Re: [cas-user] Keeping username field populated
This works:

    <on-entry>
        <set name="viewScope.commandName" value="'credentials'" />
        <set name="credentials.username" value="flowScope.credentials == null ? '' : flowScope.credentials.username" />
    </on-entry>

I added the second set tag for view-state id=viewLoginForm.

Regards,
Yuriy

On Sun, Jun 13, 2010 at 8:31 PM, Scott Battaglia scott.battag...@gmail.com wrote:
> It's mostly because the credentials variable is defined within the view state, so it gets recreated each time. You can instantiate it outside of the view state. The Web Flow 2 Schema should say how.
>
> Note, I'm just guessing. I haven't tried it :-)
>
> Cheers,
> Scott
>
> On Thu, Jun 10, 2010 at 2:55 PM, Yuriy Zubarev yzuba...@boats.com wrote:
>> Greetings,
>>
>> After upgrading from version 3.3.* to 3.4.* we noticed a small difference in a behavior of login flow and a form. Whenever user provides an incorrect combination of username and password, CAS flow goes back to log-in page with a correct error message but username field is empty. It used to keep its value and I would like to have that behavior back.
>>
>> I guess Spring upgrade might be the root cause and there is a way to adjust the behavior through the maze of Spring XML configuration. I shamelessly wanted to save myself couple of days digging through Spring documentation and ask the community if it's already figured it out.
>>
>> Thank you,
>> Yuriy
>>
>> --
>> You are currently subscribed to cas-user@lists.jasig.org as: scott.battag...@gmail.com
>> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
[cas-user] Keeping username field populated
Greetings,

After upgrading from version 3.3.* to 3.4.* we noticed a small difference in a behavior of login flow and a form. Whenever user provides an incorrect combination of username and password, CAS flow goes back to log-in page with a correct error message but username field is empty. It used to keep its value and I would like to have that behavior back.

I guess Spring upgrade might be the root cause and there is a way to adjust the behavior through the maze of Spring XML configuration. I shamelessly wanted to save myself couple of days digging through Spring documentation and ask the community if it's already figured it out.

Thank you,
Yuriy
Re: [cas-user] Multiple serverNames for one client servlet
We had similar requirements and we worked them out by wrapping Jasig's Authentication Filter by our own Authentication Filter. If anyone is interested in details:
http://midnightit.wordpress.com/2010/02/15/cas-branded-authentication-filter/

Regards,
Yuriy Zubarev

On Sun, Feb 14, 2010 at 7:05 PM, Scott Battaglia scott.battag...@gmail.com wrote:
> It is a security risk to essentially trust the Host header sent by the client (since it's controlled by the client). It's atypical to deploy the same application under multiple hosts (the bulk of our deployers don't). It's often not recommended (what if you decide that you no longer want one domain per language but everyone has bookmarked those URLs?)
>
> That said if there's enough interest we could probably allow the serverName to take an accepted list of hosts (though there'd have to be some discussion on cas-dev about it).
>
> On Thu, Feb 11, 2010 at 8:15 AM, Sander Bos sander@finalist.com wrote:
>> Hi there,
>>
>> we have one war running multiple websites, e.g. www.example.com and www.example.nl and www.example.de
>>
>> We use the URL to determine what language to show to the user. Now we want to have CAS integration on this site, but it is giving us problems. Because we have one war available under several URLs, we cannot specify just one serverName in the filter configuration (which it always will redirect back to, the redirection to 'service' parameter is the problem, it means an undesired language switch for our users). And it does not appear that there is a way to specify them or get around this with the available Java client.
>>
>> Some googling found these links that seem to indicate it is a security risk:
>> http://www.ja-sig.org/wiki/display/CASC/Using+the+Host+header+for+multiple+DNS+names
>> http://www.ja-sig.org/wiki/display/CASC/CASFilter
>>
>> But we do not want to allow just any host, we know our app represents a fixed set of hosts (all having the same content and security levels, just in different languages), and we want to allow for exactly those hosts to be used (like by the way with the patch of the first URL).
>>
>> We looked at the code, in particular AbstractCasFilter and AuthenticationFilter, there really appears to be only room for one serverName. Also, everything is final so it is not easy for us to add our own extension. For the authentication filter we could wrap the httpservletresponse and intercept the sendRedirect call to change the URL. But we cannot do a similar trick for the validation filter as far as we can see, it will always use the fixed serverName (that will then not necessarily match up with the language).
>>
>> Is there something we are overlooking here? I do not think using one war deployment to serve multiple hostnames is such an exceptional situation?
>>
>> Thanks in advance for your reply,
>> Sander Bos
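
The "accepted list of hosts" idea from this thread, as an added example that is not part of any message above and is not code from the CAS client: the Host header is only used to select an entry from a fixed allowlist, and anything else falls back to a default. The class name, method names and the sample header values are assumptions made for the illustration.

```java
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;

/** Added illustration, not CAS client code: choose serverName from a fixed allowlist. */
public final class AllowedServerNames {
    private final Set<String> allowed = new LinkedHashSet<String>();
    private final String fallback;

    /** @param hosts accepted host names (assumed config value); the first one is the fallback */
    public AllowedServerNames(String... hosts) {
        if (hosts.length == 0) {
            throw new IllegalArgumentException("at least one host is required");
        }
        for (String h : hosts) {
            allowed.add(canonical(h));
        }
        fallback = canonical(hosts[0]);
    }

    /** Lower-case, drop an optional :port and a trailing dot so comparison is exact. */
    static String canonical(String host) {
        String h = host.trim().toLowerCase(Locale.ROOT);
        int colon = h.lastIndexOf(':');
        if (colon > h.indexOf(']')) {       // a port, not a colon inside an IPv6 literal
            h = h.substring(0, colon);
        }
        return h.endsWith(".") ? h.substring(0, h.length() - 1) : h;
    }

    /** Exact match against the allowlist; anything else gets the fallback, never the header. */
    public String resolve(String hostHeader) {
        if (hostHeader == null) {
            return fallback;
        }
        String h = canonical(hostHeader);
        return allowed.contains(h) ? h : fallback;
    }

    public static void main(String[] args) {
        AllowedServerNames names =
                new AllowedServerNames("www.example.com", "www.example.nl", "www.example.de");
        // Constructed Host header values
        String[] samples = {"www.example.nl", "WWW.EXAMPLE.DE:443", "www.example.com.attacker.test", null};
        for (String s : samples) {
            System.out.println(s + " -> https://" + names.resolve(s));
        }
    }
}
```

The same resolved name has to be used both for the login redirect and for ticket validation, because CAS only validates a ticket for the service it was issued to.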
Re:[cas-user] Ensure the same credentials could be used only by one user at the same time
Guys,

Any help would be appreciated. Even some links to get started.

Thank you,
Yuriy

On Mon, Oct 19, 2009 at 6:03 PM, Yuriy Zubarev yuriyzubar...@gmail.com wrote:
> Hi,
>
> We have a business rule that forbids two different users to be logged in the system under the same set of credentials at the same time. Does CAS have a support for this? Does this feature have a common name? Non sharable credentials, or something similar?
>
> I tried to search archives to see if the question was already asked but WiscList is hardly usable.
>
> Thank you,
> Yuriy Zubarev
Re: [cas-user] Ensure the same credentials could be used only by one user at the same time
We use JPA so I will investigate the table structure and try to come up with efficient queries.

Thank you,
Yuriy

On Tue, Oct 20, 2009 at 6:09 PM, Scott Battaglia scott.battag...@gmail.com wrote:
> Just a note that not all ticket registries are searchable, nor is it possibly efficient to search them. The default registry will return an entire collection of tickets, while the memcache registry is unable to. The JPA one will, but to load the entire table of tickets may not be efficient.
>
> Cheers,
> Scott
>
> On Tue, Oct 20, 2009 at 9:05 PM, Yuriy Zubarev yuriyzubar...@gmail.com wrote:
>> Thank you,
>>
>> It helps a lot.
>>
>> Yuriy
>>
>> On Tue, Oct 20, 2009 at 5:41 PM, Marvin Addison marvin.addi...@gmail.com wrote:
>>>> We have a business rule that forbids two different users to be logged in the system under the same set of credentials at the same time. Does CAS have a support for this?
>>>
>>> No.
>>>
>>>> Does this feature have a common name?
>>>
>>> Not that I'm aware of.
>>>
>>>> Any help would be appreciated.
>>>
>>> You will have to develop this functionality on your own. If you don't do any credential-to-principal resolution, this can probably be straightforward. In that case I would recommend extending an authentication handler suitable for your authentication source (e.g. LDAP) that uses a post-authentication process to search the TicketRegistry for TGTs with a principal matching the username of the given credential. If you find a match, return false for the postAuthenticate method. We discussed post-authentication handlers today on another thread if you'd like more background.
>>>
>>> M
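
The post-authentication check suggested in this thread, as an added example that is not part of any message above and is not CAS code: `Tgt` and `Registry` are hypothetical stand-ins for the ticket and registry types, and refusing the login when the registry cannot be searched is an assumed policy.

```java
import java.util.Arrays;
import java.util.Collection;

/** Added illustration; Tgt and Registry are stand-ins, not CAS classes. */
public final class SingleSessionCheck {

    /** Stand-in for a ticket-granting ticket: owning principal plus expiry state. */
    static final class Tgt {
        final String principalId;
        final boolean expired;

        Tgt(String principalId, boolean expired) {
            this.principalId = principalId;
            this.expired = expired;
        }
    }

    /** Stand-in for a ticket registry; may throw if it cannot enumerate tickets. */
    interface Registry {
        Collection<Tgt> getTickets();
    }

    /**
     * Accept the login only if no live TGT already belongs to this username.
     * Expired tickets that have not been cleaned up yet are skipped, so a
     * stale entry does not lock the user out.
     */
    static boolean postAuthenticate(String username, boolean authenticated, Registry registry) {
        if (!authenticated) {
            return false;
        }
        final Collection<Tgt> tickets;
        try {
            tickets = registry.getTickets();
        } catch (UnsupportedOperationException e) {
            // Unsearchable registry: the rule cannot be enforced, so refuse (assumed policy).
            return false;
        }
        for (Tgt t : tickets) {
            if (!t.expired && t.principalId.equals(username)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed registry contents: alice has a live TGT, bob only an expired one.
        Registry r = () -> Arrays.asList(new Tgt("alice", false), new Tgt("bob", true));
        System.out.println("alice: " + postAuthenticate("alice", true, r)); // false
        System.out.println("bob:   " + postAuthenticate("bob", true, r));   // true
    }
}
```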
Re: [cas-user] PKIX path building failed: What do I have to do?
Hi,

If you have a self-signed SSL certificate then you could try these instructions:
http://blogs.sun.com/andreas/entry/no_more_unable_to_find

They worked for us.

Regards,
Yuriy

On Mon, Sep 28, 2009 at 2:31 PM, Lee, Sung sung...@tamu.edu wrote:
> I am trying to test the connection to our new CAS 3 server. I made my local Tomcat server as SSL-capable. But when I connect CAS, I get this exception.
>
> SEVERE: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
> Do I need a certificate from an authorized CA? Or is there a way to avoid this?
>
> Below is the error message.
>
> Sep 28, 2009 4:13:26 PM org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator retrieveResponseFromServer
> SEVERE: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
>     at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:35)
>     at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:178)
>     at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:102)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
>     at java.lang.Thread.run(Unknown Source)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>     at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>     at sun.security.validator.Validator.validate(Unknown Source)
>     at
[cas-user] CAS Client 3.1
Hi,

I wanted to upgrade from using version 2.1.1 of the client to version 3.1 but I cannot find anywhere to download it from. I know it sounds silly but I browsed CAS website and all the repositories I know about.

Yuriy
[cas-user] Extending CAS to put more data into session
Hi,

Right now when my client app gets authenticated against CAS, the client's session has the following attributes populated:

edu.yale.its.tp.cas.client.filter.user
edu.yale.its.tp.cas.client.filter.receipt

Is it possible to extend CAS to put more info into the session? If so, where do I start?

Thank you,
Yuriy Zubarev