RE: [cas-user] samlValidate fatal error

2012-11-27 Thread Ourada, John
Thank you!  Missed the TARGET parameter...

The page https://wiki.jasig.org/display/CASUM/SAML+1.1 could use a slight mod to 
mention that fact :).

When I read this page 
https://sp.princeton.edu/oit/sdp/CAS/Wiki%20Pages/CAS%20samlValidate%20walkthrough.aspx
it was quite apparent, but I didn't see it :(

-John

-Original Message-
From: Andrew Morgan [mailto:mor...@orst.edu] 
Sent: Tuesday, November 27, 2012 1:02 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] samlValidate fatal error

From my CAS PHP client debug log, here is what the handshake looks like:

CC76 .||||=> 
CAS_Client::_readURL('https://login.oregonstate.edu/cas/samlValidate?TARGET=http%3A%2F%2Fpeople.oregonstate.edu%2F%7Emorgan%2FCAS-1.3.1%2Ftest.php',
NULL, NULL, NULL) [Client.php:1748]
CC76 .|||||=> CAS_Client::_buildSAMLPayload() 
[Client.php:2432]
CC76 .|||||<= 'http://schemas.xmlsoap.org/soap/envelope/";>ST-80425-UvrgjbOmAeFWTLco2BOy-login2'


You can see the URL that it POSTed to and an example payload.

Andy

On Tue, 27 Nov 2012, Scott Battaglia wrote:

> I don't believe the SAML parameters are service and ticket.  Its 
> something like TARGET and SAMLart:
> https://github.com/Jasig/cas/blob/master/cas-server-core/src/main/java
> /org/jasig/cas/authentication/principal/SamlService.java
>
>
> On Tue, Nov 27, 2012 at 1:51 PM, Ourada, John  wrote:
>
>> Originally we had a custom authenticator to authenticate against an 
>> internal authentication service.  As part of the customization, the 
>> person's university id was returned as part of the username 
>> (username:ID)
>>
>> We are moving to use MS-AD so I have started working on setting CAS up to 
>> use AD/LDAP.  I don't want to modify the LDAP authenticators to 
>> return the hacked username so I want to use SAML to get the 
>> University ID from AD.
>>
>> I am using 3.4.12 to test with and am using the uber-webapp war for 
>> now.
>>
>> I have LDAP working correctly using FastBind and am filling the 
>> Attribute Repository.
>>
>> SAML on the other hand isn't playing nice.  I am doing this all from 
>> my desktop (Windows 7) for now.
>>
>> After authenticating a service, I am using Fiddler to post to the 
>> samlValidate service.
>>
>> POST ->
>> https://140.192.89.33/cas/serviceValidate?ticket=ST-1-2acg0RAFuewme4D
>> Wnvi0-logintst.depaul.edu&service=http://www.depaul.edu/
>>
>> Headers:
>>
>> Host: 140.192.89.33
>> Content-Length: 465
>> Content-Type: text/xml
>> SOAPAction: http://www.oasis-open.org/committees/security
>>
>> Request Body:
>>
>> http://schemas.xmlsoap.org/soap/envelope/";>
>> xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
>> MajorVersion="1"
>> MinorVersion="1"
>> RequestID="_192.168.16.51.1024506224022"
>> IssueInstant="2002-06-19T17:03:44.022Z">
>> ST-1-2acg0RAFuewme4DWnvi0-logintst.depaul.edu
>>
>> Unfortunately, I am getting 500 errors all the time.  I can 
>> successfully GET serviceValidate though with the same URL.
>>
>> What I see in the logs is:
>>
>> 2012-11-27 11:39:02,031 INFO
>> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
>> =
>> WHO: JOURADA
>> WHAT: ST-2-jpmMvmFN5R3qCDm6WszA-logintst.depaul.edu for
>> http://www.depaul.edu/
>> ACTION: SERVICE_TICKET_CREATED
>> APPLICATION: CAS
>> WHEN: Tue Nov 27 11:39:02 CST 2012
>> CLIENT IP ADDRESS: 140.192.89.33
>> SERVER IP ADDRESS: 140.192.89.33
>> =
>>
>> 2012-11-27 11:39:36,741 DEBUG
>> [org.jasig.cas.authentication.principal.SamlService] - > extract Request from HttpServletRequest.  Results:&
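
Here is the samlValidate exchange from the thread as working Python. This is an added example, not code from CAS or from the phpCAS client whose log Andy pasted. It builds the SOAP payload that log shows, puts the service under TARGET as Scott pointed out (the cause of the 500s when it is missing), and checks a response the way a client should: SAML status, Audience against the service URL, and the Conditions validity window. The CAS base URL, service, ticket and the response document are constructed sample values, and no network call is made; in real use the payload is POSTed as text/xml to the URL returned by saml_validate_url.

```python
"""samlValidate round trip: build the SOAP/SAML 1.1 artifact request and verify
the response. Added example; URLs, ticket and the response below are made up."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("SOAP-ENV", SOAP)
ET.register_namespace("samlp", SAMLP)

SAMPLE_NOW = datetime(2012, 11, 27, 19, 2, 30, tzinfo=timezone.utc)  # constructed clock


def saml_validate_url(cas_base, service):
    """samlValidate names the service with TARGET=, not service=."""
    return cas_base.rstrip("/") + "/samlValidate?" + urlencode({"TARGET": service})


def build_saml_payload(ticket, request_id, issue_instant):
    """SOAP envelope wrapping a samlp:Request whose AssertionArtifact is the ST."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    req = ET.SubElement(body, f"{{{SAMLP}}}Request", {
        "MajorVersion": "1", "MinorVersion": "1", "RequestID": request_id,
        "IssueInstant": issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(req, f"{{{SAMLP}}}AssertionArtifact").text = ticket
    return ET.tostring(env, encoding="unicode")


def _instant(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_saml_response(xml_text, expected_service, now):
    """Return (username, attributes) from a samlValidate response, or raise
    ValueError if status, audience or validity window are not what we expect."""
    root = ET.fromstring(xml_text)
    code = root.find(f".//{{{SAMLP}}}StatusCode")
    if code is None or not code.get("Value", "").endswith("Success"):
        raise ValueError("ticket validation did not succeed")
    assertion = root.find(f".//{{{SAML}}}Assertion")
    cond = assertion.find(f"{{{SAML}}}Conditions") if assertion is not None else None
    if cond is None:
        raise ValueError("response carries no Assertion/Conditions")
    audiences = [a.text for a in cond.iter(f"{{{SAML}}}Audience")]
    if expected_service not in audiences:  # assertion issued for some other service
        raise ValueError(f"audience {audiences} does not include {expected_service}")
    if not _instant(cond.get("NotBefore")) <= now < _instant(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    stmt = assertion.find(f"{{{SAML}}}AttributeStatement")
    username = stmt.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier").text
    attrs = {}
    for attr in stmt.iter(f"{{{SAML}}}Attribute"):
        values = [v.text for v in attr.iter(f"{{{SAML}}}AttributeValue")]
        attrs.setdefault(attr.get("AttributeName"), []).extend(values)
    return username, attrs


# Constructed response in the shape CAS returns from samlValidate.
SAMPLE_RESPONSE = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP}"><SOAP-ENV:Header/><SOAP-ENV:Body>
<Response xmlns="{SAMLP}" MajorVersion="1" MinorVersion="1" ResponseID="_resp1"
 IssueInstant="2012-11-27T19:02:00Z" Recipient="http://www.depaul.edu/">
 <Status><StatusCode Value="samlp:Success"/></Status>
 <Assertion xmlns="{SAML}" AssertionID="_a1" Issuer="localhost"
  IssueInstant="2012-11-27T19:02:00Z" MajorVersion="1" MinorVersion="1">
  <Conditions NotBefore="2012-11-27T19:02:00Z" NotOnOrAfter="2012-11-27T19:03:00Z">
   <AudienceRestrictionCondition><Audience>http://www.depaul.edu/</Audience></AudienceRestrictionCondition>
  </Conditions>
  <AttributeStatement>
   <Subject><NameIdentifier>jourada</NameIdentifier></Subject>
   <Attribute AttributeName="employeeNumber" AttributeNamespace="http://www.ja-sig.org/products/cas/">
    <AttributeValue>1234567</AttributeValue>
   </Attribute>
  </AttributeStatement>
 </Assertion>
</Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

if __name__ == "__main__":
    print(saml_validate_url("https://cas.example.edu/cas", "http://www.depaul.edu/"))
    print(build_saml_payload("ST-1-sample", "_req1", SAMPLE_NOW))
    print(parse_saml_response(SAMPLE_RESPONSE, "http://www.depaul.edu/", SAMPLE_NOW))
```

The audience and window checks are the part a quick client tends to skip; without them any assertion CAS ever issued for any service would be accepted by this one.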

[cas-user] LDAP Configuration Question

2012-12-05 Thread Ourada, John
As part of our conversion to using LDAP against AD instead of a custom 
validator, I am thinking of the following and would like to run it by the group.

I am planning on using the FastBindLdapAuthenticationHandler since I only have 
one OU (People) in which to look and I don't need to do any special searches.

I am planning on retrieving attributes to be passed back via saml.

There will be two different contextSource's: one for 
FastBindLdapAuthenticationHandler and one for LdapPersonAttributeDao.

Does it make sense, and is it supported, to use connection pooling for 
LdapPersonAttributeDao?

Also, does this seem like an appropriate setup, or should I consider 
using BindLdapAuthenticationHandler for authentication?

BTW, I have not upgraded past 3.4.6 yet.

Thank you!
-John

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

RE: [cas-user] LDAP Configuration Question

2012-12-10 Thread Ourada, John
If I understand correctly, I don't supply the user-id/pw combination when using 
fast-bind authentication, but I need to provide it to obtain LDAP attributes, 
thus two different ContextSources: one with a userid/pw combination and one 
without.

-John

From: Modi Tamam [mailto:modi.ta...@gmail.com]
Sent: Sunday, December 09, 2012 9:07 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] LDAP Configuration Question

Why not to use the same contextSources ?
On Wed, Dec 5, 2012 at 11:40 PM, Andrew Morgan <mor...@orst.edu> wrote:
> There will be two different contextSource's: one for 
> FastBindLdapAuthenticationHandler and one for



--
Best Regards
Mordechai Tamam



RE: [cas-user] Log XML response to application server

2012-12-11 Thread Ourada, John
I am assuming that the third party won't share their code ??

My initial gut response was that they were maybe using a static variable 
somewhere to store the userid or that they didn't have caching set properly on 
their http request.

-John

-Original Message-
From: Tobias Quosigk [mailto:tquos...@kennesaw.edu] 
Sent: Tuesday, December 11, 2012 8:51 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Log XML response to application server

Thank you, Andy! I did consider changing the log levels to Debug, but decided 
to stay away from that because it will store clear text user passwords in the log 
file on production.

In a nutshell, the third-party application provider claims that CAS is sending 
his application the same username for two different CAS tickets (and two 
different users). All logs on CAS show that it was two different users, each 
getting a unique ST. However, when the third-party application server validates 
the tickets and receives the responses at the exact same time (same time down 
to the millisecond), his log of the XML responses show that CAS returned the 
same user for two different tickets in the XML responses. 

I have only circumstantial evidence that CAS doesn't return the same username 
for different STs (from different users) so I can't 'prove' to the developer 
that it's not CAS. (I have other casified applications with exponentially 
higher volume that do not exhibit this issue).

Tobias



- Original Message -
From: "Andrew Morgan" 
To: cas-user@lists.jasig.org
Sent: Monday, December 10, 2012 6:17:51 PM
Subject: Re: [cas-user] Log XML response to application server

On Mon, 10 Dec 2012, Tobias Quosigk wrote:

> I'm in the process of diagnosing a potential issue with a third-party 
> application and it would help me tremendously, if I could turn on 
> logging for the XML response referenced below, specifically the 
> username that gets returned to the third-party application:
>
> [From https://wiki.jasig.org/display/CASUM/Technical+Overview] "CAS 
> receives and validates this secure server-to-server request, then 
> fulfills the application server's HTTPS CAS client request and returns 
> an XML message of "success" along with the authenticated username."
>
> I'm running CAS 3.4.10.

This doesn't give you the full XML, but have you looked at the audit log in 
CAS?  Here is an example of the log entry for a ticket validation:

2012-12-10 09:39:29,385 INFO
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail 
record BEGIN =
WHO: audit:unknown
WHAT: ST-471027-oySesJjITuWkeJUpOB2y-login1
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Mon Dec 10 09:39:29 PST 2012
CLIENT IP ADDRESS: 128.193.123.123
SERVER IP ADDRESS: login.oregonstate.edu 
=

You could also turn on DEBUG logging for (just a guess):

org.jasig.cas.web.support.CasArgumentExtractor
org.jasig.cas.web.support.SamlArgumentExtractor
org.jasig.cas.util

Or...  approach it from the networking side.  Run tcpdump to capture the 
traffic, then use Wireshark along with your CAS server's SSL cert and SSL key 
to decrypt the traffic and view it.

Andy

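
A small correlator for exactly the dispute above, as an added example (not CAS or Inspektr code). It parses records in the Slf4jLoggingAuditTrailManager layout Andy pasted, joins each SERVICE_TICKET_VALIDATED record to the SERVICE_TICKET_CREATED record for the same ST, and so answers, per ticket, which user the ST was issued to and from which client it was validated, without turning on DEBUG and logging passwords. The log records are constructed; the record builder exists only to keep the sample short.

```python
"""Correlate CAS audit records: which user each ST was issued to, and each
validation of it. Added example on constructed log lines."""
import re

RECORD_START = "Audit trail record BEGIN"
FIELD = re.compile(r"^([A-Z][A-Z ]+): (.*)$")


def _record(who, what, action, client, when):
    """One record in the Slf4jLoggingAuditTrailManager layout (sample data only)."""
    return (
        f"2012-12-10 {when} INFO [com.github.inspektr.audit.support."
        f"Slf4jLoggingAuditTrailManager] - {RECORD_START}\n"
        "=============================================================\n"
        f"WHO: {who}\nWHAT: {what}\nACTION: {action}\nAPPLICATION: CAS\n"
        f"WHEN: Mon Dec 10 {when.split(',')[0]} PST 2012\n"
        f"CLIENT IP ADDRESS: {client}\nSERVER IP ADDRESS: login.example.edu\n"
        "=============================================================\n")


SAMPLE_AUDIT_LOG = "".join([
    _record("alice", "ST-1001-aaaa-login1 for https://app.example.edu/",
            "SERVICE_TICKET_CREATED", "10.0.0.5", "09:39:20,101"),
    _record("bob", "ST-1002-bbbb-login1 for https://app.example.edu/",
            "SERVICE_TICKET_CREATED", "10.0.0.6", "09:39:20,104"),
    # the application server validates both tickets in the same millisecond
    _record("audit:unknown", "ST-1001-aaaa-login1", "SERVICE_TICKET_VALIDATED", "192.0.2.10", "09:39:20,385"),
    _record("audit:unknown", "ST-1002-bbbb-login1", "SERVICE_TICKET_VALIDATED", "192.0.2.10", "09:39:20,385"),
    # a second validation of an ST, and one of an ST this log never issued
    _record("audit:unknown", "ST-1002-bbbb-login1", "SERVICE_TICKET_VALIDATED", "192.0.2.10", "09:39:21,002"),
    _record("audit:unknown", "ST-1003-cccc-login1", "SERVICE_TICKET_VALIDATED", "192.0.2.11", "09:39:22,000"),
])


def parse_audit_records(text):
    """Split the log into dicts keyed by the upper-case field names."""
    records, current = [], None
    for line in text.splitlines():
        if RECORD_START in line:
            current = {}
            records.append(current)
            continue
        m = FIELD.match(line.strip())
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return records


def correlate_tickets(records):
    """ST -> {user, service, validations}. The user comes only from the CREATED
    record, since validation records are logged as audit:unknown."""
    tickets = {}
    for r in records:
        action = r.get("ACTION")
        if action not in ("SERVICE_TICKET_CREATED", "SERVICE_TICKET_VALIDATED"):
            continue
        ticket, _, service = r.get("WHAT", "").partition(" for ")
        info = tickets.setdefault(ticket, {"user": None, "service": None, "validations": []})
        if action == "SERVICE_TICKET_CREATED":
            info["user"] = r.get("WHO")
            info["service"] = service
        else:
            info["validations"].append((r.get("WHEN"), r.get("CLIENT IP ADDRESS")))
    return tickets


def find_anomalies(tickets):
    """Validated-but-never-issued tickets and tickets validated more than once."""
    problems = []
    for st, info in tickets.items():
        if info["user"] is None and info["validations"]:
            problems.append((st, "validated but never created in this log"))
        if len(info["validations"]) > 1:
            problems.append((st, f"{len(info['validations'])} validation records; an ST is single-use"))
    return sorted(problems)


if __name__ == "__main__":
    tickets = correlate_tickets(parse_audit_records(SAMPLE_AUDIT_LOG))
    for st, info in tickets.items():
        print(st, info["user"], info["service"], info["validations"])
    print(find_anomalies(tickets))
```

If you copy records out of mail, rejoin the wrapped WHAT lines first (in the thread the service URL has been pushed onto its own line). Per-ticket output like this is what the vendor can be handed: ticket, user it was issued to, and the client address that validated it.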

RE: [cas-user] URL encoding and CAS

2013-02-13 Thread Ourada, John
We have a similar problem with CAS authenticating with our PeopleSoft 
implementation when we want the client to go directly to a page within 
PeopleSoft. 

We weren't able to get CAS to come back with the service URL or TARGET URL when 
the url contained a parameter that was another URL with its own set of 
parameters.

I am not sure how web applications are supposed to interpret a url like this, 
but it seems that it could be hard to determine which url a particular 
parameter belongs to after the url has been decoded.

Our solution was to use our own encoding scheme for the embedded url so that 
CAS or any other web app would interpret it as just a string value associated 
with a url parameter.

When CAS redirects back to PS, we decode the embedded url and then redirect 
back to ourselves with the decoded URL.  Somewhat of a hack, but couldn't find 
another way around it.  Storing the value in a cookie wouldn't have worked for 
us in this case.

-John

-Original Message-
From: Robert Ginsburg [mailto:rob...@ginsburg.me] 
Sent: Wednesday, February 13, 2013 12:40 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] URL encoding and CAS

As it's a fairly simple protocol, the CAS client is my own code base. I am 
building a WSFederation bridge for ADFS that uses CAS for authentication. The 
"long urls" are basically federation passive redirects from other ADFS 
servers. For example, I want to retain this query string and path:

wa=wsignin1.0&wtrealm=https%3a%2f%2fcassts.ginsburg.local%2fCASAuth%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fCASAuth%252f&wct=2013-02-13T17%3a27%3a32Z

So you would think I would simply append that to the query string parameter 
which would result in this (my cas server is cas.ginsburg.local and my 
federation proxy is cassts.ginburg.local)

https://cas.ginsburg.local/cas/login?TARGET=https%3a%2f%2fcassts.ginsburg.local%2fcasauth_sts%2f%3fwa%3dwsignin1.0%26wtrealm%3dhttps%253a%252f%252fcassts.ginsburg.local%252fCASAuth%252f%26wctx%3drm%253d0%2526id%253dpassive%2526ru%253d%25252fCASAuth%25252f%26wct%3d2013-02-13T18%253a25%253a5


If I do that, then the CAS redirect sends me back with this , to the right 
place but with a mangled URL, notice that parts of the query string are 
repeated. 

"https://cassts.ginsburg.local/casauth_sts/?wa=wsignin1.0&wtrealm=https:%2f%2fcassts.ginsburg.local%2fCASAuth%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fCASAuth%252f&wct=2013-02-13T18:30:44Z&TARGET=https:%2F%2Fcassts.ginsburg.local%2Fcasauth_sts%2F%3Fwa%3Dwsignin1.0%26wtrealm%3Dhttps%253a%252f%252fcassts.ginsburg.local%252fCASAuth%252f%26wctx%3Drm%253d0%2526id%253dpassive%2526ru%253d%25252fCASAuth%25252f%26

 This example only repeats once, I have seen it repeat up to 4 times (with 
different federation urls). For the moment what I have done is move the URL to 
a cookie before sending the request to CAS. That works fine but of course I 
have to refresh the URL after it comes back so it causes another round trip on 
my server.


Robert Ginsburg
rob...@ginsburg.me
(803) 467 - 3329


-Original Message-
From: Ohsie, David [mailto:david.oh...@emc.com]
Sent: Wednesday, February 13, 2013 10:26 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] URL encoding and CAS

Can you report which CAS client you are using and also post the URL that is in 
your browser address bar at the CAS login page or a log of the web server 
requests.

"Long" or "complex" URL's should be working without a problem.

david

-Original Message-
From: Robert Ginsburg [mailto:rob...@ginsburg.me]
Sent: Wednesday, February 13, 2013 9:28 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] URL encoding and CAS

I must admit to being a CAS newbie, but I have had a similar problem with 
CAS 3.51. I was unable to reliably get CAS to return complex URLs. By that I 
mean URLs that had fairly long accompanying URL-encoded query strings. I ended 
up pushing the original URL into a client-side cookie and restoring it on 
return. It does mean an extra redirect, but the CAS service URL is short and of 
course works fine.

Robert Ginsburg
rob...@ginsburg.me
(803) 467 - 3329


-Original Message-
From: Jeff Chapin [mailto:jeff.cha...@uni.edu]
Sent: Friday, February 08, 2013 5:39 PM
To: cas-user@lists.jasig.org
Subject: [cas-user] URL encoding and CAS

All,

We have an enterprise reporting tool we have operating behind CAS.
This service has URLs that have 'special' characters in it -- ampersands, 
slashes, question marks, spaces, etc. This service handles some URL encoding 
just fine -- it does not mind replacing ' ' with %20, for instance.

When this application is placed behind CAS, however, CAS is modifying the URL 
-- it is URL encoding strangely.

For instance, if I wanted to hit:
https://example.com/analytics/saw.dll?dashboard&PortalPath=%2Fshared%2Deans%
2C%20Directors%2C%20Department%20Heads%2F_portal%2FAdmissions%20for%20DDDH

CAS is properly authing the user, and then releasing them to:
https://exampl
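
The mangling Robert and John describe is what happens when a URL that is itself a query parameter gets decoded one time too many: the inner ? & = start to look like outer syntax. The Python below, an added example rather than anyone's CAS client, shows that with a nested WS-Federation style URL, and then John's workaround: carry the embedded URL as an opaque base64url token that no decoder will mistake for a URL, and validate the host on the way back, because an opaque return-URL parameter is otherwise an open redirect. Host names are taken from Robert's message; ALLOWED_RETURN_HOSTS and the ru parameter name are assumptions. The CAS login endpoint is addressed with service= here; Robert's TARGET= form is the SAML 1.1 equivalent.

```python
"""Nested service URLs: why over-decoding scrambles them, and an opaque
round-trip token with an allow-listed decode. Added example; hosts from the
thread, parameter names and allow-list are assumptions."""
import base64
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

ALLOWED_RETURN_HOSTS = {"cassts.ginsburg.local"}  # assumption: where we may send users back


def service_params_after_decoding(service_value, times):
    """Decode a service value `times` times, then parse its query string.
    One decode is right; a second lets the inner URL's parameters leak
    out as if they belonged to the outer URL."""
    for _ in range(times):
        service_value = unquote(service_value)
    return parse_qs(urlparse(service_value).query)


def encode_return_url(url):
    """Opaque token: base64url has no ? & = / % characters to be re-interpreted."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def decode_return_url(token):
    """Reverse encode_return_url and enforce the allow-list on the result."""
    url = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_RETURN_HOSTS:
        raise ValueError(f"refusing to redirect to {url!r}")
    return url


def build_login_url(cas_base, service_base, return_url):
    """CAS login URL whose service carries the embedded URL as a token."""
    service = service_base + "?" + urlencode({"ru": encode_return_url(return_url)})
    return cas_base.rstrip("/") + "/login?" + urlencode({"service": service})


def service_url(login_url):
    """The service CAS will redirect to after login (its decoded service=)."""
    return parse_qs(urlparse(login_url).query)["service"][0]


def return_url_from_callback(callback_url):
    """After CAS redirects to service?ru=<token>&ticket=ST-..., recover and
    check the embedded URL."""
    token = parse_qs(urlparse(callback_url).query)["ru"][0]
    return decode_return_url(token)


# Robert's federation redirect, encoded once as a query value of the service.
INNER_URL = ("https://cassts.ginsburg.local/casauth_sts/?wa=wsignin1.0&wctx="
             + quote("rm=0&id=passive&ru=/CASAuth/", safe=""))
WIRE_SERVICE = quote(INNER_URL, safe="")  # as it appears after service=

if __name__ == "__main__":
    print(service_params_after_decoding(WIRE_SERVICE, 1))  # wctx intact
    print(service_params_after_decoding(WIRE_SERVICE, 2))  # id and ru leak out
    login = build_login_url("https://cas.ginsburg.local/cas",
                            "https://cassts.ginsburg.local/casauth_sts/", INNER_URL)
    print(login)
    print(return_url_from_callback(service_url(login) + "&ticket=ST-1-sample"))
```

The token is not secret and not signed; the allow-list check in decode_return_url is what keeps it from becoming a redirector to arbitrary sites. If the embedded URL must also be tamper-evident, sign the token before handing it to the browser.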

[cas-user] PrometheusAtlas and ISAPI

2013-05-20 Thread Ourada, John
Has anyone used the CAS ISAPI client and the Prometheus Atlas application?

If you have, would you be able to give me a short narrative of your experience?

Thank you!
-John


[cas-user] UC Davis ISAPI Client - Chrome - ERR_RESPONSE_HEADERS_TRUNCATED

2013-10-29 Thread Ourada, John
We are using Atlas Systems Ares product with our Library.

They only support an ISAPI filter for authentication.

We found the UC Davis ISAPI client to meet theirs and our needs.
(https://confluence.ucdavis.edu/confluence/display/IETP/CAS+ISAPI+Client)

Starting last Spring following a Chrome update we now get an error from
Chrome: ERR_RESPONSE_HEADERS_TRUNCATED

I tried to use Fiddler to see what was happening and it claims that the server 
is indeed returning buggy headers.

I have tried several times to contact the UC Davis IT support and have not 
heard anything back from them.  I called and sent a detailed e-mail.

This is only affecting Chrome, but using Fiddler, it seems that there is truly 
something wrong with the way that the http headers are returned.

To see this go to https://depaul.ares.atlas-sys.com/ares/ares.dll.

I see that Adam Causey reported the same issue on 9/26/2013 on gmane.org

-John
DePaul University




RE: [cas-user] UC Davis ISAPI Client - Chrome - ERR_RESPONSE_HEADERS_TRUNCATED

2013-10-29 Thread Ourada, John
Thanks Tom!

I would like to use the .NET client, but this vendor uses an ISAPI filter to 
provide SSO with their customers.

We are very appreciative to have access to this client, as long as we know that 
something is or isn't happening. My internal clients are getting edgy with me 
and there is nothing that I can do.

If you want assistance, I would be happy to try.

-John

Sent from Moxier Mail
(http://www.moxier.com)


- Original Message -
From: Tom Poage 
To: "cas-user@lists.jasig.org" 
Sent: 10/29/2013 5:10 PM
Subject: Re: [cas-user] UC Davis ISAPI Client - Chrome - 
ERR_RESPONSE_HEADERS_TRUNCATED



UC Davis is aware of the issue. A recent change in Chrome code uncovered
what looks to be an implementation bug in the ISAPI filter: the HTTP
protocol requires an empty line tailing the headers and the filter
apparently does not send one. Earlier Chrome code and other browsers
seem to be more forgiving of this; the new Chrome code enforces the
empty line, otherwise throwing the truncation error.

Cf. revision 202927 in
http://src.chromium.org/viewvc/chrome/trunk/src/net/http/http_stream_parser.cc?view=log#revHEAD

I'm not a Windows developer, so am trying to come up to speed on the
APIs to see what could be done with it. I have been in communication
with the original developer who suggested, if at all possible, using the
.NET CAS client.

Tom.

On 10/29/2013 10:02 AM, Ourada, John wrote:
> We are using Atlas Systems Ares product with our Library.
>
> They only support an ISAPI filter for authentication.
>
> We found the UC Davis ISAPI client to meet theirs and our needs.
>
> (*https://confluence.ucdavis.edu/confluence/display/IETP/CAS+ISAPI+Client*)
>
> Starting last Spring following a Chrome update we now get an error from
>
> Chrome: ERR_RESPONSE_HEADERS_TRUNCATED
>
> I tried to use Fiddler to see what was happening and it claims that the
> server is indeed returning buggy headers.
>
> I have tried several times to contact the UC Davis IT support and have
> not heard anything back from them.  I called and sent a detailed e-mail.
>
> This is only affecting Chrome, but using Fiddler, it seems that there is
> truly something wrong with the way that the http headers are returned.
>
> To see this go to https://depaul.ares.atlas-sys.com/ares/ares.dll.
>
> I see that Adam Causey reported the same issue on 9/26/2013 on gmane.org
>
> -John
>
> DePaul University
>
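
To see for yourself whether a server is doing what Tom describes, feed the raw bytes of its response (Fiddler's raw view, or the output of openssl s_client) to the parser below. It is an added example, not the ISAPI filter or Chrome's http_stream_parser: it applies the same rule, that the header block must end with an empty line, and reports a truncation instead of guessing. Both responses in it are constructed; the redirect target is a placeholder.

```python
"""Minimal HTTP/1.x response-head parser that, like current Chrome, refuses a
header block with no terminating empty line. Added example on constructed bytes."""
import re
import sys

STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3})(?: .*)?$")


class TruncatedHeaders(Exception):
    """Raised when no empty line separates headers from body."""


def parse_response_head(raw):
    """Return (status, headers, body) for a raw HTTP/1.x response.

    Header names are lower-cased and values listed, since a header may repeat.
    CRLF CRLF is the required terminator; bare LF LF is tolerated, as the more
    forgiving browsers do."""
    end, sep = raw.find(b"\r\n\r\n"), 4
    if end == -1:
        end, sep = raw.find(b"\n\n"), 2
    if end == -1:
        raise TruncatedHeaders("header block is not terminated by an empty line")
    head, body = raw[:end], raw[end + sep:]
    lines = [line.rstrip(b"\r") for line in head.split(b"\n")]
    m = STATUS_LINE.match(lines[0])
    if m is None:
        raise ValueError(f"bad status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower().decode("latin-1"), []).append(
            value.strip().decode("latin-1"))
    return int(m.group(1)), headers, body


def header_verdict(raw):
    """One-line diagnosis suitable for a ticket to the vendor."""
    try:
        status, headers, _ = parse_response_head(raw)
    except TruncatedHeaders as exc:
        return f"TRUNCATED: {exc}"
    return f"ok: status {status}, {len(headers)} header(s)"


# Constructed: a CAS client redirect to the login page, once correct and once
# as the thread describes the filter's output (headers, then nothing).
LOCATION = b"https://cas.example.edu/cas/login?service=https%3A%2F%2Flib.example.edu%2Fares%2Fares.dll"
GOOD_RESPONSE = (b"HTTP/1.1 302 Found\r\nLocation: " + LOCATION +
                 b"\r\nContent-Length: 0\r\n\r\n")
BAD_RESPONSE = (b"HTTP/1.1 302 Found\r\nLocation: " + LOCATION +
                b"\r\nContent-Length: 0\r\n")

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BAD_RESPONSE
    print(header_verdict(raw))
```

Run it with a file of captured bytes as the only argument; with no argument it diagnoses the constructed bad response. Capture the bytes before any proxy or load balancer that might repair the framing for you.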



RE: [cas-user] trimming user name

2013-11-13 Thread Ourada, John
Just out of curiosity, what do you have defined as your 
"principalAttributeName"? We are using sAMAccountName and I don't 
think I have seen that as an issue.  If I recall ...  I did that so that no 
matter what a person typed, lower or upper case, I got back what the account 
should be; otherwise I was having to uppercase the userid to match what was in PS 
before making use of it.

-John

From: Ted Fisher [mailto:tffi...@bgsu.edu]
Sent: Wednesday, November 13, 2013 9:18 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] trimming user name

We have been running CAS 3.5.0 for about a year now with LDAP as our 
credentials source.  Things are working very well for the most part.  One 
problem is that if a user has a space preceding their user name our LDAP 
accepts that and passes credentials.  This doesn't affect our Liferay portal, 
but when users hit anything in our Peoplesoft arena the CAS auth for that fails 
because of the space before the name (a space after the name is no problem).
So, we'd simply like to trim the user name before hitting the LDAP for 
credentials check.  But, I'm not sure what is the best (and simplest) way to do 
that.  I found CAS issue CAS-1260 which indicates that we could use Spring to 
accomplish this "via a specific Property Editor".  But, not being well versed 
in Java and even less with Spring I'm not clear on how exactly to accomplish 
what seems to be something that should be simple.

Any suggestions or pointers would be greatly appreciated.

Thanks.

Ted F. Fisher
Information Technology Services
Bowling Green State University





RE: [cas-user] Login Form Clears Fields When Attempting to Login

2014-01-23 Thread Ourada, John
The problem could be that the sessionid is associated with only one server and 
the load balancer is redirecting to another server when the login/pw is posted. 
  When the userid/pw is posted, the sessionid is invalid, so tomcat sends the 
person back with a new sessionid and blank fields :-)  .  Doing the below test 
should indicate whether that might be the problem...

-John

-Original Message-
From: Michael Wechner [mailto:michael.wech...@wyona.com] 
Sent: Thursday, January 23, 2014 9:47 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Login Form Clears Fields When Attempting to Login

just to make sure that the load balancing is really not the problem, I would 
suggest to turn off one of the nodes and check whether she is still able to 
reproduce the issue. Or have you tried that already?

HTH

Michael

Am 23.01.14 16:35, schrieb Derek Lofstrom:
> We have a small pilot deployment that is currently being used by a handful of 
> users. One is claiming (and I've seen it) that several times a day, she will 
> attempt to login through the standard vanilla login form, but when she hits 
> Enter or presses the Login button, all the fields clear out and she has to 
> enter her credentials all over again. It does this 3 times before letting her 
> in, during which there are no messages regarding authentication failures or 
> the like. When I look through cas.log, there is only one login and subsequent 
> ticket granting event for her, corresponding to her last successful attempt.
>
> She is attempting to access the Manager's portal in Symplicity CSM using 
> Chrome, though I haven't been able to test it with any other browsers or 
> reproduce the behavior myself just yet (of course, it works perfectly fine 
> every time I access the resource).
>
> We have a two node CentOS 6 farm running CAS 3.5.2 with an Ehcache ticket 
> registry front-ended by a Kemp load balancer in a one-armed deployment. The 
> other node has no events for her other attempted logins. Anyone else ever 
> come across this behavior before?
>
> Thanks,
>
> Derek Lofstrom
> Senior Network Engineer
>
> NEW ENGLAND LAW | BOSTON
> 154 Stuart Street, Boston, MA 02116
> T 617.368.1432
> dlofst...@nesl.edu
> www.nesl.edu
>
> New England Law is one of the Boston Globe's 100 Top Places to Work
>
>





RE: [cas-user] LDAP: Bind vs FastBind

2014-02-21 Thread Ourada, John
I solved the problem for us by using attributes.

Since I needed to return a few attributes anyway, I mapped the attribute 
'username' to a specific directory attribute.  In my case, this has the effect 
of returning the data from the directory instead of what the user typed.

It still requires that I configure an account that can retrieve the attributes 
once a user has successfully logged in.

-John

-Original Message-
From: Tom Poage [mailto:tfpo...@ucdavis.edu] 
Sent: Friday, February 21, 2014 2:14 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] LDAP: Bind vs FastBind

On 02/21/2014 05:24 AM, Whittaker, Geoffrey wrote:
> What are the benefits of FastBind over Bind.  Are there any security 
> issues I should be aware of if I use FastBind?

With the general case-insensitive nature of LDAP queries, we discovered the 
need to 'normalize' and filter the username when using "fast bind"
(not AD).

The username/principal is exposed through service ticket validation as entered 
at the login page, so if the client enters "Fred" one time and "FRED" another, 
it'll match the same LDAP entry, but to any case-sensitive app downstream, it 
looks like two different clients.

Ended up implementing a CredentialsToPrincipalResolver:

> protected String extractPrincipalId(final Credentials credentials) {
> final UsernamePasswordCredentials usernamePasswordCredentials = 
> (UsernamePasswordCredentials) credentials;
> return usernamePasswordCredentials.getUsername().trim().toLowerCase();
> }

See my post from November 13, 2013 for details (added trim() since).

A newer version of ldaptive also encodes the argument so someone can't try any 
funny stuff with the bind DN.

Tom.




RE: [cas-user] LDAP: Bind vs FastBind

2014-02-21 Thread Ourada, John
I am not a good source for doing things in java in CAS.  I haven't done any 
real java coding.  I am running pretty much delivered code.  The only thing I 
have modified is jsp files and configuration files.

Depending on what is returned by that attribute, you could fix it in the 
casServiceValidationSuccess.jsp file.

I modified that file to return attributes based on someone else's documentation 
on returning attributes. The issue that I had was how CAS returns the 
'memberOf' attribute.  I cleaned up the listing of 'memberOf' into something 
that could be used by downstream applications in this file.

Others would need to respond as to the dangers of doing that...

From: Rex Roof [mailto:r...@wccnet.edu]
Sent: Friday, February 21, 2014 2:34 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] LDAP: Bind vs FastBind

we've been dealing with a similar problem and I was thinking about doing this.

One thing, though, we're using openldap and our "uid" attribute can contain 
multiple usernames associated with the user.   I've already scripted something 
that makes sure the primary username is first, but since I don't have that 
primary username in its own attribute I couldn't figure out how to return just 
that attribute as the username.

any idea how I might pop that first username off of our list of uids and use it 
as the primary username?


- Rex Roof
WCC Systems Engineer  mailto:r...@wccnet.edu>>
734-973-3478

On Fri, Feb 21, 2014 at 3:28 PM, Ourada, John 
mailto:jour...@depaul.edu>> wrote:
I solved the problem for us by using attributes.

Since I needed to return a few attributes anyway, I mapped the attribute 
'username' to a specific directory attribute.  In my case, this has the effect 
of returning the data from the directory instead of what the user typed.

It still requires that I configure an account that can retrieve the attributes 
once a user has successfully logged in.

-John

-Original Message-
From: Tom Poage [mailto:tfpo...@ucdavis.edu<mailto:tfpo...@ucdavis.edu>]
Sent: Friday, February 21, 2014 2:14 PM
To: cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org>
Subject: Re: [cas-user] LDAP: Bind vs FastBind

On 02/21/2014 05:24 AM, Whittaker, Geoffrey wrote:
> What are the benefits of FastBind over Bind.  Are there any security
> issues I should be aware of if I use FastBind?

With the general case-insensitive nature of LDAP queries, we discovered the 
need to 'normalize' and filter the username when using "fast bind"
(not AD).

The username/principal is exposed through service ticket validation as entered 
at the login page, so if the client enters "Fred" one time and "FRED" another, 
it'll match the same LDAP entry, but to any case-sensitive app downstream, it 
looks like two different clients.

Ended up implementing a CredentialsToPrincipalResolver:

> protected String extractPrincipalId(final Credentials credentials) {
> final UsernamePasswordCredentials usernamePasswordCredentials = 
> (UsernamePasswordCredentials) credentials;
> return usernamePasswordCredentials.getUsername().trim().toLowerCase();
> }

See my post from November 13, 2013 for details (added trim() since).

A newer version of ldaptive also encodes the argument so someone can't try any 
funny stuff with the bind DN.

Tom.

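
The two fast-bind hazards Tom raises, principal case and whitespace, and user input spliced into the bind DN, plus the memberOf cleanup John does in the JSP, as one added Python example (not CAS, ldaptive or John's JSP). It normalizes the username the way Tom's resolver does, escapes it per RFC 4514 before substituting it into a DN template, and turns AD memberOf DNs into plain group names while respecting escaped commas. The %u template follows the CAS 3 fast-bind filter convention, but its base is a placeholder; the group DNs are constructed.

```python
"""Fast-bind DN construction and memberOf cleanup. Added example; the DN base
and group names are constructed."""
import re

# RFC 4514 special characters inside an attribute value
_DN_SPECIAL = {",": r"\,", "+": r"\+", '"': r'\"', "\\": r"\\", "<": r"\<",
               ">": r"\>", ";": r"\;", "=": r"\=", "\0": r"\00"}
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def normalize_username(raw):
    """Tom's resolver: trim and fold case, so ' Fred' and 'FRED' are one principal."""
    return raw.strip().lower()


def escape_dn_value(value):
    """Escape a value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append(_DN_SPECIAL[ch])
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def unescape_dn_value(value):
    """Undo escape_dn_value; \\XX hex pairs are decoded for single-byte characters."""
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)",
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
                  value)


def bind_dn(username, template="uid=%u,ou=People,dc=example,dc=edu"):
    """DN for fast bind from a %u template (assumed base). Without the
    escaping, 'fred,ou=Admins' would move the bind to a different subtree."""
    return template.replace("%u", escape_dn_value(normalize_username(username)))


def memberof_to_group_names(member_of):
    """CN values of the memberOf DNs, e.g. for casServiceValidationSuccess.jsp;
    entries whose first RDN is not a CN are dropped."""
    names = []
    for dn in member_of:
        first_rdn = _UNESCAPED_COMMA.split(dn, maxsplit=1)[0]
        attr, _, value = first_rdn.partition("=")
        if attr.strip().lower() == "cn":
            names.append(unescape_dn_value(value.strip()))
    return names


if __name__ == "__main__":
    print(bind_dn(" Fred "))
    print(bind_dn("fred,ou=Admins"))
    print(memberof_to_group_names(["CN=Library Staff,OU=Groups,DC=example,DC=edu",
                                   "CN=Smith\\, John Admins,OU=Groups,DC=example,DC=edu"]))
```

Escaping the DN keeps the bind where the template says it is; it does not make the username match what the directory holds. For that, do what John describes and release a directory attribute (sAMAccountName, uid) as the principal rather than the typed value.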

RE: [cas-user] LDAP: Bind vs FastBind

2014-02-21 Thread Ourada, John
Not java directly, but jsp.  It doesn't require recompiling anything.  I 
haven't gotten into the whole maven methods of maintaining my source. We have 
other products that we use for that.  I just modified the jsp code and placed 
the file in the correct place...

Jsp is pretty easy to figure out.

Here is a snippet that I added to my file to cleanup the attributes.  You just 
need to know what the data looks like.  Are the id's separated by a comma or a 
semi-colon.  There should be a function that would split the value. You would 
have to do a little work to figure out exactly how to get the value that you 
want and then put it in the right place on the page.


   
  
  ${fn:escapeXml(attr.value)}
  
  

  
true
  

  
   






Take a look at the file and you will see where the userid is retrieved and 
placed.

It looks like this:
${fn:escapeXml(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.id)}

-John

From: Rex Roof [mailto:r...@wccnet.edu]
Sent: Friday, February 21, 2014 3:38 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] LDAP: Bind vs FastBind

does it definitely require java coding?  I'd hope I could do it in the 
configuration XML instead.


- Rex Roof
WCC Systems Engineer  mailto:r...@wccnet.edu>>
734-973-3478

On Fri, Feb 21, 2014 at 3:46 PM, Ourada, John 
mailto:jour...@depaul.edu>> wrote:
I am not a good source for doing things in java in CAS.  I haven't done any 
real java coding.  I am running pretty much delivered code.  The only thing I 
have modified is jsp files and configuration files.

Depending on what is returned by that attribute, you could fix it in the 
casServiceValidationSuccess.jsp file.

I modified that file to return attributes based on someone else's documentation 
on returning attributes. The issue that I had was how CAS returns the 
'memberOf' attribute.  I cleaned up the listing of 'memberOf' into something 
that could be used by downstream applications in this file.

Others would need to respond as to the dangers of doing that...

From: Rex Roof [mailto:r...@wccnet.edu<mailto:r...@wccnet.edu>]
Sent: Friday, February 21, 2014 2:34 PM

To: cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org>
Subject: Re: [cas-user] LDAP: Bind vs FastBind

we've been dealing with a similar problem and I was thinking about doing this.

One thing, though, we're using openldap and our "uid" attribute can contain 
multiple usernames associated with the user.   I've already scripted something 
that makes sure the primary username is first, but since I don't have that 
primary username in its own attribute I couldn't figure out how to return just 
that attribute as the username.

any idea how I might pop that first username off of our list of uids and use it 
as the primary username?


- Rex Roof
WCC Systems Engineer  mailto:r...@wccnet.edu>>
734-973-3478

On Fri, Feb 21, 2014 at 3:28 PM, Ourada, John 
mailto:jour...@depaul.edu>> wrote:
I solved the problem for us by using attributes.

Since I needed to return a few attributes anyway, I mapped the attribute 
'username' to a specific directory attribute.  In my case, this has the effect 
of returning the data from the directory instead of what the user typed.

It still requires that I configure an account that can retrieve the attributes 
once a user has successfully logged in.

-John

-Original Message-
From: Tom Poage [mailto:tfpo...@ucdavis.edu<mailto:tfpo...@ucdavis.edu>]
Sent: Friday, February 21, 2014 2:14 PM
To: cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org>
Subject: Re: [cas-user] LDAP: Bind vs FastBind

On 02/21/2014 05:24 AM, Whittaker, Geoffrey wrote:
> What are the benefits of FastBind over Bind.  Are there any security
> issues I should be aware of if I use FastBind?

With the general case-insensitive nature of LDAP queries, we discovered the 
need to 'normalize' and filter the username when using "fast bind"
(not AD).

The username/principal is exposed through service ticket validation as entered 
at the login page, so if the client enters "Fred" one time and "FRED" another, 
it'll match the same LDAP entry, but to any case-sensitive app downstream, it 
looks like two different clients.

Ended up implementing a CredentialsToPrincipalResolver:

> protected String extractPrincipalId(final Credentials credentials) {
> final UsernamePasswordCredentials usernamePasswordCredentials = 
> (UsernamePasswordCredentials) credentials;
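The case-normalising resolver Tom describes above, as an added example that is not his code (his snippet is truncated in the archive): it subclasses CAS 3.x's AbstractPersonDirectoryCredentialsToPrincipalResolver (an assumed superclass name; the extractPrincipalId hook is the one quoted in the thread), lower-cases the typed username and rejects anything outside a small allow-list, so "Fred" and "FRED" reach downstream applications as the same principal.

```java
import java.util.Locale;
import java.util.regex.Pattern;

import org.jasig.cas.authentication.principal.AbstractPersonDirectoryCredentialsToPrincipalResolver;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;

/**
 * Canonicalises the username typed at the login page before it becomes the
 * principal id that service-ticket validation exposes to applications.
 *
 * Added example: the superclass name is assumed from the CAS 3.x API; the
 * extractPrincipalId hook is the one shown in the thread. The normalisation
 * rules below are this example's choice, not any site's policy.
 */
public class CanonicalUsernameCredentialsToPrincipalResolver
        extends AbstractPersonDirectoryCredentialsToPrincipalResolver {

    /** Allow-list for an LDAP uid: letters, digits, dot, underscore, hyphen. */
    private static final Pattern SAFE_USERNAME =
            Pattern.compile("^[a-z0-9._-]{1,64}$");

    @Override
    public boolean supports(final Credentials credentials) {
        return credentials instanceof UsernamePasswordCredentials;
    }

    @Override
    protected String extractPrincipalId(final Credentials credentials) {
        final UsernamePasswordCredentials upc = (UsernamePasswordCredentials) credentials;
        // A null id means "no principal": the base class then resolves nothing
        // and the login fails rather than minting a ticket for an odd name
        // (base-class behaviour as assumed here).
        return normalize(upc.getUsername());
    }

    /**
     * Trim, lower-case and filter a username. LDAP matches "Fred" and "FRED"
     * to the same entry, but a case-sensitive application downstream would
     * see two users; after this both become "fred". Names containing
     * anything outside the allow-list (LDAP filter metacharacters such as
     * '*', '(' or '\\' included) are rejected by returning null.
     */
    static String normalize(final String raw) {
        if (raw == null) {
            return null;
        }
        final String candidate = raw.trim().toLowerCase(Locale.ROOT);
        return SAFE_USERNAME.matcher(candidate).matches() ? candidate : null;
    }
}
```

Wire it in place of the default UsernamePasswordCredentialsToPrincipalResolver in the authentication manager's bean definition; the attribute lookup the base class performs then keys on the canonical id.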

RE: [cas-user] non-sso service

2014-02-26 Thread Ourada, John
If I understand correctly how CAS works... When you authenticate, a TGT and 
ST are created, period.  Each service can be configured as to whether it honors 
the TGT or requires another user/pw verification.  I don't think you can 
prevent the creation of the TGT.

-John



From: Michael Herring [mailto:herri...@denison.edu]
Sent: Wednesday, February 26, 2014 12:30 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] non-sso service

Unless I'm missing something fundamental I think this is as simple as 
unchecking the "SSO Participant" checkbox on the Edit Service page of the 
Services Management. This functionality is present in CAS 3.5.x (and possible 
earlier).

HTH,
-Michael

On Wed, Feb 26, 2014 at 11:59 AM, wallace 
mailto:wallace.neik...@wright.edu>> wrote:
Is there any way to add a service to CAS that does NOT participate in SSO, but 
still gets challenged by CAS for credentials?

CAS would be responsible for collecting our credentials, but not allowing SSO 
to occur for the other services defined to CAS.

I guess it would be ... the app gets a service ticket, but not a granting 
ticket.

Is this possible?





--
Michael Herring
Information Technology Services
Web Developer
Denison University
740-587-6360
herri...@denison.edu


RE: RE:[cas-user] non-sso service

2014-02-26 Thread Ourada, John
If a service doesn't participate in SSO, then it doesn't honor the TGT, in that 
it will require CAS to get a new TGT.

If SSO is disabled on B, but not on A, consider the following.

User requests access to A, supplies credentials, then requests access to B.  
They must again supply credentials.
But if the user requests access to B first, supplies credentials, then requests 
access to A, then SSO works and the user doesn't supply credentials.

Every authentication creates an SSO TGT token.  It is up to the service to make 
use of the SSO TGT token or request that the user re-supply credentials.  You 
are first authenticating to CAS.  CAS can pass that authentication on to other 
services.

In your case, you don't want the SSO TGT token to be created.  That isn't CAS.

-John

-Original Message-
From: wallace [mailto:wallace.neik...@wright.edu] 
Sent: Wednesday, February 26, 2014 1:10 PM
To: cas-user@lists.jasig.org
Subject: RE:[cas-user] non-sso service

ah-ha, another cas instance where nothing is sso enabled.
that's interesting, we'll give that a try -- thanks. 

Also, the login/out mod -- we're trying to avoid any code changes.

Last comment, ...
"
Each service can be configured as to whether it honors the TGT or requires 
another user/pw verification.  
"
How do you configure a service that does not honor the tgt ???
I would think it would be un-check the sso box, but that doesn't work. Unless, 
our cas configs are not right ??


RE: [cas-user] Intercepting X-Forwarded-For for the proper Client IP Address

2014-04-15 Thread Ourada, John
In my case, I did it in the tomcat server.xml.
IP addresses redacted.

  
From: Jérôme LELEU [mailto:lel...@gmail.com]
Sent: Tuesday, April 15, 2014 2:36 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Intercepting X-Forwarded-For for the proper Client IP 
Address

Hi,

It looks good to me. No way to output incoming headers with a Tomcat Valve or 
Apache layer? Before contacting network guys...
Best regards,
Jérôme


2014-04-14 19:28 GMT+02:00 Ben Branch mailto:bbra...@uco.edu>>:
All,

Recently attempted to configure Inspektr to try and capture the client ip 
address out of the X-Forwarded-For Header.  After making this change and 
restarting the services, I'm still seeing the client IP address of the load 
balancer instead of the actual client IP.  This is what I added to my web.xml:


CAS Client Info Logging Filter

com.github.inspektr.common.web.ClientInfoThreadLocalFilter

alternativeIpAddressHeader
X-Forwarded-For



Is there anything else I need to do?  Or should I contact my network guys and 
begin troubleshooting at the load balancer?

Ben Branch
UNIX/Linux Administrator
University of Central Oklahoma
ITIL Foundation v3, Network+, RHCSA

100 N. University Drive, Box 122
Edmond, OK 73034
D: 405.974.2649 | M: 405.550.6804 | bbranch@uco.edu | 
www.uco.edu

“I am wiser than this man, for neither of us appears to know anything great and 
good; but he fancies he knows something, although he knows nothing; whereas I, 
as I do not know anything, so I do not fancy I do. In this trifling particular, 
then, I appear to be wiser than he, because I do not fancy I know what I do not 
know.”  - Socrates


**Bronze+Blue=Green** The University of Central Oklahoma is Bronze, Blue, and 
Green! Please print this e-mail only if absolutely necessary!

**CONFIDENTIALITY** -This e-mail (including any attachments) may contain 
confidential, proprietary and privileged information. Any unauthorized 
disclosure or use of this information is prohibited.



RE: [cas-user] Intercepting X-Forwarded-For for the proper Client IP Address

2014-04-17 Thread Ourada, John
For us, our security team wants to log all access to the system not just 
authentication attempts. There is logging that occurs at the tomcat layer for 
that already so the valve made sense.

The same type of change is done for other systems including iis, apache.

-john

-John

Sent from Moxier Mail
(http://www.moxier.com)


- Original Message -
From: "Whittaker, Geoffrey" 
To: "cas-user@lists.jasig.org" 
Sent: 04/17/2014 7:12 AM
Subject: RE: [cas-user] Intercepting X-Forwarded-For for the proper Client IP 
Address



I have access to the entire system.  But, I'm only knowledgeable enough to be 
dangerous.  I don't want to introduce something that has security consequences 
downstream.

Geoff

From: Jérôme LELEU [mailto:lel...@gmail.com]
Sent: Thursday, April 17, 2014 4:09 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Intercepting X-Forwarded-For for the proper Client IP 
Address

Hi,

In fact, it depends on your organization, habits... Maybe you don't have access 
to the Tomcat configuration and your ops don't want to set up the Valve: you 
need to update ClientInfoThreadLocalFilter...
Personally, I'm a developer, I like to work at the application level.
Best regards,
Jérôme



2014-04-16 21:06 GMT+02:00 Whittaker, Geoffrey 
mailto:geoff.whitta...@unf.edu>>:
What is the best practice for accomplishing this task?

Geoff

From: Jérôme LELEU [mailto:lel...@gmail.com<mailto:lel...@gmail.com>]
Sent: Tuesday, April 15, 2014 11:13 AM
To: cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org>
Subject: Re: [cas-user] Intercepting X-Forwarded-For for the proper Client IP 
Address

Hi,

In fact, the Tomcat Valve is not a good idea as the header is moved to the IP 
address and deleted. If you use the Tomcat Valve, you don't need any specific 
configuration in your filter...
Best,
Jérôme



RE: [cas-user] Intercepting X-Forwarded-For for the proper Client IP Address

2014-04-22 Thread Ourada, John
Did you try the valve that I put in tomcat server.xml?

From: Whittaker, Geoffrey [mailto:geoff.whitta...@unf.edu]
Sent: Tuesday, April 22, 2014 3:08 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Intercepting X-Forwarded-For for the proper Client IP 
Address

@bbra...@uco.edu<mailto:bbra...@uco.edu>

Did you ever get this resolved?  I tried to use the same setup and from what I 
can find online, that should work.  But, I'm still getting the netscaler IP in 
the logs.

Geoff


RE: [cas-user] Intercepting X-Forwarded-For for the proper Client IP Address

2014-04-23 Thread Ourada, John
It might be worth just trying to see if that works.  I didn't do that method so 
I can't comment on it.

It is just a matter of adding the one valve to your server.xml in the conf 
folder.

It is the 2nd item under the  tag.  The  
tag is first.   At least that is what I did.

I am not an expert either.  I just looked up documentation on tomcat valves and 
found the remoteip valve and followed the instructions.

-John

From: Whittaker, Geoffrey [mailto:geoff.whitta...@unf.edu]
Sent: Wednesday, April 23, 2014 6:55 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Intercepting X-Forwarded-For for the proper Client IP 
Address

No, I was trying to get the filter to work in the app's web.xml.  I had found 
the example here and when reviewing the CASUM at the bottom of the page: 
https://wiki.jasig.org/display/CASUM/Throttling+Login+Attempts.

I'm still learning about Tomcat, but from what I understand this should have 
worked.  Should I just give up on the filter and do the valve?

Geoff


RE: [cas-user] Intercepting X-Forwarded-For for the proper Client IP Address

2014-04-23 Thread Ourada, John
As far as I am aware, that is what is happening here.

-John

From: Ben Branch [mailto:bbra...@uco.edu]
Sent: Wednesday, April 23, 2014 11:16 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Intercepting X-Forwarded-For for the proper Client IP 
Address

Geoff,

I did not.  I have a suspicion that my problem isn't the CAS configuration, but 
how our Load Balancer is configured.  From my reading on the X-Forwarded-For 
HTTP Header, the X-Forwarded-For header can only be modified if it is a non-ssl 
connection.  To insert the properly formed X-Forwarded-For Header into an SSL 
connection,  you would need to terminate the SSL connection at the Load 
Balancer, insert the new HTTP Header and then have the Load Balancer 
re-establish the SSL connection.  In order to achieve this, you would need to 
upload both your public and private SSL keys to the load balancer.  This is my 
simple understanding after spending quite a bit of time researching the matter.

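The trust decision behind John's RemoteIpValve and Ben's load-balancer point, as an added example that is not any poster's configuration: a small Java class that mirrors what Tomcat's RemoteIpValve does with X-Forwarded-For (the class name and the 10.0.0.x proxy range are assumptions; remoteIpHeader and internalProxies are the valve's real attribute names; the valve's separate trustedProxies list is left out).

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Resolves the client address from X-Forwarded-For the way Tomcat's
 * RemoteIpValve does: the header is honoured only when the connection comes
 * from one of our own proxies, and only the right-most address that we did
 * not add ourselves is believed.
 *
 * The equivalent valve, placed under <Host> in conf/server.xml (the address
 * pattern is a placeholder for the site's balancer range):
 *   <Valve className="org.apache.catalina.valves.RemoteIpValve"
 *          remoteIpHeader="x-forwarded-for"
 *          internalProxies="10\.0\.0\.\d{1,3}" />
 */
public final class ForwardedClientIp {

    private final Pattern internalProxies;

    public ForwardedClientIp(final String internalProxiesRegex) {
        this.internalProxies = Pattern.compile(internalProxiesRegex);
    }

    /**
     * @param remoteAddr the TCP peer Tomcat actually accepted the connection from
     * @param xffHeader  the X-Forwarded-For value, or null when the header is absent
     * @return the address to record as the client in audit and access logs
     */
    public String resolve(final String remoteAddr, final String xffHeader) {
        // If the peer is not one of our proxies, the header was supplied by the
        // client itself (or anything else on the path) and must be ignored.
        if (xffHeader == null || !internalProxies.matcher(remoteAddr).matches()) {
            return remoteAddr;
        }
        // Each proxy appends the address it saw to the right. Walk from the
        // right, skip our own proxies, and stop at the first hop we did not add.
        final List<String> hops = Arrays.asList(xffHeader.split(","));
        for (int i = hops.size() - 1; i >= 0; i--) {
            final String hop = hops.get(i).trim();
            if (hop.isEmpty()) {
                continue;
            }
            if (!internalProxies.matcher(hop).matches()) {
                return hop;
            }
        }
        // Every hop was one of our proxies: nothing better than the peer address.
        return remoteAddr;
    }

    public static void main(final String[] args) {
        // Constructed sample traffic; 203.0.113.x and 198.51.100.x are documentation ranges.
        final ForwardedClientIp r = new ForwardedClientIp("10\\.0\\.0\\.\\d{1,3}");

        // Balancer 10.0.0.5 terminated TLS and appended the real client address.
        System.out.println(r.resolve("10.0.0.5", "203.0.113.7"));

        // The client sent its own forged header first; the balancer appended the
        // address it saw, and that right-most untrusted hop is the one believed.
        System.out.println(r.resolve("10.0.0.5", "198.51.100.9, 203.0.113.7"));

        // Direct connection that bypassed the balancer: the header is not trusted.
        System.out.println(r.resolve("203.0.113.7", "198.51.100.9"));

        // No header at all, e.g. TLS passed through the balancer unterminated,
        // which is the situation Ben describes: the balancer address is all we have.
        System.out.println(r.resolve("10.0.0.5", null));
    }
}
```

A web.xml filter that reads the header directly (the alternativeIpAddressHeader setting shown earlier in the thread) performs none of this checking itself, so it only gives a trustworthy address when a proxy or valve in front of it has already normalised the header.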

RE: [cas-user] return uppercase version of LDAP attribute

2014-07-02 Thread Ourada, John
What method are you using to retrieve the attributes?

I modified the serviceValidateSuccess.jsp to return attribute values and have 
made data modifications there.  If you are using samlValidate, then I am no 
help there.

-John

From: Brian Lewis [mailto:blew...@morainepark.edu]
Sent: Wednesday, July 02, 2014 2:24 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] return uppercase version of LDAP attribute

We use BEIS and get the UDC_IDENTIFIER from Banner to update AD.
Thanks,

Brian

Brian Lewis
Director, Administrative Computing and Web Services
Ellucian
Moraine Park Technical College
235 N. National Ave.
Fond du Lac, WI 54936

Voice: 920.924.3517
Mobile: 920.273.9728
Fax: 920-907-6997
brian.le...@ellucian.com
www.ellucian.com

CONFIDENTIALITY:  This e-mail (including any attachments) may contain 
confidential, proprietary and privileged information, and unauthorized 
disclosure or use is prohibited.  If you received this e-mail in error, please 
notify the sender and delete this e-mail from your system. Thank you.


From: Linda Toth [mailto:ltt...@alaska.edu]
Sent: Wednesday, July 02, 2014 2:11 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] return uppercase version of LDAP attribute

Brian,

Since the UDC_IDENTIFIER is a string in Banner, we migrated all UDC IDs to AD 
as they are in the database.  We have not had to make any translation to upper 
case.

Would the migration script/tool that our Banner group used help?

Linda

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity and 
Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | 
www.alaska.edu/oit/


On Wed, Jul 2, 2014 at 7:09 AM, Brian Gibson 
mailto:gibson_br...@wheatoncollege.edu>> wrote:
Hi all,

We are running CAS 3.5.2 and it is successfully pointing to Active Directory to 
authenticate users and to map certain attributes. We need to take an attribute 
that is returned from AD and convert it to uppercase before we release it.  The 
CAS name for the attribute is UDC_IDENTIFIER and it maps the AD sAMAccountName 
value to it, here is the  entry and it is the line in bold that does the 
mapping.


Anyone know how to set the value returned as the UDC_IDENTIFIER to be 
uppercase? Would it be done in the above section or would it be done in the 
service entry we have for the specific web application which is here:

http://webldevl1\.wheatonma\.edu\:7004/ssomanager/.*"
 />

Name
Email
DisplayName
UDC_IDENTIFIER


Thanks for any help you can offer :-)


--





Brian Gibson

Systems Administrator

Wheaton College



Are you a musician? If so visit my Arbans Online music site at

http://arbansonline.com and listen & contribute

--

You are currently subscribed to 
cas-user@lists.jasig.org as: 
ltt...@alaska.edu

To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user






RE: [cas-user] CAS ISAPI filter configuration

2014-09-10 Thread Ourada, John
Beware of the CAS ISAPI filters that exist... They don't terminate headers 
correctly and Chrome will complain and not continue.

UC Davis had the best one out there (IMO), but aren't able to support it 
anymore.

If the IIS version is high enough (7 and 8, I believe), you can use the .net 
CAS client to perform the authentication.  I did this on a test server and was 
in the process of convincing the vendor to try it, but they were able to switch 
to use ezproxy.

There is some documentation on jasig on how to make this work.

-John

From: John Gasper [mailto:jgas...@unicon.net]
Sent: Wednesday, September 10, 2014 10:39 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS ISAPI filter configuration

Hi Paul,

I haven't specifically worked with the CAS ISAPI filter, but in general ISAPI 
filters intercept all calls to a web application before the actual page gets 
hit. (This is very much like how the .NET Client works). It could be that you 
can set the service url to be whatever you want CAS Server to redirect the 
browser back to. Based on the age of the filter I wouldn't be surprised that it 
doesn't dynamically generate the service url.

Just my completely uninformed thoughts.

-J-

---
John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef
On 9/9/14 7:25 PM, Paul B. Henson wrote:

One of my colleagues has an application that runs under IIS that he would like 
to use central authentication for. Unfortunately, the company is not interested 
in integrating CAS support into their application. However, it does currently 
support delegating authentication to IIS and integrating into Windows domain 
authentication.



Based on my limited understanding of that infrastructure, I thought we should 
be able to use the CAS ISAPI filter to make this application use CAS rather 
than Windows domain authentication (with a caveat: I assume the application is 
looking for the standard remote_user header, so the application would need 
either to be modified to look for the authenticated username in a custom 
header, or we would need to binary edit it to change the header it currently 
looks for).



He has it installed and mostly configured, but he is not sure what to set the 
"Service URL"  to, and neither am I. In a CAS transaction, the service URL is 
where the CAS server sends a browser after it gives out a service ticket after 
successful authentication, and that URL is then responsible for consuming the 
service ticket, validating it with CAS, and then providing access to the 
underlying application. But given in this case the application has no idea it 
is using CAS, shouldn't the "Service URL" functionality be handled by the CAS 
ISAPI filter itself somehow?



Or am I misunderstanding how the CAS ISAPI filter is supposed to work?



Any hints on how to appropriately configure this would be much appreciated.



Thanks...



--

Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/

Operating Systems and Network Analyst  |  
hen...@csupomona.edu

California State Polytechnic University  |  Pomona CA 91768









RE: [cas-user] CAS ISAPI filter configuration

2014-09-10 Thread Ourada, John
The last time I talked to the UC Davis folks, they indicated that they wouldn't 
be supporting it anymore even though it had been fixed.

BTW, they were great in getting it fixed in the first place.

Use this as a starting point: 
https://wiki.jasig.org/pages/viewpage.action?pageId=35389878

Don't worry about PHP or FastCGI.  If you basically read through the 
instructions, you end up with  the server variables being passed to the 
application.  I had it working with a test version of a .net app that didn't 
have any setup with CAS. Unfortunately, I have taken down the system where I 
did my testing.

-John

-Original Message-
From: Paul B. Henson [mailto:hen...@csupomona.edu] 
Sent: Wednesday, September 10, 2014 3:09 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS ISAPI filter configuration

> From: Ourada, John
> Sent: Wednesday, September 10, 2014 8:47 AM
>
> Beware of the CAS ISAPI filters that exist... They don't terminate 
> headers correctly and Chrome will complain and not continue.
>
> UC Davis had the best one out there (IMO), but aren't able to support 
> it anymore.

Actually, version 2.2  was released on Nov 25, 2013, with a change list of 
"Chrome interoperability issue fixed". I'm not sure what their long-term plans 
are as for supporting it, but I believe they have fixed at least the issue with 
chrome.

> If the IIS version is high enough (7 and 8, I believe), you can use 
> the .net CAS client to perform the authentication.  I did this on a 
> test server and was in the process of convincing the vendor to try it, 
> but they were able to switch to use ezproxy.

You can use the .net client without cooperation from the application actually 
being authenticated?

> There is some documentation on jasig on how to make this work.

What documentation are you referring to? The only documentation I see for the 
.net client says "The .NET CAS client integrates with ASP.NET applications by 
customizing the application web.config file" and "Ensure it is deployed to the 
/Bin directory of the Web application", both of which seem like things that 
would require the cooperation of the actual application, as opposed to the 
ISAPI filter, in which the authentication is completely handled by IIS itself?

Thanks...

--
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/ 
Operating Systems and Network Analyst  |  hen...@csupomona.edu California State 
Polytechnic University  |  Pomona CA 91768






[cas-user] Terracotta Setup Question

2011-08-11 Thread Ourada, John
I have been following the instructions provided for setting up
Terracotta DSO and load balancing CAS.

 

First, a big thanks to NAU for providing the information.  It has been a
huge help!

 

There is an option in the default Terracotta startup script

-Dsun.rmi.dgc.server.gcInterval=31536000

 

It isn't mentioned in the documentation, but it seems like a really long
time for garbage collection (1 year).  There is a note in the startup
script about avoiding system gc in case authentication is enabled.

 

I am going to change the value to 1 hour, but was wondering if anybody
else has experience with this java parameter with regards to Terracotta.

 

Thank you!

-John



RE: [cas-user] CAS in load balanced environment

2011-08-16 Thread Ourada, John
Matt, have you seen NAU's presentation on using Terracotta DSO on the JASIG 
website?

I just set up our dev environment following their recommendations.  I did it 
both on a Win 2003 server and Redhat.  It was very easy in both instances.  My 
preference is Terracotta since I have the option to go Commercial, but also 
there is continued dev.  Repcache's website shows the last version update in 
2009.  From a simplicity standpoint, there are no code changes required in CAS 
which is good for us as we don't have a lot of Java experience.

-John

-Original Message-
From: Kirk, Matt [mailto:matt.k...@bskyb.com] 
Sent: Tuesday, August 16, 2011 2:59 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS in load balanced environment

Hi,

I'm currently looking at implementing a HA CAS Cluster and I was looking at 
using Ehcache.  Having just read your post, what is the Memcache solution and 
do you have a setup guide?  Is one solution favourable over another?

Thanks,
Matt


From: Marvin Addison [marvin.addi...@gmail.com]
Sent: 05 August 2011 01:43
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS in load balanced environment

> So please let me know if just implementing memcache will resolve the issue?

You have a common HA setup.  MemcachedTicketRegistry + memcached should solve 
your problems.

M




RE: [cas-user] CAS in load balanced environment

2011-08-16 Thread Ourada, John
I followed NAU's setup and used the default registry.  I am using CAS 3.4.6 
with Terracotta 3.5.2.  I am not getting any errors.  I too am using the audit 
trail functionality to record who logged in/out.

-John

-Original Message-
From: Kirk, Matt [mailto:matt.k...@bskyb.com] 
Sent: Tuesday, August 16, 2011 8:22 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS in load balanced environment

Hi John,

Yes, I've seen that and used it as the basis for choosing Ehcache over 
JBossCache.  Was just wondering what other alternatives there are and saw the 
Memcache post.

Did you encounter any issues setting up a clustered CAS with Ehcache? What 
software versions (CAS, etc...) are you using?  I'm trying the Ehcache setup 
described in https://wiki.jasig.org/display/CASUM/EhcacheTicketRegistry against 
CAS 3.4.7 but getting NPE's in the audit code here:

java.lang.NullPointerException
at 
com.github.inspektr.audit.AuditTrailManagementAspect.executeAuditCode(AuditTrailManagementAspect.java:147)

Did you hit this problem?

Thanks again,
Matt



RE: [cas-user] CAS in load balanced environment

2011-08-16 Thread Ourada, John
On RedHat Server 5.7

I did install the exact same setup on Windows 2003 but moved because of having 
to use a service wrapper and to implement IPSec between systems as our Security 
folks preferred that we did and our backup data center is moving off campus.

-John

-Original Message-
From: Kirk, Matt [mailto:matt.k...@bskyb.com] 
Sent: Tuesday, August 16, 2011 8:22 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS in load balanced environment

Hi John,

Yes, I've seen that and used it as the basis for choosing Ehcache over 
JBossCache.  Was just wondering what other alternatives there are and saw the 
Memcache post.

Did you encounter any issues setting up a clustered CAS with Ehcache? What 
software versions (CAS, etc...) are you using?  I'm trying the Ehcache setup 
described in https://wiki.jasig.org/display/CASUM/EhcacheTicketRegistry against 
CAS 3.4.7 but getting NPE's in the audit code here:

java.lang.NullPointerException
at 
com.github.inspektr.audit.AuditTrailManagementAspect.executeAuditCode(AuditTrailManagementAspect.java:147)

Did you hit this problem?

Thanks again,
Matt



RE: [cas-user] CAS in load balanced environment

2011-08-16 Thread Ourada, John
Matt, based on what I have read on the JASIG site, I agree with you.

 

Part of the requirements given to me was to not have a user
re-authenticate if part of the cluster fails.  Memcache was eliminated.
Using a DB involved too many groups within IS and increased cost.

 

I am curious why you are choosing the EHCache ticket registry over
DefaultTicketRegistry.  Am I missing something?

 

-john

 

From: Kirk, Matt [mailto:matt.k...@bskyb.com] 
Sent: Tuesday, August 16, 2011 10:05 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS in load balanced environment

 

Thanks for all the feedback.

We're opting for the distributed Ehcache ticket registry over a database
persistent registry across a CAS Cluster as we feel that if a node goes
down, then the ticket replication will allow seamless access to services
and therefore the DB is not required (and would itself be a single point
of failure unless replicated in some fashion).  The failed node can then
be re-started and rejoin the cluster and be re-populated with the
current tickets via the distributed Ehcache.  

If the entire cluster were to go down it would require users to
re-authenticate but we consider this a (hopefully) rare and fatal system
failure so forcing users to re-authenticate after system re-start is
acceptable.  

This approach removes the need for a database and all the cost / admin
etc that goes with it.  

Do you think this is a reasonable solution?  Have I missed something which
may change my thoughts?

Thanks,
Matt





From: Scott Battaglia [scott.battag...@gmail.com]
Sent: 16 August 2011 14:55
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS in load balanced environment

On Tue, Aug 16, 2011 at 9:47 AM, Marvin Addison wrote:

> what is the Memcache solution and do you have a setup guide?

See https://wiki.jasig.org/display/CASUM/MemcacheTicketRegistry.  I'll
discuss briefly what's _not_ in the manual.  I think there's some
misinformation in the community, borne out in list discussions and
other venues, about the need for the repcache patches to memcached for
clustering.  I think repcache is absolutely unnecessary based on the
failure mode of memcached.  Consider a memcached cluster of 3 nodes,
all noted in the CAS configuration.  The Java memcached client will
calculate a key and store it on one node.  If that node goes down, the
client will attempt to retrieve the key from the dead node and fail,
returning an empty value.  That will appear to CAS and ultimately the
user that he or she is unauthenticated and will simply need to
reauthenticate.  Upon reauthentication the client will know that there
are only two nodes remaining, and calculate a new key that will be
stored on one of the two available nodes and proceed as normal.  That
is a _very_ graceful failure mode in my opinion, and there's no need
for anything additional like repcached.

 

It really depends on your needs.  You may feel that it's acceptable to
force them to log back in if a node goes down, others may not.  This is
why we have a number of these backing mechanisms: you find the one that
matches your expertise and meets your availability requirements.

 

However, as you note, using repcached is optional, and just provides an
extra level of redundancy if you want to apply the patch. (we did at
Rutgers)

 

Cheers,

Scott

 

 


> Is one solution favourable over another?

Most folks choose based on experience with a particular technology.
We use JpaTicketRegistry on PostgreSQL in production, but I'd be happy
to switch to memcached if needed.  I personally think Terracotta,
JBossCache, and Infinispan are interesting technologies that are
overkill for CAS.  The complexity is not worth the benefits.  That is
absolutely a personal opinion and lots of folks would disagree.

M


RE: [cas-user] CAS and Terracotta

2011-09-08 Thread Ourada, John
I am using it in our current dev environment following the instructions
provided and it works really well.  We will be moving to PRD in the next
week or so.

 

I have Tomcat 6.0.28 and CAS 3.4.6

 

-john

 

From: Jacquet, Frederic [mailto:frederic.jacq...@imd.ch] 
Sent: Thursday, September 08, 2011 3:48 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS and Terracotta

 

you can use this valuable doc : 
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPCluster

only the config file is different ;) 

regards
fred



From: Juan Orti Alcaine [j.o...@grupocomex.com]
Sent: Thursday, September 08, 2011 10:09 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS and Terracotta

Hello, we are installing Liferay with CAS authentication in tomcat
6.0.29 and a cluster of two terracotta servers. 
We plan to use LDAP authentication and it works ok without terracotta.

Terracotta uses a configuration based on the file of this bug report:
https://issues.jasig.org/browse/CAS-750 
but we are unable to make it work. When we enable terracotta, I can't
authenticate and get no errors in the log. I only see periodically:

2011-09-08 08:05:47,512 INFO
[org.jasig.cas.services.DefaultServicesManagerImpl] - 
2011-09-08 08:05:47,513 INFO
[org.jasig.cas.services.DefaultServicesManagerImpl] - 

Do you have any experience in this kind of setup?

Thanks.


RE: [cas-user] CAS and Terracotta

2011-09-08 Thread Ourada, John
What do you see in the Terracotta log files?  Client and Server.

 

-john

 

From: Juan Orti Alcaine [mailto:j.o...@grupocomex.com] 
Sent: Thursday, September 08, 2011 3:10 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS and Terracotta

 

Hello, we are installing Liferay with CAS authentication in tomcat
6.0.29 and a cluster of two terracotta servers. 
We plan to use LDAP authentication and it works ok without terracotta.

Terracotta uses a configuration based on the file of this bug report:
https://issues.jasig.org/browse/CAS-750 
but we are unable to make it work. When we enable terracotta, I can't
authenticate and get no errors in the log. I only see periodically:

2011-09-08 08:05:47,512 INFO
[org.jasig.cas.services.DefaultServicesManagerImpl] - 
2011-09-08 08:05:47,513 INFO
[org.jasig.cas.services.DefaultServicesManagerImpl] - 

Do you have any experience in this kind of setup?

Thanks.


RE: [cas-user] CAS Cluster and SPNEGO

2011-09-13 Thread Ourada, John
Look at the Terracotta solution proposed by Northern Arizona University.
It clusters all three...

 

-john

 

From: Arnaud Lesueur [mailto:arnaud.lesu...@gmail.com] 
Sent: Tuesday, September 13, 2011 8:34 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Cluster and SPNEGO

 

Hi Nicolaie,

 

As mentioned in https://wiki.jasig.org/display/CASUM/Clustering+CAS, you
will have to think about clustering several things Tomcat Session,
Ticket Registry, Service Management, ...

 

The JBossCache integration only covers the TicketRegistry. AFAIK, you
can use JBossCache clustering (for TicketRegistry) and SPNEGO. I've
already put that kind of cluster in place in 2006 on a fail-over architecture
based on CAS 3.0.x (first deployment using each module :-))

But you will also have to deal with Sessions Replication and Service
Management to have a full cluster.

 

Regards,


Arnaud Lesueur


 

On Sun, Sep 4, 2011 at 22:42, Nicolaie 
wrote:

Hello everybody, we built up CAS with SPNEGO for a German bank
successfully and want to try clustering with JBossCache next. Does
clustering include support for SPNEGO? I am asking this because I am
not sure if the technology of having two or more CAS instances is valid
concerning Kerberos tickets. Best regards and thanks in advance for your
reply, Nicolaie

Cheers Nicolaie

 





[cas-user] Interesting Problem: too many successful logins

2011-09-13 Thread Ourada, John
We ran into a problem over the weekend and yesterday where a single user
was able to affect performance of our current production CAS server
(3.4.6 on Tomcat 6.0.28 on Windows).  We haven't moved to our new HA
setup using Linux and Terracotta : (.

An external organization is working with us to provide services to our
Library and students and we are using CAS for the authentication
component.

The organization had a really, really bad bug in their software that
caused them to fail the validation and send the client back to us for
authentication.  The client was actually authenticated and so was sent
back to the organization with a new ServiceTicket.  This happened really
fast...  I logged 20K STs for this user in under 10 minutes yesterday
alone.

I see where I can throttle UNsuccessful login attempts, but what about
successful ones : ).

-john
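
The situation John describes (one principal being issued thousands of service tickets in minutes because a client loops between validation failure and re-authentication) is easy to spot from the audit trail once you count tickets per principal over a sliding window. The following is an added example, not code from this thread or from CAS; the audit line format it parses is constructed for the example and is not CAS's real Inspektr audit format, so adapt `parse_line` to whatever your audit appender emits.

```python
"""Flag principals receiving service tickets at a rate no interactive
login could produce (a looping client, as in the thread above).
Added example, not CAS code; the audit line format below is constructed
and is NOT CAS's real Inspektr audit format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT = "SERVICE_TICKET_CREATED"


def format_line(ts, principal, service):
    """Constructed audit line: '<timestamp> | <event> | principal=.. | service=..'."""
    stamp = f"{ts.strftime('%Y-%m-%d %H:%M:%S')},{ts.microsecond // 1000:03d}"
    return f"{stamp} | {EVENT} | principal={principal} | service={service}"


def parse_line(line):
    """Split one constructed audit line into (timestamp, event, {key: value})."""
    ts_text, event, *fields = [part.strip() for part in line.split("|")]
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S,%f"), event, kv


def find_runaway_principals(lines, threshold=50, window=timedelta(minutes=1)):
    """Return {(principal, service): peak} for every pair that was issued more
    than `threshold` service tickets inside any span of length `window`.
    Lines must be in chronological order (audit logs normally are)."""
    recent = defaultdict(deque)   # (principal, service) -> timestamps inside the window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, event, kv = parse_line(line)
        if event != EVENT:
            continue
        key = (kv["principal"], kv["service"])
        bucket = recent[key]
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:   # slide the window forward
            bucket.popleft()
        if len(bucket) > threshold:
            alerts[key] = max(alerts.get(key, 0), len(bucket))
    return alerts


def build_sample_log():
    """Constructed sample: alice logs in three times over ten minutes; bob's
    client is stuck in a validate-fail-redirect loop and is issued 120
    service tickets in 48 seconds."""
    base = datetime(2011, 9, 12, 10, 0, 0)
    lines = [format_line(base + timedelta(minutes=5 * i), "alice", "https://library.example.edu/")
             for i in range(3)]
    lines += [format_line(base + timedelta(milliseconds=400 * i), "bob", "https://vendor.example.org/cas")
              for i in range(120)]
    return sorted(lines)   # the timestamp leads each line, so a plain sort is chronological


if __name__ == "__main__":
    for (principal, service), peak in find_runaway_principals(build_sample_log()).items():
        print(f"ALERT {principal} -> {service}: {peak} STs inside one minute")
```

Keying on (principal, service) rather than on the principal alone keeps a user who legitimately opens several CAS-protected apps in quick succession from tripping the alert, while a single misbehaving service still stands out. The threshold and window are deliberately generous; a browser-driven login loop still exceeds them by an order of magnitude.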

RE: [cas-user] Interesting Problem: too many successful logins

2011-09-13 Thread Ourada, John
So something like this : )

The throttled timeout policy extends the TimeoutExpirationPolicy
<https://wiki.jasig.org/display/CASUM/Ticket+Expiration+Policy#TicketExpirationPolicy-TimeoutExpirationPolicy>
with the concept of throttling where a ticket may be used at most every
N seconds. This policy was designed to thwart denial of service
conditions where a rogue or misconfigured client attempts to consume CAS
server resources by requesting high volumes of service tickets in a
short time.

That makes a whole lot of sense.

Thanks, Scott!

From: Scott Battaglia [mailto:scott.battag...@gmail.com] 
Sent: Tuesday, September 13, 2011 10:47 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Interesting Problem: too many successful logins

There are actually different expiration policies for TGTs that can prevent
that.  I would take a look at them if you have not.

Though I'm also surprised the browser didn't stop that insanity!

[cas-user] Invalid Login Attempt Throttling and HA and Terracotta

2011-09-15 Thread Ourada, John
Was reading through the Invalid Login Attempt Throttling and had a
couple of thoughts.

Refer to page:
https://wiki.jasig.org/display/CASUM/Throttling+Login+Attempts

First, it took me a little while to realize that with the InMemory setup
the failureRangeInSeconds is meaningless except when logging the
warning.  Some mail archive searching confirmed that.

Second, I need to do throttling in an HA environment:

Here is a snippet from the documentation:

For multi-node CAS instances there is one option that combines the
auditing capabilities of the Inspektr package with the throttling
package (and relies on a database).

We don't use a DB for our audit logs since our Support teams use Splunk
for their log search and reporting needs.  I also can't get an HA db and
don't want to support it myself.

Since we are using Terracotta, I thought I would give it a try and it
seems to be working well.  I see the ConcurrentHashMap in Terracotta and
I see objects going into it when I have a failed login attempt.  I have
tried going to each tomcat instance individually and everything works as
expected.

For the auto decrement, I set it to 2*I (I is the expected interval).
If I want the decrement to be 120s, I set each server (I have 2) to
decrement every 240s so in effect I get something close to every 120s.

Does this seem like a good idea to continue or does anybody see an issue
that I haven't considered?

Thanks!

-John

Tc-config-tomcat.xml (snippet; only the shared root field names survive in
the archive):

org.jasig.cas.ticket.registry.DefaultTicketRegistry.cache

org.jasig.cas.web.support.AbstractInMemoryThrottledSubmissionHandlerInterceptorAdapter.ipMap

throttleInterceptorTrigger.xml (only the beans namespace header survives):

xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:p="http://www.springframework.org/schema/p"
   xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.0.xsd"

Picture of Terracotta Console
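
The "each of N nodes decrements every N*I seconds" trick above approximates a decrement every I seconds only if the nodes' timers are out of phase with each other. That is an assumption worth checking: if each node arms its timer at Tomcat start-up and both nodes are restarted together, both timers fire at the same moments and the shared map is decremented in bursts of two every 240 s, which is not the same thing for a client that fails once every 100 s. The model below is an added example, not CAS code; it simplifies the shared counter to "one failed login adds 1 for the client, each timer firing on any node subtracts 1, the client is rejected once the counter reaches the threshold".

```python
"""Timing model for the 'each of N nodes decrements the shared failure map
every N*I seconds' trick.  Added example, not CAS code: it models a shared
counter with simplified semantics (a failed login adds 1 for a client, each
timer firing on any node subtracts 1, a client is rejected once the counter
reaches the threshold).  Times are in seconds."""


def decrement_schedule(node_offsets, period, horizon):
    """Times at which *any* node's decrement timer fires within [0, horizon).
    node_offsets: the first-firing time of each node's timer."""
    times = []
    for offset in node_offsets:
        t = offset
        while t < horizon:
            times.append(t)
            t += period
    return sorted(times)


def gaps(times):
    """Effective intervals between consecutive decrements of the shared map."""
    return [later - earlier for earlier, later in zip(times, times[1:])]


def simulate_client(schedule, failure_times, threshold):
    """Replay one client's failed logins against the decrement schedule and
    return the times at which that client would have been throttled."""
    # kind 0 = decrement, kind 1 = failed login; ties resolve decrement-first
    events = sorted([(t, 0) for t in schedule] + [(t, 1) for t in failure_times])
    count, rejected = 0, []
    for t, kind in events:
        if kind == 0:
            count = max(0, count - 1)
        else:
            count += 1
            if count >= threshold:
                rejected.append(t)
    return rejected


if __name__ == "__main__":
    staggered = decrement_schedule([0, 120], period=240, horizon=1000)
    bunched = decrement_schedule([0, 0], period=240, horizon=1000)
    print("staggered gaps:", gaps(staggered))   # a steady 120 s
    print("bunched gaps:  ", gaps(bunched))     # alternating 0 s and 240 s
    slow_guesser = [0, 100, 200]                 # one failure every 100 s
    print("staggered rejects:", simulate_client(staggered, slow_guesser, 3))  # never
    print("bunched rejects:  ", simulate_client(bunched, slow_guesser, 3))    # at t=200
```

With threshold 3 the staggered schedule never locks out a client failing every 100 s, while the bunched schedule does, so two deployments with identical configuration behave differently depending on restart timing. If you rely on this trick, either stagger the nodes' restarts deliberately or accept that the effective decrement interval lies anywhere between I and N*I.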

RE: [cas-user] Clustering CAS using Terracotta

2011-09-15 Thread Ourada, John
Tobias, what changes did you make to your Tomcat startup?  Tomcat needs to know 
about Terracotta before it will work.

-John

-Original Message-
From: Tobias Quosigk [mailto:tquos...@kennesaw.edu] 
Sent: Thursday, September 15, 2011 3:02 PM
To: cas-user@lists.jasig.org
Subject: [cas-user] Clustering CAS using Terracotta

I'm following the writeup at https://wiki.jasig.org/display/CASUM/Terracotta to 
cluster my two instances of CAS 3.4.10 on Windows Server 2008 R2 64-bit running 
Tomcat 6.0.33 using Terracotta 3.5.2_1.

I installed Terracotta, used tim-get to install tim-vector, tim-tomcat-6.0, 
tim-spring-webflow-2.0 and tim-spring-security-2.0. 

I used the NAU sample tc-config.xml and modified it (file attached) to add the 
second node.

Terracotta starts on both nodes, I see both servers on the Developer Console, 
but nothing gets replicated. What am I doing wrong? Does anyone have more 
extensive documentation than what's available on the wiki?

Tobias


Tobias Quosigk
Information Technology Services
Kennesaw State University

RE: [cas-user] Clustering CAS using Terracotta

2011-09-15 Thread Ourada, John
Do you see the client (tomcat) connected?

Here is a snippet of what my console looks like.

-John

RE: [cas-user] Clustering CAS using Terracotta

2011-09-15 Thread Ourada, John
Look at the presentation PDF; there is some info in there.

I would also recommend reading through the DSO setup and installation on 
Terracotta's website.  http://www.terracotta.org/confluence/display/docs/Home

You will need to run the batch file make-boot-jar.bat in the platform/bin 
folder of Terracotta.  This will create a system specific file that tomcat will 
use to make use of Terracotta.  You will need to take note of the file that it 
creates.

I originally did this on Windows, but have since thrown that away and started 
with Linux.  One reason for that is the difficulty in starting Terracotta as a 
service reliably and that I was given a requirement to use IPSec between 
servers.

To start up Terracotta as a service you will need wrapper-windows-x86-32-3.5.9.

Here is what my startup looks like on Linux:

Notice the TC_BOOT variable below.

#!/bin/bash
#
# Init file for Apache Tomcat server
#
# chkconfig: 2345 55 25
# description: Apache Tomcat server
#

# Source function library.
. /etc/init.d/functions

CATALINA_HOME=/opt/tomcat/default

TC_ROOT=/opt/terracotta/default
# Terracotta server(s) the client connects to; both nodes of the cluster.
TC_CONFIG=casdev01.is.depaul.edu:9510,casdev02.is.depaul.edu:9510

# Boot jar produced by make-boot-jar; it is specific to this host's JVM,
# so the file name must match the one generated here.
TC_BOOT=${TC_ROOT}/lib/dso-boot/dso-boot-hotspot_linux_160_26.jar
JAVA_OPTS="$JAVA_OPTS -Xmx512M -XX:MaxPermSize=512M"

export CATALINA_HOME

start() {
    echo "Starting Razuna Tomcat: "
    # Prepend the Terracotta boot jar to the JVM boot class path and point
    # the client at the Terracotta config/servers.
    JAVA_OPTS="$JAVA_OPTS -Dtc.install-root=$TC_ROOT -Xbootclasspath/p:${TC_BOOT} -Dtc.config=${TC_CONFIG}"
    export JAVA_OPTS
    $CATALINA_HOME/bin/startup.sh
    echo "done."
}

stop() {
    echo "Shutting down Razuna Tomcat: "
    $CATALINA_HOME/bin/shutdown.sh
    echo "done."
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    sleep 10
    #echo "Hard killing any remaining threads.."
    #kill -9 `cat $CATALINA_HOME/work/catalina.pid`
    start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    ;;
esac

exit 0

-Original Message-
From: Tobias Quosigk [mailto:tquos...@kennesaw.edu] 
Sent: Thursday, September 15, 2011 3:14 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Clustering CAS using Terracotta

John,

No, I didn't make any modifications to the Tomcat startup config. (And I don't 
see any connected clients in the console). Are the startup config changes 
documented somewhere?

Tobias

RE: [cas-user] Planning CAS install

2011-09-16 Thread Ourada, John
Tanya,

DePaul's is running on VMs with only 1 CPU, 1GB RAM and about 15GB of disk
space.  They run just fine; there isn't much required in the way of
processing currently.

Since you are just down the road from us, I would be happy to talk face
to face about what we are doing and how things are working for us.

-John

From: Gill, Tanya [mailto:tg...@colum.edu] 
Sent: Friday, September 16, 2011 8:39 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Planning CAS install

Can anyone provide this information?

From: Gill, Tanya 
Sent: Wednesday, September 14, 2011 10:24 AM
To: 'cas-user@lists.jasig.org'
Subject: Planning CAS install

We are planning for a CAS install on a virtual server and I cannot find
a CAS Server Build Specification anywhere. I need to know what the
hardware requirements are for a CAS server.

Thanks

Tanya Gill
Columbia College Chicago
Information Technology
Network Security Specialist
(312) 369-7138

[cas-user] Error messages in cas log

2011-09-21 Thread Ourada, John
Could anybody tell me why I am seeing these in my CAS log file?  It
seems like I am calling /serviceValidate with a pgtUrl parameter, which
we are not. The URL in the error message is the service requesting
authentication. We have not made a lot of changes to the default setup
and are using the in memory registry.

CAS should not be trying to open a connection back to the service that
is requesting authentication, correct?  Authentication continues and
succeeds, but I see a lot of these messages in the log file.

2011-09-20 13:37:35,154 WARN [org.jasig.cas.util.HttpClient] - Error
Sending message to url endpoint
[http://wadev1.is.depaul.edu/casloadtest/Default.aspx].  Error is
[Server returned HTTP response code: 500 for URL:
http://wadev1.is.depaul.edu/casloadtest/Default.aspx]

2011-09-20 13:37:35,153 WARN [org.jasig.cas.util.HttpClient] - Error
Sending message to url endpoint
[http://wadev1.is.depaul.edu/casloadtest/Default.aspx].  Error is
[Server returned HTTP response code: 500 for URL:
http://wadev1.is.depaul.edu/casloadtest/Default.aspx]

2011-09-20 13:37:35,152 WARN [org.jasig.cas.util.HttpClient] - Error
Sending message to url endpoint
[http://wadev1.is.depaul.edu/casloadtest/Default.aspx].  Error is
[Server returned HTTP response code: 500 for URL:
http://wadev1.is.depaul.edu/casloadtest/Default.aspx]

2011-09-20 13:37:35,152 WARN [org.jasig.cas.util.HttpClient] - Error
Sending message to url endpoint
[http://wadev1.is.depaul.edu/casloadtest/Default.aspx].  Error is
[Server returned HTTP response code: 500 for URL:
http://wadev1.is.depaul.edu/casloadtest/Default.aspx]

2011-09-20 15:00:59,860 WARN [org.jasig.cas.util.HttpClient] - Socket
Timeout Detected while attempting to send message to
[https://prerelease.cdm.depaul.edu/CTI/advising/auth.asp].

2011-09-20 15:00:59,860 WARN [org.jasig.cas.util.HttpClient] - Socket
Timeout Detected while attempting to send message to
[https://prerelease.cdm.depaul.edu/CTI/advising/auth.asp].

Thanks!

-John

RE: [cas-user] Error messages in cas log

2011-09-21 Thread Ourada, John
I don't recall seeing that specified in the CAS Protocol.  I thought
that the only back channel communication was for proxy ticket
generation.

We are set up for proxy ticket generation and use, so the applications
aren't expecting back channel communication.  Currently the servers are
in completely different FW zones and http/https from the cas servers
isn't allowed (thus the timeouts).  The 500 error is coming from the dev
environment where the servers are on the same zone, but the application
isn't expecting the back channel comm and is erring out because it just
redirects back to cas to authenticate...

I missed it in the setup information.  I see it now and will disable it
for now.

Thanks, Marvin!
-John

-Original Message-
From: Marvin Addison [mailto:marvin.addi...@gmail.com] 
Sent: Wednesday, September 21, 2011 9:43 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Error messages in cas log

> Could anybody tell me why I am seeing these in my CAS log file?

Those are back-channel single sign-out callbacks sent from the CAS
server to the entry points of all services a user accessed during an SSO
session.  This is a fairly common occurrence, and completely innocuous,
but you might investigate why you're getting 500 and socket timeouts
from your client apps.

M


RE: [cas-user] Error messages in cas log

2011-09-21 Thread Ourada, John
I would put something in the /Logout section so that anyone reading the 
Protocol documentation (everyone, right!) would see it and at least make the 
reference back to the correct page. For me the Protocol page is where I send 
developers and anybody else that needs or wants to understand what is happening.

I think that it is part of the protocol because any application that you write 
needs to understand that there will be a callback post and must handle it 
gracefully.  It is by default part of the flow of the CAS application, correct?

-John

-Original Message-
From: Marvin Addison [mailto:marvin.addi...@gmail.com] 
Sent: Wednesday, September 21, 2011 10:10 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Error messages in cas log

> I don't recall seeing that specified in the CAS Protocol.  I thought 
> that the only back channel communication was for proxy ticket 
> generation.

It's not strictly a part of the CAS protocol since it sends a SAML1.1 
LogoutRequest to services.  Do you have a recommendation for where we should 
document this to make it more prominent?

M

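
John's point that every application must "handle it gracefully" is the crux: the single sign-out POST comes from the CAS server, not from a browser, so a service that answers it with a redirect to /login produces exactly the 500s and timeouts seen in the log above, and nothing is logged out. The following is an added example of a service-side handler, not CAS client library code. The `logoutRequest` form parameter name and the shape of the message are what the CAS Java client documentation describes, but the XML below is a constructed sample; take the exact namespace and attributes from the logout template your CAS version ships, which is why the parser matches on local element names only.

```python
"""Handling the CAS single sign-out (SLO) callback in a service, the
back-channel POST discussed above.  Added example (not CAS client library
code).  The LogoutRequest below is a constructed sample."""
import xml.etree.ElementTree as ET  # in production prefer defusedxml.ElementTree

SAMPLE_LOGOUT_REQUEST = """\
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="LR-1-constructed" Version="2.0" IssueInstant="2011-09-21T13:37:35Z">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1-constructedexample-cas</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def _local_name(tag):
    """'{namespace}Name' -> 'Name', so parsing does not depend on the exact namespace."""
    return tag.rsplit("}", 1)[-1]


def parse_logout_request(xml_text):
    """Return the SessionIndex: the service ticket the session was created with."""
    root = ET.fromstring(xml_text)
    if _local_name(root.tag) != "LogoutRequest":
        raise ValueError("root element is not a LogoutRequest")
    for element in root.iter():
        if _local_name(element.tag) == "SessionIndex" and element.text and element.text.strip():
            return element.text.strip()
    raise ValueError("LogoutRequest carries no SessionIndex")


class SessionStore:
    """Local sessions keyed by session id, plus the ST -> session index that
    SLO needs; the mapping is recorded when the ST is validated at login."""

    def __init__(self):
        self.sessions = {}
        self.session_by_ticket = {}

    def login(self, session_id, user, service_ticket):
        self.sessions[session_id] = user
        self.session_by_ticket[service_ticket] = session_id

    def invalidate_by_ticket(self, service_ticket):
        session_id = self.session_by_ticket.pop(service_ticket, None)
        if session_id is None:
            return False            # already gone or never ours: nothing to do
        self.sessions.pop(session_id, None)
        return True


def handle_slo_callback(form, store):
    """Process the POST CAS sends to the service URL.  Returns (status, body).
    The caller is the CAS server, not a browser: never answer with a redirect
    to the login page, and keep this path out of the app's own auth filter."""
    payload = form.get("logoutRequest")
    if not payload:
        return 400, "missing logoutRequest parameter"
    try:
        service_ticket = parse_logout_request(payload)
    except (ET.ParseError, ValueError) as exc:
        return 400, f"malformed logoutRequest: {exc}"
    store.invalidate_by_ticket(service_ticket)   # idempotent; an unknown ST is still a 200
    return 200, "ok"


if __name__ == "__main__":
    store = SessionStore()
    store.login("sess-1", "alice", "ST-1-constructedexample-cas")
    print(handle_slo_callback({"logoutRequest": SAMPLE_LOGOUT_REQUEST}, store), store.sessions)
```

Two operational consequences follow from the code: the service must record the validated ST against the local session at login time (otherwise there is nothing to look up when the callback arrives), and in a clustered service that mapping has to be shared across nodes, since the CAS server's POST can land on any of them. The callback URL also has to be reachable from the CAS server, which is what the firewall-zone socket timeouts in John's log are about.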

[cas-user] cas login throttling error with ticket expiration policy

2011-09-21 Thread Ourada, John
I configured login throttling per:
https://wiki.jasig.org/display/CASUM/Ticket+Expiration+Policy

Here is the config contents (only the beans namespace header and the
description survived in the archive; the bean definitions are missing):

xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:p="http://www.springframework.org/schema/p"
   xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.0.xsd"

Assignment of expiration policies for the different tickets
generated by CAS including ticket granting ticket (TGT), service ticket
(ST), proxy granting ticket (PGT), and proxy ticket (PT).

These expiration policies determine how long the ticket they are
assigned to can be used and even how often they can be used before
becoming expired / invalid.

When I put this policy in place, I get the following errors when trying
to proxyValidate the ST.  I did try setting the policy for longer and
was able to force the TGT to expire prematurely by authenticating a
service too quickly.  I don't understand why the
ThrottledUseAndTimeoutExpirationPolicy is failing during ST validation.

Cas.log contents:

2011-09-21 12:03:13,154 WARN
[org.jasig.cas.ticket.support.ThrottledUseAndTimeoutExpirationPolicy] -
Ticket is expired due to the time being less than the waiting period.

2011-09-21 12:03:13,156 WARN
[org.jasig.cas.ticket.support.ThrottledUseAndTimeoutExpirationPolicy] -
Ticket is expired due to the time being less than the waiting period.

-John

RE: [cas-user] cas login throttling error with ticket expiration policy

2011-09-22 Thread Ourada, John
I didn't add to this that the proxyValidate call fails the ST validation
so the client isn't able to complete the authentication.

I would really like to implement this and am wondering if I am missing
something.

-John

RE: [cas-user] cas login throttling error with ticket expiration policy

2011-09-23 Thread Ourada, John
OK, I think this is a bug. Is anybody using the
MultiTimeUseOrTimeoutExpirationPolicy?

Here is a code snippet from AbstractTicket.java

public final boolean isExpired() {
    return this.expirationPolicy.isExpired(this)
        || (getGrantingTicket() != null && getGrantingTicket().isExpired())
        || isExpiredInternal();
}

This applies to TicketGrantingTicket and ServiceTicket

When ServiceTicket.isExpired() is called it checks itself and its
expirationPolicy, it then checks its TGT.isExpired which checks the
TGT's policy also. Which will almost always be under the expected
p:timeInBetweenUsesInMilliSeconds="2000" parameter.

I have tried to set the timeInBetweenUsesInMilliSeconds parameter to
under 10ms and I can get it to work (mostly).  I don't think that that
is very helpful as it is too short of a timeframe.

Here is also a debug listing from cas.log that shows this happening:

2011-09-23 11:58:37,843 DEBUG
[org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated
service for: http://www.depaul.edu

2011-09-23 11:58:37,843 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to
retrieve ticket [ST-2-odFloVCeBleCfW6IFNPt-cas]

2011-09-23 11:58:37,843 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket
[ST-2-odFloVCeBleCfW6IFNPt-cas] found in registry.

2011-09-23 11:58:37,850 WARN
[org.jasig.cas.ticket.support.ThrottledUseAndTimeoutExpirationPolicy] -
Ticket is expired due to the time being less than the waiting period.

2011-09-23 11:58:37,850 INFO
[org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceTicket
[ST-2-odFloVCeBleCfW6IFNPt-cas] has expired.

2011-09-23 11:58:37,851 WARN
[org.jasig.cas.ticket.support.ThrottledUseAndTimeoutExpirationPolicy] -
Ticket is expired due to the time being less than the waiting period.

2011-09-23 11:58:37,851 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Removing ticket
[ST-2-odFloVCeBleCfW6IFNPt-cas] from registry

2011-09-23 11:58:37,852 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to
retrieve ticket [ST-2-odFloVCeBleCfW6IFNPt-cas]

2011-09-23 11:58:39,101 DEBUG
[org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not
generate service.

2011-09-23 11:58:39,101 DEBUG
[org.jasig.cas.web.support.SamlArgumentExtractor] - Extractor did not
generate service.
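
The chain John quotes from AbstractTicket.isExpired() explains both the throttled policy's intended effect (described in the "too many successful logins" thread above) and the side-effect he hit: granting an ST updates the TGT's last-used time, and validating that ST a few hundred milliseconds later asks the TGT's throttled policy whether the TGT is expired, which inside the waiting period it answers yes. The model below is an added example with toy classes, not CAS code; the policy semantics are reconstructed from the warning text in the log and simplified, and the names `scenario` and `tgt_refuses_new_grant` are mine.

```python
"""Model of the expiration chain quoted from AbstractTicket.isExpired(): a
ticket is expired if its own policy says so OR its granting ticket is expired.
Added example with toy classes, not CAS code; policy semantics are a
simplified reconstruction.  All times are milliseconds."""


class ThrottledUseAndTimeoutPolicy:
    """Expired when idle for time_to_kill, or when a ticket that has already
    been used is touched again within time_in_between_uses of its last use."""

    def __init__(self, time_to_kill_ms, time_in_between_uses_ms):
        self.time_to_kill_ms = time_to_kill_ms
        self.time_in_between_uses_ms = time_in_between_uses_ms

    def is_expired(self, ticket, now_ms):
        idle = now_ms - ticket.last_time_used
        if ticket.count_of_uses == 0 and idle < self.time_to_kill_ms:
            return False                       # never used yet and still fresh
        if idle >= self.time_to_kill_ms:
            return True                        # idle too long
        return idle <= self.time_in_between_uses_ms   # "less than the waiting period"


class TimeoutPolicy:
    """Plain idle timeout, used here for the service ticket itself."""

    def __init__(self, time_to_kill_ms):
        self.time_to_kill_ms = time_to_kill_ms

    def is_expired(self, ticket, now_ms):
        return now_ms - ticket.last_time_used >= self.time_to_kill_ms


class Ticket:
    def __init__(self, ticket_id, policy, created_ms, granting_ticket=None):
        self.id = ticket_id
        self.policy = policy
        self.last_time_used = created_ms
        self.count_of_uses = 0
        self.granting_ticket = granting_ticket

    def update_state(self, now_ms):
        self.count_of_uses += 1
        self.last_time_used = now_ms

    def is_expired(self, now_ms):
        """The chained check quoted from AbstractTicket.isExpired()."""
        return (self.policy.is_expired(self, now_ms)
                or (self.granting_ticket is not None
                    and self.granting_ticket.is_expired(now_ms)))

    def is_expired_own_policy_only(self, now_ms):
        """What the ST's validation would report without consulting the TGT."""
        return self.policy.is_expired(self, now_ms)


def grant_service_ticket(tgt, now_ms, st_policy):
    tgt.update_state(now_ms)   # granting an ST counts as a use of the TGT
    return Ticket("ST-constructed", st_policy, now_ms, granting_ticket=tgt)


def _fresh_tgt(time_in_between_uses_ms):
    return Ticket("TGT-constructed",
                  ThrottledUseAndTimeoutPolicy(2 * 60 * 60 * 1000, time_in_between_uses_ms),
                  created_ms=0)


def scenario(validation_delay_ms, time_in_between_uses_ms=2000):
    """Grant an ST at t=1000 and validate it validation_delay_ms later.
    Returns (expired per the chained check, expired per the ST's own policy)."""
    tgt = _fresh_tgt(time_in_between_uses_ms)
    st = grant_service_ticket(tgt, now_ms=1_000, st_policy=TimeoutPolicy(10_000))
    validate_at = 1_000 + validation_delay_ms
    return st.is_expired(validate_at), st.is_expired_own_policy_only(validate_at)


def tgt_refuses_new_grant(delay_ms, time_in_between_uses_ms=2000):
    """The intended effect: a second ST requested delay_ms after the first is
    refused while the TGT is still inside its waiting period."""
    tgt = _fresh_tgt(time_in_between_uses_ms)
    grant_service_ticket(tgt, now_ms=1_000, st_policy=TimeoutPolicy(10_000))
    return tgt.is_expired(1_000 + delay_ms)


if __name__ == "__main__":
    print("validate 300 ms after grant :", scenario(300))      # (True, False)
    print("validate 2.5 s after grant  :", scenario(2_500))    # (False, False)
    print("second grant 300 ms later   :", tgt_refuses_new_grant(300))    # True
    print("second grant 3.5 s later    :", tgt_refuses_new_grant(3_500))  # False
```

The model shows why shrinking timeInBetweenUsesInMilliSeconds to under 10 ms "mostly" worked: the ST's own policy never objects, only the TGT's does, and the objection lasts exactly the waiting period. Any redirect-and-validate round trip shorter than that window fails, so the waiting period has to be shorter than the fastest legitimate client round trip, or the throttle has to be applied somewhere that ST validation does not traverse.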

RE: [cas-user] Logging out

2011-09-23 Thread Ourada, John
Tom, you may be running into security with VS.  I am not an expert with
VS, but the sessions it starts as part of your debugging are protected.
The cookie values are isolated.  I have run into similar functionality
when starting browsers from VS while debugging.  Try just browsing to
the local application instead of debugging the application.

-John

-Original Message-
From: Tom [mailto:snthdiu...@gmail.com] 
Sent: Friday, September 23, 2011 10:35 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Logging out

Okay, the situation is indeed weird, and I've tracked it down to a
degree..

With my app on  and cas on , I can log in and
log out of cas without issue (so when I return to app after logout, it
asks for user/pass, same with other apps that use cas)

With my app on localhost and cas on , the weird error happens
that I log out of app, go to  for logout, and return
to my localhost app, my iframe containing the cas page on
 just logs the user back in.

I don't fully know if it's because of localhost-server differences, or
because localhost is actually my Visual Studio debug environment, but in
the regular case where I deploy my app, it does work the way it should.

To answer the question raised by Andrew: I have to use the iframe way,
because of customer requests :-/ I've already set my cookie to be
regular http too (not just https)

I still need to investigate cas logs, will be for next week..

Thanks for the input already, cheers,
  Tom

On Fri, Sep 23, 2011 at 3:31 PM, Marvin Addison
 wrote:
>> When I (in the same browser session) return to my app's login page 
>> (which has an iframe to CAS), CAS immediately logs in again as if it 
>> were still authorized
>
> Can you access services without further authentication at CAS?
>
> M

RE: [cas-user] HA

2011-09-27 Thread Ourada, John
We are using Terracotta to provide the redundancy for Tomcat.  It is a big package 
to add, but it is a relatively easy setup and may be something that you find 
useful for your other Tomcat apps.  Take a look at NAU's presentation. 
 
-John



From: Marvin Addison [mailto:marvin.addi...@gmail.com]
Sent: Tue 9/27/2011 7:43 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] HA



> So... if repcache isn't working and/or isn't worth the headache, what's the
> best way to share the Ticket Registry on a couple of CAS servers?

If I were doing it all over again I'd go with memcached.  The
simplicity of the software and integration is very appealing to me
personally, but it may not be for everyone.  You should search the
cas-user list archives for a lengthy discussion I posted in the past
quarter where I argued that memcached alone is sufficient.  It goes
into further details of the limitations/caveats of a memcached-only
solution.  I'd recommend staying away from Tomcat session clustering
if you can avoid it; IMO it provides little bang for substantial buck
in terms of complexity.

M


RE: [cas-user] CAS server: client ip address and server ip address

2011-10-03 Thread Ourada, John
Richard, you need to be using Tomcat 6.0.24 and above... (or close to that... 
).  I am assuming that you are having a proxy issue and that you need to 
replace the ip address of the proxy with the ip address of the original client.

-John

In server.xml, you will add something like this:

Please look at tomcat documentation on RemoteIpValve.

The internalProxies attribute is important: set it to either your proxy or your set of 
proxies.

This needs to be above your Host entry.

<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="140.192.*.*"
       remoteIpHeader="x-forwarded-for"
       protocolHeader="x-forwarded-proto"
       />

-Original Message-
From: Richard [mailto:richard.z...@gmail.com] 
Sent: Sunday, October 02, 2011 4:45 PM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS server: client ip address and server ip address

I just set up a CAS server, and it runs well.

When I logged in, I can see some log information, such as:

[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManagera] - Audit 
trail record BEGIN =
WHO: [username: username_here]
WHAT: TGT-1-IaiihBPW9YutN6qRh42A2leWzTiVXO4IDeJrAHg1nSjtEuf4sK-cas
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Oct 03 10:07:58 NZDT 2011
CLIENT IP ADDRESS: my client ip address
SERVER IP ADDRESS: my server ip address
=

But after I put Nginx before CAS, I always get 127.0.0.1 as client ip address 
and server ip address.

How can I get correct client ip address and server ip address?

Cheers,

Richard 
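To make the fix John describes concrete, here is an added Python model of what RemoteIpValve's internalProxies and remoteIpHeader settings do for the audit record. It is example code written for this page, not Tomcat's valve and not from the thread; the trusted ranges, the request values and the audit line format are constructed, and where Tomcat takes a regular expression for internalProxies this model uses CIDR networks for clarity.

```python
import ipaddress

# Constructed trusted-proxy ranges, playing the role of the internalProxies
# attribute in the valve quoted in this thread (Tomcat uses a regex there;
# CIDR networks are an assumption of this example).
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.0/8"),     # nginx or a LB on the same host
    ipaddress.ip_network("140.192.0.0/16"),  # the campus range from the thread
]


def is_trusted_proxy(addr, trusted=TRUSTED_PROXIES):
    """True if addr parses as an IP address inside one of the trusted ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def resolve_client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Decide which address the audit record should call the client.

    remote_addr: the TCP peer as the servlet container sees it.
    xff_header:  the raw X-Forwarded-For value, or None.
    Returns (client_ip, proxies_traversed).
    """
    # Rule 1: honour the header only when the peer itself is a trusted proxy.
    # Otherwise any client could choose the address that ends up in the log.
    if not is_trusted_proxy(remote_addr, trusted) or not xff_header:
        return remote_addr, []

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    traversed = []
    # Rule 2: walk from the right. Each proxy appends the peer it spoke to, so
    # the right-most entries were written by proxies we trust and the first
    # untrusted address from the right is the real client. Anything further
    # left was supplied by that client and is ignored.
    while hops:
        candidate = hops.pop()
        if is_trusted_proxy(candidate, trusted):
            traversed.append(candidate)
            continue
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            # Garbage in the header: fall back to the peer rather than log junk.
            return remote_addr, []
        return candidate, traversed
    # Every hop was one of ours, so there is no external client to report.
    return remote_addr, traversed


def audit_client_line(remote_addr, xff_header):
    """Render the CLIENT IP ADDRESS line of the audit record (constructed format)."""
    client, _ = resolve_client_ip(remote_addr, xff_header)
    return "CLIENT IP ADDRESS: " + client


if __name__ == "__main__":
    # Constructed requests using RFC 5737 documentation addresses.
    cases = [
        ("127.0.0.1", "198.51.100.7"),               # via nginx: real client
        ("127.0.0.1", "10.0.0.1, 198.51.100.7"),     # client prepended a fake hop
        ("127.0.0.1", "198.51.100.7, 140.192.1.9"),  # two trusted hops
        ("203.0.113.5", "10.0.0.1"),                 # direct hit: header ignored
        ("127.0.0.1", None),                         # proxy sent no header
    ]
    for peer, xff in cases:
        print(peer, repr(xff), "->", audit_client_line(peer, xff))
```

The two rules are the whole point of the internalProxies setting: if the proxy list is left wide open, the header is trusted from any peer and the audit trail records whatever address the client wrote into X-Forwarded-For.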


RE: [cas-user] CAS server: client ip address and server ip address

2011-10-03 Thread Ourada, John
Sorry, Richard, I am not familiar with Jetty.

-John
- Original Message -
From:Richard Zeng 
To:"cas-user@lists.jasig.org" 
Sent:10/03/2011 3:43 PM
Subject:Re: [cas-user] CAS server: client ip address and server ip address


Hi John,

Thank you very much for your help.

I am running on Jetty. My CAS is running at http://my.server:9090/cas,
and if I use this url, I can see the correct ip address.

When I put Ngnix in front of it, I added this in my Ngnix config file:

location /cas {
    proxy_pass http://localhost:9090/cas;
}

So I can access it through http://my.server/cas

But then I only get 127.0.0.1 as server ip address and client ip address.

Is there anything similar in Jetty, like RemoteIpValve in Tomcat?

The only reason I can't run in Tomcat is because I have a problem running
it in Tomcat. That will be another topic, because I am in a complex
environment. I'll start another thread soon about my Tomcat problem.

Cheers,

Richard

On Tue, Oct 4, 2011 at 2:58 AM, Ourada, John  wrote:
> Richard, you need to be using Tomcat 6.0.24 and above... (or close to that... 
> ).  I am assuming that you are having a proxy issue and that you need to 
> replace the ip address of the proxy with the ip address of the original 
> client.
>
> -John
>
> In server.xml, you will add something like this:
>
> Please look at tomcat documentation on RemoteIpValve.
>
> The internal Proxies are important to set to either your proxy or set of 
> proxies.
>
> This needs to be above your host entry.
>
> <Valve className="org.apache.catalina.valves.RemoteIpValve"
>        internalProxies="140.192.*.*"
>        remoteIpHeader="x-forwarded-for"
>        protocolHeader="x-forwarded-proto"
>        />
>
> -Original Message-
> From: Richard [mailto:richard.z...@gmail.com]
> Sent: Sunday, October 02, 2011 4:45 PM
> To: cas-user@lists.jasig.org
> Subject: [cas-user] CAS server: client ip address and server ip address
>
> I just set up a CAS server, and it runs well.
>
> When I logged in, I can see some log information, such as:
>
> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManagera] - Audit 
> trail record BEGIN 
> =
> WHO: [username: username_here]
> WHAT: TGT-1-IaiihBPW9YutN6qRh42A2leWzTiVXO4IDeJrAHg1nSjtEuf4sK-cas
> ACTION: TICKET_GRANTING_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Mon Oct 03 10:07:58 NZDT 2011
> CLIENT IP ADDRESS: my client ip address
> SERVER IP ADDRESS: my server ip address
> =
>
> But after I put Nginx before CAS, I always get 127.0.0.1 as client ip address 
> and server ip address.
>
> How can I get correct client ip address and server ip address?
>
> Cheers,
>
> Richard
>



RE: [cas-user] Login Ticket in CAS Cluster

2011-10-04 Thread Ourada, John
Am I missing something? What happens when the server validates the service 
ticket (ST)?  The LB won't know about the client's sticky session.  It may 
attach to the wrong server and not find the service ticket created by the 
client browser.

There is an extra step, correct?  The application must connect to the server 
where the ST was created.  Most likely using the suffix of the ST to find that 
server.

The issue with this scenario is that you are just splitting the load and not 
really creating a cluster.  Only half of your clients are affected if one 
server fails or is taken out of service.

For a while we used a poor man's fail-over.  The LB looked for a file in the 
/ROOT webapp; if it found it, that server could be marked up.  It also checked 
that the /cas/login page was returning status 200 OK.   This gave us (the 
administrators of CAS) control over which server was active without having to 
bug the administrator for the LB.

-John

-Original Message-
From: Marvin Addison [mailto:marvin.addi...@gmail.com] 
Sent: Tuesday, October 04, 2011 8:26 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Login Ticket in CAS Cluster

> Thanks Scott.  I'm guessing then to avoid clustering the HTTP session 
> we'd need to use sticky sessions on our load balancer?

Correct.  I should note that there used to be a capability in Spring Web Flow 
1.x where flow execution state could be stored client-side to facilitate truly 
stateless clustering, but this capability was removed in 2.x, which is the 
version we're using.  It's my understanding this capability will be restored in 
a future version.

M
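The routing step John describes (send the validation request to the node whose suffix the ST carries) as an added Python example. This is not CAS code and not from the thread: it assumes ticket ids of the form TYPE-SEQUENCE-RANDOM-SUFFIX with the suffix naming the minting node, which matches the TGT quoted earlier in this archive, and the node table and tickets are constructed. Because the ticket arrives from the browser, the router fails closed on malformed ids, unknown suffixes and ticket types a service should never be validating.

```python
import re
from urllib.parse import urlencode

# Ticket ids on this list look like TYPE-SEQUENCE-RANDOM-SUFFIX (the TGT
# quoted in the "client ip address" thread ends in "-cas"). Treating the id
# as strictly this shape is an assumption of this example.
TICKET_RE = re.compile(
    r"^(?P<type>ST|PT|TGT|PGT)-(?P<seq>\d+)-(?P<rand>[A-Za-z0-9]+)-(?P<suffix>[A-Za-z0-9]+)$"
)

# Constructed node table: the suffix configured on each CAS node -> base URL.
NODES = {
    "cas1": "https://cas1.example.edu/cas",
    "cas2": "https://cas2.example.edu/cas",
}


def parse_ticket(ticket_id):
    """Split a ticket id into its parts, or return None if it is malformed."""
    match = TICKET_RE.match(ticket_id or "")
    return match.groupdict() if match else None


def route_validation(ticket_id, nodes=NODES):
    """Pick the node that minted this service or proxy ticket.

    Returns None (fail closed) for malformed ids, for ticket types a service
    has no business validating, and for suffixes not in the node table.
    """
    parts = parse_ticket(ticket_id)
    if parts is None or parts["type"] not in ("ST", "PT"):
        return None
    return nodes.get(parts["suffix"])


def validation_url(ticket_id, service, nodes=NODES):
    """Build the serviceValidate request aimed at the minting node."""
    base = route_validation(ticket_id, nodes)
    if base is None:
        return None
    return base + "/serviceValidate?" + urlencode({"service": service, "ticket": ticket_id})


if __name__ == "__main__":
    # Constructed tickets; the random part is made up for the example.
    for tid in ("ST-42-AbC123xyz-cas2", "ST-43-AbC123xyz-cas9",
                "TGT-1-AbC123xyz-cas1", "ST-44-../../etc-cas1"):
        print(tid, "->", validation_url(tid, "https://app.example.edu/login"))
```

As John notes, this only splits load; a node that goes away takes its unvalidated tickets with it, which is why a shared ticket registry (memcached, Terracotta or similar) is the real clustering answer.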




RE: [cas-user] CAS Server 3.4.10: Problem with ThrottledUseAndTimeoutExpirationPolicy

2011-11-03 Thread Ourada, John
I submitted another reply to my previous one as it looks like the throttle 
check is done on both the creation of the TGT and the verification of the ST.  
I had posted the code where the error was also.
 
-John



From: Fesenmeyer, Daniel [mailto:daniel.fesenme...@sybit.de]
Sent: Thu 11/3/2011 9:47 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS Server 3.4.10: Problem with 
ThrottledUseAndTimeoutExpirationPolicy



Hi,

I have a problem with ThrottledUseAndTimeoutExpirationPolicy.

The documentation says that "timeInBetweenUsesInMilliSeconds" is the "minimum 
amount of time permitted between consecutive uses of a ticket".

I set this value to 20 seconds. I thought that it would prevent a CAS client from 
validating a ticket again and again. So I expected to get an error when the 
timeframe between two validations was less than 15 seconds. (Which should 
never occur, because the CAS Client for Java imho validates only once per 
ticket.)

But with this setup, I always got an error. I had to set this value to about 
one second to get it to work. It seems that the "timeInBetweenUsesInMilliSeconds" 
is - at least in case of the first validation - the time between ticket creation 
and validation. This is why I had to set the value so low that the use of 
ThrottledUseAndTimeoutExpirationPolicy is quite useless for me.

I found another post on ThrottledUseAndTimeoutExpirationPolicy (with 
proxyValidate) which is quite similar to my problem: 
http://www.mail-archive.com/cas-user@lists.jasig.org/msg09823.html

But I use samlValidate instead of proxyValidate.

Does someone use ThrottledUseAndTimeoutExpirationPolicy and can help me with 
this issue?

Thanks,

Daniel
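To make the behaviour Daniel describes concrete, here is an added Python model of a throttled-use-and-timeout policy. It is not the source of CAS's ThrottledUseAndTimeoutExpirationPolicy and not from the thread; its one assumption, that a fresh ticket's "last used" timestamp starts at creation time, is enough to reproduce the symptom: any validation sooner than timeInBetweenUsesInMilliSeconds after the ticket was minted is rejected, so the setting also acts as a minimum delay before first use.

```python
class TicketState:
    """Bookkeeping a ticket carries (a constructed stand-in, not CAS's TicketState)."""

    def __init__(self, created_ms):
        self.created_ms = created_ms
        # Assumption modelling the behaviour reported in the thread: the
        # "last used" clock of a brand-new ticket starts at creation time.
        self.last_used_ms = created_ms
        self.uses = 0

    def touch(self, now_ms):
        self.last_used_ms = now_ms
        self.uses += 1


class ThrottledUseAndTimeoutPolicy:
    """Expire a ticket that sat idle too long OR was used again too quickly."""

    def __init__(self, time_to_kill_ms, time_in_between_uses_ms):
        self.time_to_kill_ms = time_to_kill_ms
        self.time_in_between_uses_ms = time_in_between_uses_ms

    def is_expired(self, state, now_ms):
        since_last = now_ms - state.last_used_ms
        if since_last >= self.time_to_kill_ms:
            return True   # idle timeout
        if since_last < self.time_in_between_uses_ms:
            return True   # consecutive uses too close together (replay throttle)
        return False


def validate(policy, state, now_ms):
    """One validation attempt at time now_ms; True if accepted (and the use is recorded)."""
    if policy.is_expired(state, now_ms):
        return False
    state.touch(now_ms)
    return True


def simulate(time_in_between_ms, attempt_times_ms, time_to_kill_ms=60_000):
    """Mint a ticket at t=0 ms and validate it at each listed time; return the verdicts."""
    policy = ThrottledUseAndTimeoutPolicy(time_to_kill_ms, time_in_between_ms)
    state = TicketState(created_ms=0)
    return [validate(policy, state, t) for t in attempt_times_ms]


if __name__ == "__main__":
    # Daniel's setting: 20 s between uses, client validates 2 s after login.
    print("20 s, validate at 2 s  :", simulate(20_000, [2_000]))
    # Same setting, client waits 25 s: accepted.
    print("20 s, validate at 25 s :", simulate(20_000, [25_000]))
    # The 1 s workaround: first use ok, an immediate replay is throttled,
    # a later use is fine again.
    print("1 s, 2 s/2.5 s/4 s     :", simulate(1_000, [2_000, 2_500, 4_000]))
    # Idle timeout still applies on top of the throttle.
    print("1 s, 2 s then 70 s     :", simulate(1_000, [2_000, 70_000]))
```

The model also shows what the policy is good for once the value is small: a second validation of the same ST within the window is refused, which is the replay protection the setting is meant to give.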

 


RE: [cas-user] about "Audit trail record"

2011-11-30 Thread Ourada, John
There is a Java class that would be modified. I am not set up to do that. 

We could put it in a db without mod.

Right now the logs are being splunk'd.

What do you need?
- Original Message -
From:Richard 
To:"cas-user@lists.jasig.org" 
Sent:11/30/2011 5:36 PM
Subject:[cas-user] about "Audit trail record"


In CAS, after you logged in, you got something like this in your log file:


INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - http://www.ja-sig.org/wiki/display/JSG/cas-user




RE: [cas-user] about "Audit trail record"

2011-11-30 Thread Ourada, John
Oops. Wrong Richard. Sorry.
- Original Message -
From:Richard 
To:"cas-user@lists.jasig.org" 
Sent:11/30/2011 5:36 PM
Subject:[cas-user] about "Audit trail record"


In CAS, after you logged in, you got something like this in your log file:


INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - http://www.ja-sig.org/wiki/display/JSG/cas-user




RE: [cas-user] CAS ISAPI Filter / Encoded Service URL

2014-09-25 Thread Ourada, John
Aaron,

From my recent experience, you will want to avoid ISAPI filters as there is a 
bug that doesn't work with Chrome.  It has to do with improperly terminated 
headers. UC Davis has updated their code to fix this, but there are questions 
about support from them.

I ended up doing some testing and was able to use the .Net client to provide 
authentication in front of IIS7 and greater.

Here is an article on how to do it.

-John

https://wiki.jasig.org/pages/viewpage.action?pageId=35389878

From: Aaron Grant [mailto:asgr...@oakland.edu]
Sent: Thursday, September 25, 2014 11:11 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS ISAPI Filter / Encoded Service URL

Hi Everyone,

We have a vendor who has selected the ISAPI Filter on this page: 
https://wiki.jasig.org/display/CASC/ISAPI+Filter (the zip file that is linked)

They are now having issues when the request comes back from our CAS Server 
(v3.5) with a valid ticket the URL is still URL Encoded. Example: 
http://host/file.aspx%3ff%3d8CgAAg4D

I was wondering if anyone had some insight on this issue. I have some ideas of 
what might be going on, but it would be nice to hear some other opinions.

Thanks!

--
Aaron Grant
Senior Applications Architect
Oakland University - UTS
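An added Python reproduction of how a service URL can come back from CAS still percent-encoded, the symptom Aaron reports. This is example code for this page, not the ISAPI filter's code and not from the thread: a filter that percent-encodes the service URL itself and then lets its query builder encode it again produces a double-encoded service parameter, CAS decodes exactly one layer, and the redirect target keeps ? and = as %3F and %3D (urllib emits upper-case hex where Aaron's example shows lower-case). The CAS base URL and the ticket value are placeholders.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

CAS_BASE = "https://cas.example.edu/cas"   # constructed server name
TICKET = "ST-1-placeholder"                # placeholder, not a real ticket


def client_redirect_to_login(service_url, pre_encode=False):
    """Where the client-side filter sends the browser.

    pre_encode=True reproduces a filter that percent-encodes the service URL
    on its own (keeping only ':' and '/') and then hands the result to a query
    builder that encodes it a second time.
    """
    value = quote(service_url, safe=":/") if pre_encode else service_url
    return CAS_BASE + "/login?" + urlencode({"service": value})


def cas_redirect_back(login_url):
    """Server side: decode the service parameter exactly once and append the ticket."""
    query = parse_qs(urlsplit(login_url).query)
    service = query["service"][0]   # parse_qs has already removed one encoding layer
    separator = "&" if "?" in service else "?"
    return service + separator + "ticket=" + TICKET


def round_trip(service_url, pre_encode=False):
    """Full login redirect round trip; returns the URL the browser is sent back to."""
    return cas_redirect_back(client_redirect_to_login(service_url, pre_encode))


if __name__ == "__main__":
    service = "http://host/file.aspx?f=8CgAAg4D"   # Aaron's example, decoded
    print("encoded once :", round_trip(service))
    print("encoded twice:", round_trip(service, pre_encode=True))
```

The second line is the shape Aaron sees. The same mismatch also bites at validation time, because the service string the filter presents to serviceValidate has to match the one the ticket was issued for; encoding the service URL once, and only once, on each leg is the check to make on the filter side.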






RE: [cas-user] Drop the management webapp

2015-07-27 Thread Ourada, John
Ours changes very infrequently also, but has started changing more now that we 
have external apps that need to authenticate.  Those require a manual entry in 
the deployer config file.  It requires a manual restart of the CAS application to 
reload them.  I haven't looked at 4.1 yet, but it would be nice if the app 
would look for updated service registry files and reload them periodically.

-john

From: Christopher Myers [mailto:cmy...@mail.millikin.edu]
Sent: Monday, July 27, 2015 7:16 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Drop the management webapp

Honestly, our CAS configuration changes so infrequently that we don't even need 
to use a regular service registry; we just have our configs stored in the 
deployerConfigContext.xml file directly.


Chris


>>> Jérôme LELEU <lel...@gmail.com> 07/26/15 9:08 AM >>>
Hi,

The CAS service model has strongly evolved for the CAS server v4.1 and the 
powerful new policies are hard to define through a UI. Maintaining this webapp 
requires a lot of work.
The default services registry is now based on JSON files which also makes 
manual editing a lot easier.

I'm in favor of dropping the CAS management webapp or maybe first moving it 
into a separate project.

I'd like to get feedback on this idea: do CAS deployers use it? How?

Thanks.
Best regards,
Jérôme




RE: [cas-user] Drop the management webapp

2015-07-27 Thread Ourada, John
Thanks Jérôme!  I was aware of the DB method, but didn’t really want or need to 
implement it.

The JSON method will make that much easier without the additional config and 
reliance on a DB.

I will have to look more at 4.1 and move off of 3.58.

-John

From: Jérôme LELEU [mailto:lel...@gmail.com]
Sent: Monday, July 27, 2015 8:34 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Drop the management webapp

Hi,

It's already possible to reload the services periodically from database for 
example, but not when it's defined in the Spring context.

With the new JSON services registry, the services are automatically created, 
updated and deleted.

Best regards,
Jérôme


2015-07-27 15:20 GMT+02:00 Ourada, John <jour...@depaul.edu>:
Ours changes very infrequently also, but has started changing more now that we 
have external apps that need to authenticate.  Those require a manual entry in 
the deployer config file.  It requires a manual restart of the CAS application to 
reload them.  I haven't looked at 4.1 yet, but it would be nice if the app 
would look for updated service registry files and reload them periodically.

-john

From: Christopher Myers [mailto:cmy...@mail.millikin.edu]
Sent: Monday, July 27, 2015 7:16 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Drop the management webapp

Honestly, our CAS configuration changes so infrequently that we don't even need 
to use a regular service registry; we just have our configs stored in the 
deployerConfigContext.xml file directly.


Chris


>>> Jérôme LELEU <lel...@gmail.com> 07/26/15 9:08 AM >>>
Hi,

The CAS service model has strongly evolved for the CAS server v4.1 and the 
powerful new policies are hard to define through a UI. Maintaining this webapp 
requires a lot of work.
The default services registry is now based on JSON files which also makes 
manual editing a lot easier.

I'm in favor of dropping the CAS management webapp or maybe first moving it 
into a separate project.

I'd like to get feedback on this idea: do CAS deployers use it? How?

Thanks.
Best regards,
Jérôme




RE: [cas-user] CAS log X-Forwarded-IP

2015-09-28 Thread Ourada, John
We did it using a valve in the Tomcat server.xml file.  The IP address 
reported to CAS is the remote address and not the load balancer.



-John


From: M4t [mailto:m.alexan...@outlook.com]
Sent: Monday, September 28, 2015 9:38 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS log X-Forwarded-IP

Hello

I'd like to log X-Forwarded-IP instead of Remote-IP in cas.log/catalina.out.
Something like:

=
WHO: audit:unknown
WHAT: TGT-1-x
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Sep 28 16:25:09 CEST 2015
CLIENT IP ADDRESS: X-Forwarded-IP
SERVER IP ADDRESS: 127.0.0.1
=
I think it could be possible to change some parameters in log4j.xml with 
"com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager".
But I don't know how to configure it.

Thanks for helping me.


