RE: [cas-user] Application Clients with mod_auth_cas?

2013-12-11 Thread Ohsie, David
Having two CAS clients (mod_auth_cas and phpCAS) in front of one URL is not going to work. Once mod_auth_cas has validated the service ticket from CAS (?ticket=foo), it will pass the call through with the ticket stripped off. phpCAS will then forward back to CAS for an ST, CAS will forward ba

RE: [cas-user] Service requires basic authentication by single sign out

2013-09-18 Thread Ohsie, David
Your problem description is not clear. What is requiring basic authentication? > -Original Message- > From: xie [mailto:xiefei...@hotmail.com] > Sent: Wednesday, September 18, 2013 5:01 AM > To: cas-user@lists.jasig.org > Subject: [cas-user] Service requires basic authentication by single

RE: [cas-user] Broken links

2013-09-18 Thread Ohsie, David
If you can screen scrape, then you should be able to submit the login screen when you see it. You just need to include all hidden fields including the LT. If not, the CAS REST interface might work: https://wiki.jasig.org/display/CASUM/RESTful+API. David Ohsie EMC Corporation From: Muzaffer T

RE:[cas-user] Redirection loop when attempting to access https://localhost:8443/cas/services/

2013-08-29 Thread Ohsie, David
In general, a properly configured CAS client should be validating the cert when calling serviceValidate, proxyValidate, or samlValidate to ensure that it is actually talking to the CAS server and not a "man in the middle". Since in this case, the CAS client is running inside of CAS itself, the

RE:[cas-user] Redirection loop when attempting to access https://localhost:8443/cas/services/

2013-08-29 Thread Ohsie, David
Is the certificate for your CAS server set up as a trusted cert in the truststore of the jre used to run CAS? It could be that the ST validation is failing due to cert validation issues. David Ohsie EMC Corporation > -Original Message- > From: stefan.pae...@diamond.ac.uk > [mailto:stef

RE:[cas-user] How to CASify an app that accepts both CAS and application internal /guest users?

2013-08-29 Thread Ohsie, David
If you are just looking for a way to enable the login to be validated against either LDAP or the local store, you could simply write or wire together an authenticator that does this and have it sit behind CAS. The user enters his username/password and the authenticator decides how to authentica

RE: [cas-user] Missing Proxy Granting Tickets in CAS Client Cluster

2013-08-29 Thread Ohsie, David
Knowing very little about your setup or ehcache, it is possible that the cache is getting overloaded and the PGT is getting ejected from the cache before it can be retrieved? From: Kenneth Erard [mailto:kenneth.er...@gmail.com] Sent: Wednesday, August 28, 2013 4:03 PM To: cas-user@lists.jasig.o

RE: [cas-user] Local Users in CASified applications

2013-08-07 Thread Ohsie, David
We back CAS with authenticators that will look at both ldap and a local user database. You might want to put the local users in a separate namespace to avoid collisions (say LOCAL\admin, LOCAL\securityAdmin, etc.). I don't know of an "off-the-shelf" way to do that, but someone else may. Davi

RE: [cas-user] CAS SSO Question

2013-08-07 Thread Ohsie, David
Yes, I believe so. It sounds like you have configured App3 to use "renew=true" to force the user to login whenever App3 wants to authenticate the user. Since App1 and App2 are configured to accept an authentication from an already established SSO session, then they will not force another log

RE: [cas-user] CAS anti-phishing measures

2013-08-07 Thread Ohsie, David
I think that you are thinking of "SiteKey" (and probably similar systems) http://en.wikipedia.org/wiki/SiteKey. Unfortunately, not clear that it helps :(. > -Original Message- > From: Misagh Moayyed [mailto:mmoay...@unicon.net] > Sent: Wednesday, August 07, 2013 4:31 AM > To: cas-user@li

