cas.client.validation.Saml11TicketValidationFilter -
Redirecting after successful ticket validation.


That much indicates a successful CAS authentication; your SAML attribute 
response even contains attributes that presumably are required for 
authorization. Everything following is a matter of CAS-OpenKM 
integration, and I can't provide any help in that regard.



DEBUG org.jasig.cas.client.util.CommonUtils - serviceUrl generated:
http://URLCASCLIENT:8080/OpenKM/logo/login?TARGET=http%3A%2F%2FURLCASCLIENT%3A8080%2FOpenKM%2Flogo%2Flogin
DEBUG com.openkm.core.UINotification - *** Clean UI notification ***
DEBUG com.openkm.servlet.frontend.UINotificationServlet - clean()


Anyone else have any experience with OpenKM?

Thanks,
M



Re: [cas-user] OpenKM Cas client how to adapt from jboss to tomcat

2013-09-02 Thread Marvin S. Addison

I try to apply the old configuration to the new but having some trouble
(the ldap part is operational, but not the auth via CAS-client). The cas
server is unchanged.


Just to confirm, the CAS server should not change when porting a CAS 
client application from one container to another.



  
   
 
   org.jasig.cas.client.validation.Saml11TicketValidator
   https://URL:8443/cas/
   https://URL:8443/OpenKM/
   UserRole
   roleAttributeNames
   CallerPrincipal
   Roles
   true
   2
   480
 
   



Are you actually using the role-based authorization? You've set 
roleAttributeNames but the value doesn't look right to me. That should 
be an LDAP attribute name or database field containing role data; e.g. 
"memberOf", "eduPersonAffiliation".



I've tried lot of things but without success,


It's unclear whether you're getting deployment errors or the application 
doesn't work the same way on Tomcat. I can imagine that if you want to 
translate the JAAS role-based authorization to Spring Security, that 
will be the most difficult task in porting. If you're running into 
errors, please post those; it will help draw attention to particular 
problems.


M



Re: [cas-user] SAML-P support in CAS

2013-09-02 Thread Marvin S. Addison



New to CAS and looking into the CAS 3.5.2 version.  Is the SAML-P
supported?  If not in the 3.5.x is it supported in any other
version?


Not familiar with SAML-P; can you cite a reference to the spec? I'm
almost certain the answer is that it's not supported and is not planned,
but SAML support is something that would be reasonable to improve in
future versions (e.g. 5.x).

M



Re: [cas-user] 'CAS is Unavailable' sometimes...

2013-09-02 Thread Marvin S. Addison

I have seen that there was a ticket for that problem:
https://issues.jasig.org/browse/CAS-1051 and I've got a question: are
rolled-back transactions replayed to try to resolve the ephemeral
problem?


I'm not aware of any database platform that replays deadlocked 
transactions. All the ones I've used or tested abort both transactions 
when a deadlock is detected. I've not worked with MySQL on this problem, 
but I am fairly certain it works like the others.


M



Re: [cas-user] ClearPass on 3.5.2

2013-08-19 Thread Marvin S. Addison

2013-08-19 09:16:33,758 ERROR [org.jasig.cas.client.util.XmlUtils] -
org.xml.sax.SAXParseException; Premature end of file.


Reads like a Spring XML configuration syntax error. Post the redacted 
file(s) and we'll take a look.


M



Re: [cas-user] memcache ticket registry error

2013-08-12 Thread Marvin S. Addison

FWIW, my take on that is that hitting just the login page is so
infrequent the resources wasted would be trivial compared to the
complexity of non-intuitive behavior.  Just my $0.05.


It seems worthwhile to note that the behavior you'd like will be the 
default in CAS 4.0:


https://issues.jasig.org/browse/CAS-1219

M



Re: [cas-user] ticketRegistryCleaner

2013-08-09 Thread Marvin S. Addison

I'd like clarification whether ticketExpirationPolicies.xml still
applies, that is a completely separate policy to configure where one
needs to configure both.


You should configure both cache expiration/eviction semantics and CAS 
ticket expiration policy. For service tickets it's pretty easy to 
configure both such that they're semantically equivalent; set the TTL on 
the cache entry to equal the absolute expiration period of a ticket. For 
ticket-granting tickets, on the other hand, you can implement more 
complex policies than that of a simple cache entry TTL. If you're using 
the default sliding expiration policy for TGTs, then you'd want the 
cache TTL to equal the maximum lifetime of a ticket. The sliding window 
should be substantially less than the maximum lifetime; for example 8h 
maximum and 2h sliding window.


M

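The post above describes two things that have to agree: the CAS ticket expiration policy and the TTL of the cache entry that holds the ticket. The example below is added here to make that concrete; it is constructed illustration code, not CAS code or its TicketGrantingTicketExpirationPolicy class. It models a sliding TGT policy (8h maximum, 2h idle window, the numbers from the post), an absolute ST policy, and a simulation that reports separately what the policy says and whether a cache entry with a given TTL would already have been evicted, so the mismatch when the cache TTL is set to the sliding window instead of the maximum lifetime becomes visible.

```python
from dataclasses import dataclass

HOUR = 3600.0


@dataclass
class Ticket:
    """Constructed stand-in for a CAS ticket: only the timestamps matter here."""
    ticket_id: str
    created_at: float
    last_used_at: float


class SlidingExpirationPolicy:
    """TGT-style policy: a ticket dies when it exceeds its maximum lifetime OR
    sits idle longer than the sliding window, whichever comes first."""

    def __init__(self, max_lifetime, idle_timeout):
        if idle_timeout >= max_lifetime:
            raise ValueError("sliding window must be shorter than the maximum lifetime")
        self.max_lifetime = max_lifetime
        self.idle_timeout = idle_timeout

    def is_expired(self, ticket, now):
        age = now - ticket.created_at
        idle = now - ticket.last_used_at
        return age > self.max_lifetime or idle > self.idle_timeout

    def cache_ttl(self):
        # The cache entry must outlive every ticket the policy could keep
        # alive, so its TTL equals the maximum lifetime, not the idle window.
        return self.max_lifetime


class AbsoluteExpirationPolicy:
    """ST-style policy: a fixed lifetime from creation, so the cache TTL and
    the policy are literally the same number."""

    def __init__(self, lifetime):
        self.lifetime = lifetime

    def is_expired(self, ticket, now):
        return now - ticket.created_at > self.lifetime

    def cache_ttl(self):
        return self.lifetime


def simulate(policy, cache_ttl, use_times, probe_time):
    """Create a ticket at t=0, replay uses in order (a use only refreshes the
    ticket if it is still alive at that moment) and report, at probe_time,
    (expired_by_policy, evicted_by_cache) for a cache entry with cache_ttl."""
    ticket = Ticket("TGT-constructed", created_at=0.0, last_used_at=0.0)
    for t in sorted(use_times):
        if t > probe_time:
            break
        if not policy.is_expired(ticket, t):
            ticket.last_used_at = t
    expired_by_policy = policy.is_expired(ticket, probe_time)
    evicted_by_cache = probe_time - ticket.created_at > cache_ttl
    return expired_by_policy, evicted_by_cache


# The numbers from the post: 8h maximum lifetime, 2h sliding window.
TGT_POLICY = SlidingExpirationPolicy(max_lifetime=8 * HOUR, idle_timeout=2 * HOUR)
ST_POLICY = AbsoluteExpirationPolicy(lifetime=10.0)

if __name__ == "__main__":
    hourly = [h * HOUR for h in range(1, 10)]
    print("TGT used hourly, probed at 7.5h:", simulate(TGT_POLICY, TGT_POLICY.cache_ttl(), hourly, 7.5 * HOUR))
    print("TGT used hourly, probed at 8.5h:", simulate(TGT_POLICY, TGT_POLICY.cache_ttl(), hourly, 8.5 * HOUR))
    print("cache TTL wrongly set to 2h, probed at 3h:", simulate(TGT_POLICY, 2 * HOUR, hourly, 3 * HOUR))
```

The last case is the one to watch for in a real deployment: an active user whose TGT the policy still considers valid has the entry evicted underneath it, which shows up as an unexplained forced re-login rather than an error.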


Re: [cas-user] fault-tolerant/redundant/HA CAS deployment

2013-08-08 Thread Marvin S. Addison

My (limited and possibly inaccurate) understanding of memcached,
specifically the client implementation for CAS, is that a particular key
is hashed, and based on the outcome of that, the client looks for it on
a specific node. So I'm not sure what good a copy of the data on another
node will do if the client doesn't know to look for it there?


That's absolutely correct. I suppose you could copy the downed node's 
data to _every_ other memcached host to ensure the data would be found, 
but that sounds absurd at face value.



Do you specifically pick the other node to transfer it to based on
calculating what the backup node hash would be for the failed node?


Hmm, I suppose that's possible, but it sounds non-trivial to implement. 
Unless there's a canned tool for such a thing that is aware of common 
memcached hashing algorithms, I would estimate development as 
challenging. On the other hand it sounds useful for extremely highly 
available deployments (most don't fall into that category).



in a failure mode, does the client actually try to do an initial read
from the backup node, or just write out new data to it?


Some operation has to occur to flag the node as failed; it can be either 
a read or write. As long as the node is flagged down, operations will 
happen on a backup node. All this provided you have failover enabled on 
the client.


M

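The thread above turns on one fact: a hashing memcached client consults exactly one node per key, so data copied to a node the hash order never selects is invisible. The model below is an added example, not the spymemcached client CAS uses or any real memcached code; the hash function, node names and key are constructed. It walks through the failure scenario discussed: the key's home node goes down, a copy placed on an arbitrary node is still a miss, a copy placed on the node the failover order picks next is found, and with failover disabled nothing helps.

```python
import hashlib


class Node:
    """Constructed stand-in for one memcached server."""

    def __init__(self, name):
        self.name = name
        self.store = {}
        self.up = True


class HashedClient:
    """Minimal model of a hashing memcached client: a key is hashed to one
    primary node; with failover enabled, the following nodes in ring order
    are tried only while the primary is flagged down."""

    def __init__(self, nodes, failover=True):
        self.nodes = nodes
        self.failover = failover

    def primary_index(self, key):
        # Illustrative hash; real clients use their own (ketama, FNV, ...).
        digest = hashlib.sha1(key.encode("utf-8")).digest()
        return int.from_bytes(digest[:4], "big") % len(self.nodes)

    def _candidates(self, key):
        n = len(self.nodes)
        start = self.primary_index(key)
        order = [self.nodes[(start + k) % n] for k in range(n)]
        return order if self.failover else order[:1]

    def get(self, key):
        # Exactly one node is consulted: the first candidate that is up.
        for node in self._candidates(key):
            if node.up:
                return node.store.get(key)
        return None

    def set(self, key, value):
        for node in self._candidates(key):
            if node.up:
                node.store[key] = value
                return node.name
        raise RuntimeError("no memcached node available")


def failure_scenario(key="TGT-constructed-example"):
    """What the client actually observes when the key's home node dies."""
    nodes = [Node("cas1"), Node("cas2"), Node("cas3")]
    client = HashedClient(nodes, failover=True)
    home_idx = client.primary_index(key)
    home = nodes[home_idx]
    backup = nodes[(home_idx + 1) % 3]      # where failover looks next
    elsewhere = nodes[(home_idx + 2) % 3]   # a node the hash order does not reach first

    client.set(key, "tgt-bytes")
    out = {"before_failure": client.get(key)}

    home.up = False
    out["miss_when_home_down"] = client.get(key)      # backup has nothing yet

    elsewhere.store[key] = "tgt-bytes"                # "copy the data somewhere"
    out["copy_on_wrong_node"] = client.get(key)       # still a miss

    backup.store[key] = "tgt-bytes"                   # copy where failover looks
    out["copy_on_backup_node"] = client.get(key)

    out["failover_disabled"] = HashedClient(nodes, failover=False).get(key)
    out["new_write_lands_on_backup"] = client.set(key, "tgt-bytes-v2") == backup.name
    return out


if __name__ == "__main__":
    for k, v in failure_scenario().items():
        print(f"{k}: {v!r}")
```

The "copy to the backup node" step is the non-trivial part the post estimates as challenging: to place the copy correctly you have to reproduce the client's exact hash and ring order, which is why copying to every other node or accepting re-login on node loss are the usual answers.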


Re: [cas-user] MemcacheTicketRegistry documentation question

2013-08-08 Thread Marvin S. Addison

I'm following the docs at
https://wiki.jasig.org/display/CASUM/MemcacheTicketRegistry to
implement a memcached ticket registry.


Check out the following:
http://jasig.github.io/cas/installation/Memcached-Ticket-Registry.html

Although that's targeted at CAS 4.0, the configuration for memcached 
components hasn't changed from 3.5.x.



2013-08-07 13:32:39,614 ERROR
[org.jasig.cas.web.init.SafeContextLoaderListener] -
SafeContextLoaderListener: The Spring ContextLoaderListener we wrap
threw on contextInitialized. But for our having caught this error,
the web application context would not have initialized.
org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException:
Line 39 in XML document from ServletContext resource
[/WEB-INF/spring-configuration/ticketRegistry.xml] is invalid; nested
exception is org.xml.sax.SAXParseException; lineNumber: 39;
columnNumber: 8; cvc-complex-type.2.3: Element 'bean' cannot have
character [children], because the type's content type is
element-only.


Reads like you've got malformed XML. Hopefully the documentation cited 
above will help. If you're still running into problems like above, post 
the file (redacted) and I'll take a look.


M



Re: [cas-user] Show of hands – clustering? Which backend?

2013-08-08 Thread Marvin S. Addison

I'm still reviewing the clustering options for CAS, I haven't been able
to get a feeling for how popular each option is.


There's enough consensus among long-time deployers to go with a 
cache-based backend that I'm going with simply recommending it outright 
for HA deployments:


http://jasig.github.io/cas/planning/High-Availability-Guide.html


If you are currently
clustering CAS, could I trouble you just to reply with which backend you
are using?


Memcached, no repcache. I went to a fair bit of trouble to justify why 
memcached alone is sufficient for most HA setups. Please read the 
following documentation, particularly the "High Availability 
Considerations" section:


http://jasig.github.io/cas/installation/Memcached-Ticket-Registry.html

M



Re: [cas-user] cas throttling

2013-07-26 Thread Marvin S. Addison

Hmm, it doesn't seem reasonable for an authentication system to not be
throttled. Any ideas on why it's not on by default?


I attempted to provide an explanation here:

http://jasig.github.io/cas/planning/Security-Guide.html#login_throttling

Short answer: in terms of security, throttling is best applied to 
back-end authentication stores directly. Use the CAS feature as a 
second-best approach. Keeping it off by default seems consistent with 
that advice.


M



Re: [cas-user] Permgen Error on Tomcat

2013-07-25 Thread Marvin S. Addison

Has anyone else seen such behavior?


See it all the time. The root cause is dangling object references that 
pin the parent class loader and all the classes it loaded on startup. 
For non-trivial apps that is typically a lot of data. Since class 
definitions are placed in the PermGen slot of the JVM, it quickly fills 
up on repeated Webapp deploys. Increasing PermGen size only delays the 
inevitable.


This comes up occasionally but it's genuinely a difficult problem. It is 
feasible to track down all the places where we might leak resources 
(e.g. thread locals) in CAS, but the problem is fairly intractable when 
considering the myriad libraries on which CAS depends. The Spring 
Framework and Hibernate are two huge dependencies; there are many 
others. It's easier to simply deploy CAS in a Tomcat instance by itself 
and restart the container as part of redeployment. I believe most CAS 
deployers do this; we certainly do.


M



Re: [cas-user] spammed by same email

2013-07-23 Thread Marvin S. Addison

It's bad that the users do not know how to behave properly as part of
a public list, but it's worse that it is tolerated.


Friendliness is a value of the CAS Community; tolerance is a natural 
outcome of that value. In most cases of list backscatter we remove the 
person and send a friendly note. Out-of-office automatic responses, 
which represent the vast majority of list spam, go directly to the 
poster. There is absolutely nothing we can do in that case.


This case was pretty extreme and my only regret was not acting sooner. 
I'll be moving to get admin privileges on the list software so that 
there will be one more active member who can take action when needed.


Apologies folks.

M



Re: [cas-user] spammed by same email

2013-07-23 Thread Marvin S. Addison

I currently get spammed by tons of emails with subject "AUTO: Zbynek
Vavros is prepared for DELETION (FREEZE)" from the cas-user list.

Can someone please stop this?


I've put in two requests already to email-ad...@lists.jasig.org to 
forcibly remove this user from the list. I haven't heard back yet, but 
if anyone has admin privs to do it (I do not), please jump in. We're in 
a bad way and need relief immediately. This is the worst I've ever seen.


M



Re: [cas-user] Is SNI supported ?

2013-07-10 Thread Marvin S. Addison

We configure our servers with SNI (Server Name Indication). It seems
that CAS 3.5.2 doesn't support it yet.


Has nothing to do with CAS. It's supported at the TLS protocol stack 
level, which is provided by the Sun JSSE stack by default. The JSSE that 
ships as part of the Java 7 SDK appears to support it:


http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html

Also, there was a recent update to the SSL reference docs on the wiki 
that mentioned SNI:


https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide

Hope that helps,
M




Re: [cas-user] closing your browser message

2013-07-09 Thread Marvin S. Addison

It was suggested on the shib-users mailing list that we should change
cookie expiration policies from "expires at end of session" to "expires
at time XYZ". At least browsers will honor a time-based expiration, for
now!


Thanks for sharing this. Sounds like something we should investigate. 
Created issue to track:


https://issues.jasig.org/browse/CAS-1324

M



Re: [cas-user] closing your browser message

2013-07-09 Thread Marvin S. Addison

Andrew Petro suggested either

1) Changing the message to tell users to logoff from the OS or lock screen
when they want to leave their seats.

2) A coronal mass ejection


Big +1 for #2. One question though, how do we order up those on demand? 
Wait, send me the answer privately. I'm pretty sure we have a golden 
business opportunity here ;)


M



[cas-user] Announcing CAS 4.0.0-RC1

2013-07-08 Thread Marvin S. Addison
CAS 4.0.0 release candidate #1 is available for testing and evaluation. 
We heartily encourage early adopters to grab this release from Maven 
Central, integrate into your environment, and provide feedback.


Notable features of CAS 4:

* Framework for multi-factor authentication
* Improved protocol support (OAuth, CASv3)
* Improved password expiration support

The work-in-progress documentation for CAS 4 is available at 
http://jasig.github.io/cas/.


Best,
Marvin



Re: [cas-user] ehCache, heap, timeouts?

2013-07-08 Thread Marvin S. Addison

are you running memcache plain on each of the three nodes?


Yes, one on each CAS node, no repcache. I am working to dispel the 
notion that repcache is required or even beneficial for 
MemCacheTicketRegistry. See the discussion here for more info:


http://jasig.github.io/cas/installation/Memcached-Ticket-Registry.html


Is your ticketRegistry configured then to refer to all three
nodes, such that in a load balanced situation, server 3 would be able
to read a ticket in server 1's cache?


Yes, and that is the recommended architecture.


Also just to be clear, in case I have the quartz scheduler still
running -- I don't need it, correct? ehCache should be removing
objects on its own?


Correct, you do not need TicketCleaner for cache-based registries that 
have a natural notion of entry expiration.


M



Re: [cas-user] Why is proxying so complicated?

2013-07-05 Thread Marvin S. Addison

Can you give an example of what you mean with "various policies"?


The CAS service manager ships with the ability to explicitly deny
proxy capability to registered services. We make healthy use of this
feature at Virginia Tech. I'm sure I could invent additional policies
if pressed.


IIUC you control CAS, but you don't control the implementation of the
registered services, right?


In practice you control both, since registered service components are 
part of the CAS server. In order to implement additional proxy 
authentication controls, one strategy would be to add additional 
registered service metadata that is enforced by other CAS components.


M



Re: [cas-user] single sign out - register during the validation stage?

2013-07-05 Thread Marvin S. Addison

In detail, we ran into a sign-out problem when the business
application is clustered behind a load balancer:
http://comments.gmane.org/gmane.comp.java.jasig.cas.devel/1495


Note we will ship rudimentary support for front-channel single sign-out
in CAS 4:

https://issues.jasig.org/browse/CAS-1292


My code changes are:

1) When the business machine validates a ServiceTicket
(Cas20ProxyReceivingTicketValidationFilter) it sends an extra custom
parameter, representing the internal IP of this business machine



2) When CAS server receives such validation request, it keeps track
of this internal IP (in some data structure that associates it with the
Service Ticket)



3) When logout occurs, a notification is sent to those registered IPs
(in CAS HttpClient)


Sounds reasonable. Keep in mind that you will get hostname verification
failures sending requests to https endpoints by IP address without
special handling.

M



Re: [cas-user] EhCache sync & service ticket doesn't exist

2013-07-05 Thread Marvin S. Addison

We have two nodes who are running CAS server 3.5.1 and EhCache 2.6.

One node creates the serviceTicket and the second node attempts to validate the 
ST.

I can see in the logs that the second node receives the ST via RMI but 
CentralAuthenticationServiceImpl said that the ST does not exist.


I see you're using RMISynchronousCacheReplicator for the service ticket 
cache, which I would expect to guarantee synchronous replication (i.e. 
ticket creation blocks until synchronization completes successfully). I 
wonder if the ticket is expiring prior to validation. Have you tested 
increasing the service ticket expiration timeout? If that doesn't help, 
then I would imagine it's an Ehcache configuration issue for which 
you'll get better support on the Ehcache forums. Please follow up here 
if/when you figure it out.


M



Re: [cas-user] Why is proxying so complicated?

2013-07-05 Thread Marvin S. Addison

and start to slowly understand how proxying works, but I still don't
understand why it has to be so complicated?


Andrew Petro is our resident expert on proxying, so I'm sure he could 
provide a thoughtful answer. I'll take a shot, though, for what it's worth.



Why isn't it possible to forward the service ticket to another
application and allow this other application to validate this service
ticket a second (or third or ...) time?


Because we want CAS to broker the interaction between proxy requestor 
and proxy consumer. With CAS in the middle we have the opportunity to 
enforce various policies with regard to proxy chaining. In your example 
there's no explicit control over who handles the proxy ticket and no 
trusted authority to document the handlers. CAS acts as a broker to control 
and record those interactions so, if proxying is allowed by policy, 
clients can trust the proxy chain and choose to accept or deny it.


M

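Both "Why is proxying so complicated?" replies above describe the same two controls: on the server, the registered-service metadata that can deny proxying outright, and on the client, the recorded proxy chain in the validation response that a service can accept or reject. The example below is added here to show both sides in working code; it is not CAS server or Java CAS client code. The XML samples are constructed in the CAS 2.0 serviceValidate/proxyValidate response format with placeholder hostnames, the registered-service table is constructed, and the client-side policy is modeled on the acceptAnyProxy / allowedProxyChains settings of the Java client's Cas20ProxyReceivingTicketValidationFilter rather than taken from it.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample responses; hostnames are placeholders.
PROXIED_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jsmith</cas:user>
    <cas:proxies>
      <cas:proxy>https://portal.example.edu/pgtCallback</cas:proxy>
      <cas:proxy>https://gateway.example.edu/pgtCallback</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

DIRECT_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>jsmith</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILED_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_validation_response(xml_text):
    """Pull user and proxy chain out of a CAS 2.0 validation response."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        return {"success": False,
                "code": failure.get("code") if failure is not None else None}
    # The first <cas:proxy> is the most recent proxy in the chain.
    proxies = [p.text.strip() for p in success.findall("cas:proxies/cas:proxy", CAS_NS)]
    return {"success": True,
            "user": success.findtext("cas:user", namespaces=CAS_NS),
            "proxies": proxies}


def proxy_chain_allowed(chain, allowed_chains, accept_any=False):
    """Client-side policy over the chain CAS recorded: a direct ticket is
    always fine; a proxied one must match a configured chain exactly unless
    the client was told to accept any proxy."""
    if not chain:
        return True
    if accept_any:
        return True
    return tuple(chain) in {tuple(c) for c in allowed_chains}


def validate(xml_text, allowed_chains=(), accept_any=False):
    result = parse_validation_response(xml_text)
    if result["success"]:
        result["accepted"] = proxy_chain_allowed(result["proxies"], allowed_chains, accept_any)
    return result


# Server side: constructed registered-service metadata carrying the
# per-service "allowed to proxy" flag the service manager exposes.
REGISTERED_SERVICES = {
    "https://portal.example.edu/": {"allowedToProxy": True},
    "https://kiosk.example.edu/": {"allowedToProxy": False},
}


def may_obtain_pgt(service_url):
    """CAS-side check before a proxy-granting ticket is issued to a service."""
    for prefix, meta in REGISTERED_SERVICES.items():
        if service_url.startswith(prefix):
            return meta["allowedToProxy"]
    return False  # unregistered services get nothing


if __name__ == "__main__":
    print(validate(PROXIED_RESPONSE))
    print(validate(PROXIED_RESPONSE, allowed_chains=[[
        "https://portal.example.edu/pgtCallback",
        "https://gateway.example.edu/pgtCallback"]]))
    print(may_obtain_pgt("https://kiosk.example.edu/app"))
```

Note the default: a client with no configured chains rejects every proxied ticket, which is the safe posture the post argues for. Forwarding a raw service ticket between applications, as the original question proposed, would leave nothing for either check to act on.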


Re: [cas-user] service management in 3.5.2

2013-07-05 Thread Marvin S. Addison

I've recently upgraded to 3.5.2 (from 3.5.0) and am having trouble
accessing the service management page.
I get "There was an error trying to complete your request. Please notify
your support desk or try again."

While trying to debug it I get these on the cas.log


I see no error or stack trace. There should be a trace somewhere. Check 
catalina.out and the localhost log if you're running Tomcat. Post the 
stack trace when you find it.


M



Re: [cas-user] ehCache, heap, timeouts?

2013-07-03 Thread Marvin S. Addison

We are currently running a three node cluster with ehcache configured
to replicate to the other two nodes in the cluster. Going
memcache/repcache would put us in a 2 node cluster?


Not necessarily. The determining factor is the total amount of memory 
needed to store all ticket-granting and service tickets. The steady 
state number of service tickets is relatively low compared to 
ticket-granting tickets due to their typical short lifetime.


I encourage you to do some planning and testing, but our numbers may be 
helpful to start. We run memcached on each of our 3 CAS nodes with 256M 
allocated. Right now, one of our nodes is running 46M resident and ~400M 
virtual with about 3000 tickets (ST+TGT). I'm pretty sure most CAS 
deployments could live happily inside 512G memory inside one or two 
memcached nodes using the Kryo-based transcoder, which we use.


I took some time over the past several days to improve the memcached 
documentation for CAS 4, which I believe you'll find helpful:


http://jasig.github.io/cas/installation/Configuring-Ticketing-Components.html#memcached


I have adjusted the heap in jetty (ehCache in production) to 2G now
and we have been watching the memory usage over the last couple days.
I did notice a bit of a spike which I attached a gif of.


In working on the ticket registry docs for CAS 4, I realized that our 
Ehcache example was not configured for disk overflow. Have you 
configured that? I imagine it would be helpful for your situation. I 
would definitely investigate that before jumping ship yet again.


M



Re: [cas-user] Maintaining a single session only and invalidate any old session on new session created using the same userid

2013-07-02 Thread Marvin S. Addison

I am wondering whether is there any mechanism in CAS, to be able to
Maintain a single session only at any point of time.


CAS provides no support for this feature out of the box, though you 
could theoretically extend CAS with this functionality. The core 
obstacle is that there is no facility to query for tickets by username; 
you would need to build that. Iterating over all tickets and checking 
for a match is O(n)/2 on average, which would likely incur unacceptable 
performance penalty. You could of course create your own TicketRegistry 
component that provided this mapping. You would then customize the login 
webflow to look for tickets by username and end the CAS session of any 
older sessions that match before creating a new session.


In order to develop this functionality you should be proficient in Java 
and familiar with the Spring Framework and Spring Webflow.


M

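The reply above sketches the missing piece for a single-session policy: a ticket registry that can find tickets by username without scanning every ticket, plus a login step that ends the older sessions before issuing a new one. The code below is an added illustration of that design, not CAS code and not a drop-in TicketRegistry implementation; the in-memory registry, the username index and the login function are all constructed here. scan_by_user is included only to show the O(n) walk the post warns against beside the indexed lookup.

```python
import itertools


class IndexedTicketRegistry:
    """Constructed in-memory registry that keeps a secondary index from
    username to ticket-granting ticket ids, so lookup by user is a dict hit
    instead of a walk over every ticket."""

    def __init__(self):
        self._tickets = {}   # tgt_id -> {"username": ...}
        self._by_user = {}   # username -> set of tgt ids
        self._seq = itertools.count(1)

    def add(self, username):
        tgt_id = f"TGT-{next(self._seq)}-constructed"
        self._tickets[tgt_id] = {"username": username}
        self._by_user.setdefault(username, set()).add(tgt_id)
        return tgt_id

    def find_by_user(self, username):
        return set(self._by_user.get(username, ()))

    def delete(self, tgt_id):
        record = self._tickets.pop(tgt_id, None)
        if record is None:
            return False
        ids = self._by_user[record["username"]]
        ids.discard(tgt_id)
        if not ids:
            del self._by_user[record["username"]]
        return True

    def count(self):
        return len(self._tickets)


def scan_by_user(registry, username):
    """The O(n) alternative: walk every ticket and compare usernames."""
    return {tid for tid, rec in registry._tickets.items() if rec["username"] == username}


def login(registry, username, single_session=True):
    """Webflow step modelled on the post: end any older CAS session for this
    user, then create the new TGT. Returns (new_tgt_id, ended_tgt_ids)."""
    ended = []
    if single_session:
        for old in sorted(registry.find_by_user(username)):
            registry.delete(old)
            ended.append(old)
    return registry.add(username), ended


if __name__ == "__main__":
    reg = IndexedTicketRegistry()
    first, _ = login(reg, "alice")
    second, ended = login(reg, "alice")
    print(f"alice's second login ended {ended}; live tickets: {reg.find_by_user('alice')}")
```

Ending the old TGT here only removes it from the registry; in a real deployment the same step would also have to trigger single sign-out for the services that old session had logged into, which is a separate piece of work.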


Re: [cas-user] logging CAS activities

2013-07-02 Thread Marvin S. Addison

Hi, I am new to CAS. I want to find where I can find log files of CAS 
activities. I cannot find any log file under /webapps/cas/WEB-INF folder. 
Should I turn it on somewhere?


By default the cas.log file is written to the current working directory 
of the Java process in which the servlet container (i.e. Tomcat) is 
running. If you start the container with a startup script manually from 
the command line, the log file should be placed in the current directory 
where the command was issued. If you're launching it from a service 
control script, it would be platform specific.


You can tune the location of cas.log by modifying the 
/WEB-INF/classes/log4j.xml configuration file. See 
https://wiki.jasig.org/display/CASUM/Logging.


M



Re: [cas-user] CAS logout ERROR

2013-07-02 Thread Marvin S. Addison



2013-07-02 11:30:45.228 WARN  [HttpClient] - Error Sending message to
url endpoint
[https://wqabfi12s:8065/issuer-bo/boe_acc;jsessionid=B54ABFB12058C257A089B295729ACAE9.233BD0C23123809224].
Error is [java.security.cert.CertificateException: No name matching
wqabfi12s found]


Note the sign out URL does not contain the fully-qualified DNS name. I
would imagine the SSL certificate on that host has the FQDN as the
certificate CN, which is most common. Java is very particular about
enforcing that the CN matches the DNS name, which is likely the root
cause of that error. Use fully-qualified hostnames when accessing
CAS-enabled services to avoid this error.

M
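The hostname check behind that CertificateException, as an added Python example rather than code from CAS or the poster: a TLS client matches the name it connected with against the certificate's subjectAltName dNSNames (or, failing those, the subject CN), so a short host name can never match a certificate issued to the fully-qualified name. The certificate names and the example.edu hosts are constructed; only the short host "wqabfi12s" and the URL path come from the log line.

```python
"""Hostname verification as a TLS client (Java's HostnameChecker included)
applies it: the name used to reach the server must match a certificate name.

Added example, not CAS or poster code. Certificate names and FQDNs are
constructed; only the short host name "wqabfi12s" appears in the post.
"""
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname: case-insensitive,
    exact unless the pattern's leftmost label is a lone wildcard, and a
    wildcard covers exactly one label (RFC 6125 rules)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject "*", "*.edu", "f*.example.edu" and any second wildcard.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, subject_cn: Optional[str],
                     san_dns_names: Iterable[str] = ()) -> Tuple[bool, str]:
    """Return (ok, reason). If the certificate carries dNSName entries in
    subjectAltName they are authoritative and the CN is not consulted;
    otherwise the subject CN is the only name checked."""
    sans = list(san_dns_names)
    candidates = sans if sans else ([subject_cn] if subject_cn else [])
    source = "subjectAltName" if sans else "subject CN"
    for name in candidates:
        if _name_matches(name, hostname):
            return True, f"{hostname} matches {source} {name}"
    # Same wording as the java.security.cert.CertificateException in the log.
    return False, f"No name matching {hostname} found ({source}: {candidates})"


# Constructed identity of the service host: the certificate names the FQDN.
CERT_CN = "wqabfi12s.example.edu"         # constructed
CERT_SAN_DNS = ["wqabfi12s.example.edu"]  # constructed


def check_logout_url(url: str) -> Tuple[bool, str]:
    """Check the host in a single-logout callback URL against that certificate;
    this is the back-channel call the CAS server makes at logout."""
    host = urlsplit(url).hostname or ""
    return hostname_matches(host, CERT_CN, CERT_SAN_DNS)


if __name__ == "__main__":
    for url in ("https://wqabfi12s:8065/issuer-bo/boe_acc",
                "https://wqabfi12s.example.edu:8065/issuer-bo/boe_acc"):
        ok, why = check_logout_url(url)
        print("OK  " if ok else "FAIL", url, "-", why)
```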



Re: [cas-user] Problem with Active Directory CAS auth ("Unprocessed continuation reference")

2013-06-25 Thread Marvin S. Addison

I'm not clear on this though... Don't I want
ignorePartialResultException to be true so I do ignore it?


Apologies, that was a glaring typo. Indeed, you want the value to be 
true. Sorry for the confusion.



I don't understand what is happening in the log though. The first thing
it says is that it is performing an LDAP bind for my user's DN
("Performing LDAP bind with credential:
CN=chauvetp,OU=npuser,DC=active,DC=newpaltz,DC=edu"). Then it says I'm
successfully authenticated
"org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully
authenticated the user which provided the following credentials:
[username: chauvetp]".


Ah, this is enlightening. It indicates that your handler configuration 
with p:ignorePartialResultException="true" is fine. It's likely your 
CredentialToPrincipalResolver that's causing problems. Unfortunately, 
there is no way to configure CredentialsToLDAPAttributePrincipalResolver 
to ignore partial result exceptions. You could easily extend it, though, 
to provide a setter for the underlying ldapTemplate, and then pass in an 
LdapTemplate [1] configured with ignorePartialResultException="true".


Hope that helps,
M

[1] 
http://static.springsource.org/spring-ldap/site/apidocs/org/springframework/ldap/core/LdapTemplate.html




Re: [cas-user] Problem with Active Directory CAS auth ("Unprocessed continuation reference")

2013-06-25 Thread Marvin S. Addison

My goal, if possible is to ignore and not chase referrals if at all
possible.


I must admit we don't provide very good referral handling. Typically you 
want to discard referrals and not even include them in the result set. 
Unfortunately that is not possible via JNDI environment parameters or 
via Spring LDAP. The ignorePartialResultException flag simply causes the 
PartialResultException to be swallowed when it occurs on reading the 
_first_ referral result out of a NamingEnumeration; it's the behavior 
that's closest to ignoring referrals altogether. But it's not the same. 
You have to assume that referrals come _after_ meaningful results, which 
is safe in practice but certainly not guaranteed by either Microsoft or 
the LDAP protocol. Under that assumption dropping referrals is the same 
as ignoring the exception, but it's worth noting the assumption because 
it may not hold in all cases.


Setting p:ignorePartialResultException="false" on the context source 
used for the search operation should be sufficient. Post your 
BindLdapAuthenticationHandler bean config, logs at DEBUG, and stack 
trace if you continue to have trouble.



Is there a filter of some sort I can use? Something different I can do
when searching?


Search the GC, as recommended earlier. It doesn't return referrals.

M



Re: [cas-user] Inspektr single-line audit

2013-06-24 Thread Marvin S. Addison

Enough interest to file tickets (1) encouraging promotion to 1.0.8.GA
and (2) integrating into CAS 4.0?


Sounds beneficial, but fwiw we just wrote our own formatter. It was
trivially easy and allowed greater control over the output (server and
audit source fields are invariant and implied, so we dropped them). I
can imagine, though, the formatter that ships with latest Inspektr is
good enough for most folks.

M



Re: [cas-user] Office 365, SAML2.0 and CAS

2013-06-20 Thread Marvin S. Addison

We've gone the O365 <-> ADFS <-> Shib <-> CAS route and although it can
be a bit of work to get configured, I think it's the best of both worlds
- full compatibility with Microsoft applications (including all the
desktop clients) through ADFS and compatibility with other Shibboleth
institutions (InCommon, etc). Here's some tips to get everything working
together - if you'd like more details let me know.


Thanks for sharing these details, Eric. I've been personally curious how 
you did things, and I'm sure other folks will benefit from the 
implementation sketch as well.


Best,
M



Re: [cas-user] HttpOnly cookie flag

2013-06-19 Thread Marvin S. Addison

Security hat on. Curious, any technical reason why the current CAS
server (3.5.x) does not appear to use HttpOnly on its CASTGC cookie?


This has nothing to do with CAS per se but the servlet spec level we're 
targeting. I believe we're officially 2.5 or 2.6, which doesn't support 
that flag [1].



Will it be available/implemented/as an option in 4.0?


I think it would be wise to consider. Targeting servlet 3.0 is JEE6, I 
believe, which supports HttpOnly [2]. Could you file a Jira issue?


Thanks,
M
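A check for the point raised above, as an added Python example (not CAS code): audit the Set-Cookie headers a CAS server returns and flag a CASTGC cookie that lacks HttpOnly or Secure. The header values are constructed; Servlet 2.5's Cookie class has no setHttpOnly (it arrived in Servlet 3.0), so a server built against 2.5 only emits the attribute if it writes the header itself with HttpServletResponse#addHeader.

```python
"""Audit the Set-Cookie headers of a CAS login response for the attributes the
ticket-granting cookie (CASTGC) should carry.

Added example, not CAS code. Header values are constructed; only the cookie
name CASTGC comes from the post.
"""
from typing import Dict, List, Sequence, Tuple


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, attributes). Attribute
    names are case-insensitive, so they are keyed in lower case; flag
    attributes such as Secure and HttpOnly map to an empty string."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if attr:
            key, _, value = attr.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(header_value: str) -> Tuple[str, List[str]]:
    """Return (cookie name, findings) for one Set-Cookie header."""
    name, attrs = parse_set_cookie(header_value)
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie by any script on the page")
    if "secure" not in attrs:
        findings.append("missing Secure: the browser would also send it over plain HTTP")
    return name, findings


def audit_session_cookies(set_cookie_headers: Sequence[str],
                          names: Sequence[str] = ("CASTGC",)) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header in a response, reporting only the cookies
    whose names are listed (by default the CAS ticket-granting cookie)."""
    report: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        name, findings = audit_cookie(header)
        if name in names:
            report[name] = findings
    return report


# Constructed responses. The first is what Cookie#setSecure() alone yields on a
# Servlet 2.5 container; the second carries HttpOnly as well, whether set via
# Servlet 3.0 Cookie#setHttpOnly or a hand-built header on an older container.
SERVLET25_RESPONSE = [
    "JSESSIONID=constructed1234; Path=/cas",
    "CASTGC=TGT-1-constructed; Path=/cas; Secure",
]
HARDENED_RESPONSE = [
    "JSESSIONID=constructed1234; Path=/cas; HttpOnly",
    "CASTGC=TGT-1-constructed; Path=/cas; Secure; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("servlet 2.5", SERVLET25_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_session_cookies(headers))
```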

[1] http://docs.oracle.com/javaee/5/api/javax/servlet/http/Cookie.html
[2] http://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html



Re: [cas-user] Message in catalina.out

2013-06-17 Thread Marvin S. Addison

Jun 17, 2013 10:43:58 AM org.apache.catalina.tribes.io.XByteBuffer append
SEVERE: Discarded the package, invalid header


The above is the only abnormal message I see and it's not related to 
CAS. Looks like you're doing Tomcat clustering with the Tribes 
components and it's reporting a rejected message due to bad header.


M



Re: [cas-user] Office 365, SAML2.0 and CAS

2013-06-17 Thread Marvin S. Addison

Is there any documentation about the configuration you described? I've
never worked with Shibboleth, ADFS, or O365.


I'm not aware of any, but I honestly haven't looked very hard. We 
abandoned the integration effort I mentioned before we got to the point 
of developing a detailed implementation plan. I am aware that there are 
folks in the CAS community that have done this (USF), so maybe they can 
speak up.


M



Re: [cas-user] Office 365, SAML2.0 and CAS

2013-06-17 Thread Marvin S. Addison

Has anyone ever used CAS 3.5.x to federate authentication for Office
365? My integration team is telling me that they have to use SAML 2.0
for Office 365.


I don't know if anyone has tried to use the SAML 2.0 support in CAS for 
O365 integration. In the cases I'm aware of (including plans we drew up 
ourselves), folks front Shib with CAS and do the following:


CAS <-> Shib <-> ADFS <-> O365

I believe you may be able to cut out ADFS, but it's likely less 
documented and a less well-trod path generally.


M



Re: [cas-user] CAS and AD politics

2013-06-14 Thread Marvin S. Addison

I am using CAS 3.5.1 and Active Directory. I would like to show a message
like:

screen.blocked.header=Access Denied
screen.blocked.message=You've entered the wrong password for the user
too many times.  You've been throttled.
screen.warnpass.heading.today=Your password expires today!
screen.warnpass.heading.tomorrow=Your password expires tomorrow!
screen.warnpass.heading.other=Your password expires in {0} days.
screen.warnpass.message.line1=Please change your
password now.
screen.warnpass.message.line2=You will be redirected to your application automatically in 10 seconds.

How can I enable this?


See https://wiki.jasig.org/pages/viewpage.action?pageId=26149328

M



Re: [cas-user] Config JASIG CAS to work with SAML (Zendesk)

2013-06-14 Thread Marvin S. Addison

We asked Zendesk support and the answer is because the assertion being
sent from your SAML server isn't formatted correctly.


We would need a more specific description of why the assertion is not 
formatted correctly to provide further assistance.


M



Re: [cas-user] CAS 4.0 ....

2013-06-13 Thread Marvin S. Addison

When will CAS 4.0 GA version become available?


Timeline here (subject to change):

https://wiki.jasig.org/display/CAS/CAS+Roadmap#CASRoadmap-CAS4.0MAJORRelease


Also is there a 4.0 release candidate available for download?


We missed our Monday, June 10 target date, but should cut an RC in next 
10 days. We'll post an announcement on this mailing list, so keep on the 
lookout.


M



Re: [cas-user] Log rolling

2013-06-13 Thread Marvin S. Addison

I didn't go with DailyRollingFileAppender because of a comment in its
source recommending against using it for new deployments (some kind
of bug that loses log entries). The rolling.RollingFileAppender is
supposed to be an improvement.


Huh, news to me. We've used that component for every log4j-based
enterprise Java app we've deployed in the past 7 years and haven't had 
any issues with data loss or corruption. In any case I would appreciate 
your sharing a working roll+compress configuration if/when you get it 
working. I'm always looking for ways to improve and simplify operations, 
and getting rid of a cron job would be one less thing to manage.


Thanks,
M



Re: [cas-user] Log rolling

2013-06-13 Thread Marvin S. Addison

 
 
 
 
 
 
 
 
 
 


From the config above looks like you're trying to roll and compress in 
one shot, which I've never seen done. DailyRollingFileAppender works 
splendidly for rolling files on day boundaries:


  
  




  


  

We use an external cron job to compress logs older than 48h.

M



Re: [cas-user] Access Governing

2013-06-12 Thread Marvin S. Addison

One of our needs is access
governing, that is, CAS controls who can and who cannot SSO to any of
our apps based on the users' role (faculty, staff and student) in the
institution.


CAS does not support centralized authorization policy. The model it 
supports out of the box is to release metadata about a user from the 
authentication system of record, and it is the responsibility of the 
relying party (CAS client) to enforce security policy based on that 
information. That said you could implement centralized access control by 
extending the ServiceRegistry component. Indeed, I believe such a system 
has been implemented by at least one member of the CAS community. (I 
recall Unicon did something of this sort for a school; maybe one of 
those folks can speak up with more info.)


M



Re: [cas-user] MySQL Authentication

2013-06-12 Thread Marvin S. Addison

We are running CAS with MySQL as the backend. How can CAS be configured
to check the AccountEnabled field in the database and return a warning
to the user if their account has been disabled? I can see these options
available for LDAP but would like to know if similar functionality is
included within CAS for MySQL.


We are working to provide support for this at the API layer for CAS 4.0, 
but there will be no support for that particular feature of MySQL out of 
the box.



Can anyone advise me on how to proceed?


The basic sketch is to extend QueryDatabaseAuthenticationHandler or 
SearchModeSearchDatabaseAuthenticationHandler to query that field and 
construct a suitable Message object that would be placed in the 
HandlerResult returned from AuthenticationHandler#authenticate(). The 
HandlerResult is preserved all the way back up the authentication API 
stack such that the WebFlow layer could react to it. Some source links 
to API components for review (in top-down order):


https://github.com/Jasig/cas/blob/feature-new-authn-api/cas-server-core/src/main/java/org/jasig/cas/authentication/AuthenticationManager.java
https://github.com/Jasig/cas/blob/feature-new-authn-api/cas-server-core/src/main/java/org/jasig/cas/authentication/Authentication.java
https://github.com/Jasig/cas/blob/feature-new-authn-api/cas-server-core/src/main/java/org/jasig/cas/authentication/AuthenticationHandler.java
https://github.com/Jasig/cas/blob/feature-new-authn-api/cas-server-core/src/main/java/org/jasig/cas/authentication/HandlerResult.java
https://github.com/Jasig/cas/blob/feature-new-authn-api/cas-server-core/src/main/java/org/jasig/cas/Message.java

I would encourage you to subscribe to cas-dev to follow the discussion 
about the new authentication API changes and CAS 4.0 development progress.


M



Re: [cas-user] {cas-usr} building from ground up

2013-06-11 Thread Marvin S. Addison

I haven’t even got CAS 3.5.1 installed yet….

I’m building my tomcat and am trying to follow the apache.org steps by
having downloaded and installed the JDK version 6u45 first.


Why are you building Tomcat from source? In my experience it's fairly 
tedious to build (at least from svn source due to copious use of svn 
externals) and in my experience the binary builds are entirely 
sufficient. Just trying to save you the headache of satisfying the Ant 
dependency and other headaches related to building Tomcat. You don't 
need Ant at all to build CAS using the Maven WAR Overlay process.


M



Re: [cas-user] OutOfMemoryError running CAS 3.5.2 via Jetty

2013-06-06 Thread Marvin S. Addison

We are experiencing OutOfMemoryErrors with CAS running. This error that
I am including the trace of occurred within 8 hours of the service
startup which we are bouncing nightly at 4AM due to these memory issues.

Our hunch is that it has to do with the EhCache module but this is
currently only speculation.


What evidence do you have for Ehcache? I don't see anything in the 
thread dump that suggests a problem there. In cases like these we 
typically enable the YourKit agent and capture periodic snapshots and 
then analyze them offline. If you've got a resource leak, that should 
help you find it. If you don't have access to YourKit, then the built-in 
JVM tool jmap can be used as a poor man's alternative.


M



Re: [cas-user] CAS 3.4.10 LDAP authentication issues

2013-06-06 Thread Marvin S. Addison

I'm pointing our CAS to a new test server, running OpenLDAP 2.4. When I
enter an incorrect password, I get the message "CAS is Unavailable". If
I point it back to the old server, it's fine.


Very odd. There should be a stack trace in whatever log captures STDOUT 
for your servlet, which is catalina.out by default on Tomcat. Post the 
stack trace when you find it.


M



Re: [cas-user] LDAP StartTLS?

2013-06-06 Thread Marvin S. Addison

Looking into LDAP authN for CAS. On first read, the Spring
LdapContextSource (hence CAS) looks _not_ to support StartTLS.
Correct?


No, that is not correct. You can leverage Spring
ExternalTlsDirContextAuthenticationStrategy to inject an
SSLSocketFactory that handles startTLS. Here's a configuration snippet:

  

  

  

  

  

LdapTLSSocketFactory is a vt-ldap component, but there's a similar one
in ldaptive.

If you want to use ldaptive instead of Spring LDAP you could wait for
CAS 4.0 (which uses it natively) or check out
https://github.com/serac/cas-server-integration-ldaptive.

M



Re: [cas-user] Apache alone or with tomcat?

2013-06-06 Thread Marvin S. Addison

We are using Apache http server as a web proxy.
We want to use CAS to authenticate users to the proxy.


CAS authentication requires a CAS server. You seem to be implying you 
will be protecting one and only one logical application with CAS, which 
is an uncommon use case for CAS. If you want single sign on across 
multiple nodes of a single logical application, the Tomcat SSO valve 
might meet your needs.



Can we just use apache mod_auth_cas by itself, do we need tomcat as well?


A CAS server is required running on a suitable servlet container; Tomcat 
meets that requirement. In the sense that Tomcat is a servlet container 
it's required. You would run mod_auth_cas as an Apache module that 
communicates with the CAS server. Note this could all run on one box, 
but as I said it seems hardly worth it for a single Web application.



What exactly is the CAS Server?


It's a Web SSO solution. Some helpful links in order of general to specific:

http://en.wikipedia.org/wiki/Single_sign-on
http://www.jasig.org/cas/about
http://www.jasig.org/cas/protocol

M



Re: [cas-user] Error accessing "Service Admin Console" with web browser.

2013-06-05 Thread Marvin S. Addison

2013-06-05 13:57:44,185 ERROR
[org.springframework.web.servlet.tags.MessageTag] - javax.servlet.jsp.JspTagException: No message
found under code
'management.services.status.evaluationOrder.notupdated' for locale
'es_ES'.


I've confirmed that message is missing from the file in 3.5.2, but it
has been added to master. If you're using the Maven WAR Overlay
deployment method, you could pull the latest file from master and put it
in your overlay:

https://raw.github.com/Jasig/cas/master/cas-server-webapp/src/main/resources/messages_es.properties

M



Re: [cas-user] How to download the latest stable cas-client and all its dependencies?

2013-06-05 Thread Marvin S. Addison

How do I get cas-client 3.2.1 (or whatever the latest stable version
is) and its dependencies?


If you don't use a build tool to automatically manage dependencies, then 
the only alternative is to manually retrieve them from Maven Central (or 
some other suitable source). Fortunately http://search.maven.org/ makes 
it pretty easy. I would recommend you get the source and run mvn 
dependency:list, then you'll have a definitive list of dependencies to 
work from.


M



Re: [cas-user] .NET CAS Client Attributes & ClearPass

2013-06-04 Thread Marvin S. Addison

I don’t think you
can get a Proxy ticket and get attribute release from Saml11. The new
CAS 3.0 protocol, which I think is slated for CAS Server v4.0, should
allow you to do both.


Just wanted to confirm this is correct in terms of supported features. 
There is a poorly documented hack you can apply to add an  
element to the CAS protocol 2.0 XML response (that is supported by the 
official Jasig clients); you can search the list archives for that. 
Hopefully with the CAS 3.0 protocol, which should be supported by CAS 
4.0, you can meet your requirements out of the box. The target release 
date for CAS 4.0 is this summer; RC1 target is next Monday.


M



Re: [cas-user] Running CAS with Java security manager

2013-05-24 Thread Marvin S. Addison

That's the Inspektr stats log. I didn't see anything offhand in the
CAS distribution, so before I go lose myself in policy files (1) is
the CAS server 'supported' running under the security manager, (2)
anyone run it this way in production, (3) if so, is a sample policy
file available?


I have not tried, but it's almost certainly not feasible if possible. 
There would be so many permissions needed from IO to runtime code access 
that the security policy you would need would be so full of holes that 
you could drive a truck through. I have some experience trying to 
develop a security policy for an even larger enterprise app and it was 
simply not feasible. The takeaway is that applications should be assumed 
incompatible with the Java security manager unless they are explicitly 
designed for support, which comes at substantial cost (time, development 
effort, support cost, headaches).


M



Re: [cas-user] Having some trouble connecting with Oracle

2013-05-24 Thread Marvin S. Addison

I'm receiving this error:
Caused by: java.lang.NoSuchMethodError:
org.hibernate.internal.SessionFactoryImpl.withOptions()Lorg/hibernate/engine/spi/SessionBuilderImplementor;


NoSuchMethodError is typically caused by version mismatch. Can you post 
the output of mvn dependency:list for your overlay project? That should 
help identify sources of mixed versions.


M



Re: [cas-user] Changes not saving in Services Management

2013-05-22 Thread Marvin S. Addison

Does anyone else know what the TerminateWebSessionListener does?


It terminates the servlet container session upon completion of the login 
Web flow. It's an optimization that should benefit most deployers, 
especially those serving large authentication volume. You can safely 
disable it if it's causing problems.


M



Re: [cas-user] CAS load balancing behind f5

2013-05-22 Thread Marvin S. Addison

My systems administrators here at UC Merced are wondering if anyone has
done CAS load balancing behind F5. If any of you have any information
that I can relay to them regarding your approach/configuration.


I don't believe there's anything in particular about F5 hardware with 
respect to how you would handle CAS application load balancing 
generally. The simplest solution in most cases is to go with a shared 
ticket registry (e.g. Ehcache or memcached) and configure the pool with 
session affinity (sticky sessions). The only loss of state would occur 
when a node is lost during the authentication process, which is a narrow 
enough window not to care about. If you do care about that you would 
need to implement session replication or implement client-side Webflow 
state [1].


M

[1] https://github.com/serac/spring-webflow-client-repo



Re: [cas-user] How can merge the datasource of cas-server-3.5.2

2013-05-22 Thread Marvin S. Addison

My question is how can I merge these two datasources into one? Because in some 
situations I can just use one datasource configuration.
The following is the configuration:


That's not what you want to do. You want to use a pooled data source 
where Connection#close() causes the connection to be returned to the 
pool instead of actually closing the TCP socket. Both commons-pool and 
c3p0 work this way. See 
https://wiki.jasig.org/display/CASUM/JpaTicketRegistry for a sample 
configuration of c3p0.


M



Re: [cas-user] SAML Issues in 3.5.2?

2013-05-21 Thread Marvin S. Addison

I'll check with the vendor to see if they are using mod_auth_cas.  Is
there a certain version of mod_auth_cas that does work and certain that
don't?


I believe all versions that support SAML would be affected. I dug up my 
notes on this and realized we submitted a pull request containing the 
fix we developed:


https://github.com/Jasig/mod_auth_cas/pull/46

I clearly dropped the ball by not following up with @bnoordhuis; maybe 
we can pick it back up.


M



Re: [cas-user] SAML Issues in 3.5.2?

2013-05-21 Thread Marvin S. Addison

Are there any known issues with SAML validation in CAS 3.5.2?  We
recently upgraded and a client has started having issues after our
upgrade that they did not see in previous versions.


There is a known issue with respect to the XML namespace prefix used in 
SAML responses with 3.5.2 caused by the upgrade to OpenSAML 2.x. Some 
clients with loose XML parsing strategies, most notably mod_auth_cas, 
cannot handle the new XML namespace prefix. In the strictest sense, it's 
a client problem and should be addressed in that context. But we had to 
hack a patch to mod_auth_cas to fix this for our Apache CAS clients. 
Other clients may be affected by this, but I'm not aware of any.


M



Re: [cas-user] .NET client & SAML

2013-05-16 Thread Marvin S. Addison

Virginia Tech has a .NET client, and there's also some Windows stuff
in the unsupported client list.


Virginia Tech collaborated with Princeton to develop the one and only 
.NET CAS Client [1]. It's the one you should use.


https://wiki.jasig.org/display/CASC/.Net+Cas+Client

I think the integration docs are pretty decent, but we're always taking 
contributions.



Any suggestions on the best client to use for .NET with SAML for
attribute release?


The .NET CAS Client works great and we use it exclusively with the SAML 
protocol here. The only problem we've had is with clock skew on Windows 
hosts since the .NET client is especially strict on enforcing SAML 
validity windows and for whatever reason our Windows hosts have a 
problem getting out of time sync with our stratum 2 time servers. Note 
the ticketTimeTolerance parameter as a workaround, but it's better to 
get your clocks in sync.


I'm happy to help troubleshoot integration problems with you. Post some 
logs and we'll go from there.


Marvin Addison
Middleware Services
Virginia Tech

[1] Most if not all of the patches (mostly for SAML support) in 
https://svn.middleware.vt.edu/svn/middleware/cas/cas-clients/dotnet-cas-client/ 
got contributed to the official .NET CAS Client. I haven't looked at 
that source in ages and it's best to assume it's broken.
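Two client-side validation points from this thread and the "SAML Issues in 3.5.2?" reply above, as one added Python example that is not code from the CAS server, mod_auth_cas or the .NET CAS Client: a /samlValidate response is parsed namespace-aware, so the prefix the server puts on the assertion elements does not matter, and the assertion's Conditions window is enforced with an explicit clock-skew tolerance. Both responses are constructed (identical content, different prefixes); the tolerance parameter is modelled on the .NET client's ticketTimeTolerance and assumed, for this example, to widen both ends of the window.

```python
"""Validate a CAS /samlValidate response robustly: locate elements by
namespace URI rather than prefix, and apply NotBefore/NotOnOrAfter with a
skew tolerance.

Added example, not CAS or CAS-client code. Responses and clocks are
constructed; the tolerance semantics are an assumption (see lead-in).
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}


def build_response(prefix: str, not_before: str, not_on_or_after: str) -> str:
    """Constructed samlValidate response; only the namespace prefix varies."""
    p = prefix
    return f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{NS['soap']}"><SOAP-ENV:Body>
<{p}p:Response xmlns:{p}p="{NS['samlp']}" xmlns:{p}="{NS['saml']}">
 <{p}:Assertion Issuer="cas.example.edu">
  <{p}:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
  <{p}:AuthenticationStatement>
   <{p}:Subject><{p}:NameIdentifier>jdoe</{p}:NameIdentifier></{p}:Subject>
  </{p}:AuthenticationStatement>
 </{p}:Assertion>
</{p}p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""


SERVER_TIME = datetime(2013, 5, 16, 12, 0, 0, tzinfo=timezone.utc)
NOT_BEFORE, NOT_ON_OR_AFTER = "2013-05-16T12:00:00.000Z", "2013-05-16T12:01:00.000Z"
RESPONSE_SAML = build_response("saml", NOT_BEFORE, NOT_ON_OR_AFTER)    # saml:/samlp:
RESPONSE_SAML1 = build_response("saml1", NOT_BEFORE, NOT_ON_OR_AFTER)  # saml1:/saml1p:
CLIENT_90S_BEHIND = SERVER_TIME - timedelta(seconds=90)  # client host out of time sync
CLIENT_AT_EXPIRY = SERVER_TIME + timedelta(seconds=60)   # exactly NotOnOrAfter


def brittle_subject(xml_text: str) -> Optional[str]:
    """The loose, prefix-dependent parsing that breaks when the prefix changes."""
    m = re.search(r"<saml:NameIdentifier>([^<]*)</saml:NameIdentifier>", xml_text)
    return m.group(1) if m else None


def parse_timestamp(ts: str) -> datetime:
    """SAML 1.1 timestamps are UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def extract_assertion(xml_text: str) -> dict:
    """Namespace-aware extraction: elements are found by namespace URI."""
    root = ET.fromstring(xml_text)
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML 1.1 Assertion in response")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions; refusing to accept it")
    subject = assertion.find(".//saml:NameIdentifier", NS)
    return {
        "subject": subject.text if subject is not None else None,
        "not_before": parse_timestamp(cond.get("NotBefore")),
        "not_on_or_after": parse_timestamp(cond.get("NotOnOrAfter")),
    }


def conditions_valid(not_before: datetime, not_on_or_after: datetime,
                     now: datetime, tolerance_ms: int = 0) -> bool:
    """NotOnOrAfter is exclusive; the tolerance widens both ends (assumption)."""
    skew = timedelta(milliseconds=tolerance_ms)
    return (not_before - skew) <= now < (not_on_or_after + skew)


def validate(xml_text: str, now: datetime, tolerance_ms: int = 0) -> Optional[str]:
    """Return the authenticated subject, or None when the window check fails."""
    a = extract_assertion(xml_text)
    if not conditions_valid(a["not_before"], a["not_on_or_after"], now, tolerance_ms):
        return None
    return a["subject"]


if __name__ == "__main__":
    print("brittle:", brittle_subject(RESPONSE_SAML), brittle_subject(RESPONSE_SAML1))
    print("namespace-aware:", validate(RESPONSE_SAML, SERVER_TIME), validate(RESPONSE_SAML1, SERVER_TIME))
    print("90s behind, no tolerance:", validate(RESPONSE_SAML1, CLIENT_90S_BEHIND))
    print("90s behind, 120s tolerance:", validate(RESPONSE_SAML1, CLIENT_90S_BEHIND, 120000))
```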




Re: [cas-user] unsubscribe

2013-05-15 Thread Marvin S. Addison

Unsubscribe


I'll cite the link again for you: 
http://www.jasig.org/cas/mailing-lists. Please follow the instructions 
cited on that page to unsubscribe.


M



Re: [cas-user] unsubscribe

2013-05-15 Thread Marvin S. Addison

unsubscribe


No worky. Instructions at http://www.jasig.org/cas/mailing-lists.

M



Re: [cas-user] CAS samlValidate service not working

2013-05-03 Thread Marvin S. Addison

This is the only thing that I see in the log:

Reloading registered services


Turn up the logging level for org.jasig.cas to DEBUG and try again.  See 
https://wiki.jasig.org/display/CASUM/Logging for more information 
regarding logging configuration.


M



Re: [cas-user] CAS samlValidate service not working

2013-05-02 Thread Marvin S. Addison

When testing samlValidate on our CAS machine I receive error message:
"Service not allowed to validate tickets".


Can you post the corresponding CAS server logs when you encounter that 
message?


Thanks,
M



Re: [cas-user] CAS Server Sending Empty Response Body

2013-04-25 Thread Marvin S. Addison

The vendor has reported that they are
getting an empty response body where they should be getting the SOAP
envelope containing attributes, etc.


We need some log information to troubleshoot. A common cause of no 
attributes is not authorizing the service to access CAS via the service 
manager components. The response body would not be empty in that case, 
though. It could be a ticket validation error; that would certainly not 
produce a SAML attribute statement. Logs will help us say further. I 
would imagine phpCAS logs on the client would be more meaningful, but 
server logs may provide some insight as well.



I have tried adding the foreach loop as outlined in the wiki here:
https://wiki.jasig.org/display/CASUM/Attributes with no success.


That's somewhat confusing. The paragraph you're referring to discusses 
how to send attributes via a customization to the CAS 2.0 XML protocol. 
That has no effect on tickets validated at /samlValidate, which is what 
sends a SAML 1.1 assertion.


M