RE: [cas-user] CAS HTTP Basic Authentication

2013-08-07 Thread Ohsie, David
I'm working on getting our code out in open source. I'll see if I can post some snippets here if they will help... > -Original Message- > From: Philippe MARASSE [mailto:philippe.mara...@ch-poitiers.fr] > Sent: Monday, August 05, 2013 11:02 AM > To: cas-user@lists.jasig.org > Subject: Re:

RE: [cas-user] spammed by same email

2013-07-23 Thread Ohsie, David
Is it possible to put in rules into the mailing list software to suppress messages with the following headers? Auto-submitted: auto-generated x-auto-response-suppress:all The first is a "standard" header http://tools.ietf.org/html/rfc5436#section-2.7.1. The other I think might b

RE: [cas-user] CAS server not returning request parameter appended to cas login url

2013-07-19 Thread Ohsie, David
Thank you for this, I did not realize that there was a way to make this work for many browsers... > -Original Message- > From: jieryn [mailto:jie...@gmail.com] > Sent: Friday, July 19, 2013 1:45 PM > To: cas-user@lists.jasig.org > Subject: Re: [cas-user] CAS server not returning request p

RE: [cas-user] CAS server not returning request parameter appended to cas login url

2013-07-18 Thread Ohsie, David
> I'm also seeing the loss of #k=v URL parameters. If you are seeing the loss of the "fragment" or "hash" part of the URI (the part that comes after the #), then this is not a CAS issue. The fragment is not sent to the server, so the server can't include it in any redirect. The fragment is ha

RE: [cas-user] Normalize principal name

2013-07-14 Thread Ohsie, David
Perhaps you want the CredentialsToLDAPAttributePrincipleResolver? I believe that it sets the principal id to the LDAP attribute set by setPrincipalAttributeName(). http://developer.jasig.org/projects/cas/cas-server-core/cas-server/cas-server-core/apidocs/org/jasig/cas/authentication/principal/Cr

RE:[cas-user] How to retrieve CAS SSO information on non-secure page

2013-07-12 Thread Ohsie, David
it Kotecha [mailto:rohit.kote...@nihilent.com] Sent: Friday, July 12, 2013 3:46 AM To: cas-user@lists.jasig.org Cc: Ohsie, David Subject: RE:[cas-user] How to retrieve CAS SSO information on non-secure page Hi David, Thanks for quick reply. If I will configure CAS client with "gateway

RE: [cas-user] CAS attributes not being released

2013-07-11 Thread Ohsie, David
ly 11, 2013 1:06 PM > To: cas-user@lists.jasig.org > Cc: Ohsie, David > Subject: Re: [cas-user] CAS attributes not being released > > Thanks David, > > I'll take a look at it. > > Right now, I have my service registry configured as such, which is what was &g

RE: [cas-user] CAS attributes not being released

2013-07-11 Thread Ohsie, David
You also have to configure the service registry to allow attribute release for your services. Here is an example of a hardcoded registered service entry that I have that allows the attribute called "USER_ROLES" to be released to any https based service:

RE:[cas-user] How to retrieve CAS SSO information on non-secure page

2013-07-11 Thread Ohsie, David
Put a cas client in front of app2, ideally at an https served URL. This will run the usual CAS protocol to get app2 an ST which the CAS client will then validate to get the logged in user. If you don't want the user to be prompted for a password, but to only ask CAS if a user is already log

RE: [cas-user] closing your browser message

2013-07-10 Thread Ohsie, David
James, in Chrome or Firefox (and probably others), turn on the feature that "restores sessions" when you restart. For chrome you go to this URI: "chrome://settings/" Then choose, in the section "On Startup", the radio button "Continue where I left off". Then try logging into CAS, close the brow

RE: [cas-user] Why is proxying so complicated?

2013-07-08 Thread Ohsie, David
> Subject: [cas-user] Why is proxying so complicated? > > > Why isn't it possible to forward the service ticket to another application and > allow this other application to validate this service ticket a second (or third or > ...) time? [DO] I can answer this part of it. If I allow that, then

RE: Re:[cas-user] How to get userid and other attributes in a custom controller on cas serverside

2013-07-08 Thread Ohsie, David
I hesitate to argue with Jerome but I would suggest a different approach: Rather than hacking into the CAS webflow, why don't you just create a landing page/url for your users. That page is CAS protected and once the user has logged in is responsible for looking at user attributes from CAS and

RE: [cas-user] closing your browser message

2013-07-08 Thread Ohsie, David
There was a session on this topic at the Apereo conference: http://lanyrd.com/2013/apereo/schwpd/ Andrew Petro suggested either 1) Changing the message to tell users to logoff from the OS or lock screen when they want to leave their seats. 2) A coronal mass ejection For your own browser, if you

RE: [cas-user] No active FlowSession to access

2013-07-08 Thread Ohsie, David
Am 02.07.13 16:47, schrieb Ohsie, David: The recommended way is to let CAS present the login screen. You can customize the CAS login screen to look however you want it to look by supplying your own .jsp or changing the .css. right, but from a usability point of view it would be nice to

RE: [cas-user] No active FlowSession to access

2013-07-02 Thread Ohsie, David
The recommended way is to let CAS present the login screen. You can customize the CAS login screen to look however you want it to look by supplying your own .jsp or changing the .css. David Ohsie Software Architect EMC Corporation From: Michael Wechner [mailto:michael.wech...@wyona.com

RE:[cas-user] CAS "service validation" URL pattern?

2013-06-27 Thread Ohsie, David
1) That looks right, although you might want to use "serviceValidate" which is part of the CAS 2.0 protocol: http://www.jasig.org/cas/protocol 2) Is it possible for you to use one of the standard CAS "clients" to protect your application? Then you don't have to implement the protocol. 3

RE: [cas-user] ServiceTicket does not match supplied error

2013-06-27 Thread Ohsie, David
Why don't you apply the CAS client/filter to the generic url (http://server/cgi-bin/WebObjects/CarambolPRX.woa)? Then you will always have the same url from the CAS point of view. I think that would be much better than hacking into CAS to change the way that service URI's are compared. This

RE: [cas-user] /proxy/receptor

2013-06-27 Thread Ohsie, David
This still looks a bit wrong possibly, if you want to actually use that PGT: You want to put in a URI to your cas client, not your cas server. Your cas client needs to receive the PGT. From: Karl Nielsen [mailto:karlnielsen...@gmail.com] Sent: Wednesday, June 26,

RE: [cas-user] Understanding PGTIOU

2013-06-24 Thread Ohsie, David
Is it like for each back end service a PGT is required ? [DO] The PGT is obtained one time when the original ST is validated. That one PGT is used to acquire many PTs: one PT for each service the application is trying to access. Thanks, Sushant. On 19-Jun-2013 11:43 PM, "Oh

RE: [cas-user] Understanding PGTIOU

2013-06-19 Thread Ohsie, David
Let's see if this can help: 1) The CAS client wants to request a PGT while it is validating the ST. 2) However, CAS server doesn't want to return the PGT to the service, because it doesn't really know the identity of the service it is handing the PGT to. The ST might have ended up in the

RE: Re:[cas-user] EhCache Compilation Error

2013-05-31 Thread Ohsie, David
At first blush, it appears that you did not put the cas-server-integration-ehcache-3.5.2.jar file properly onto the classpath. You would want to put the jar files into "WEB-INF/lib" and ensure that the files are readable by whatever user your servlet container runs under. David Ohsie Software

RE: [cas-user] Error URL - java.lang.String arrays in URL?

2013-05-31 Thread Ohsie, David
I would try turning on logging in whatever your http server or a java servlet container is. E.g. if you are using apache as a front end, you can use mod_dumpio: http://httpd.apache.org/docs/2.2/mod/mod_dumpio.html If you are using tomcat, you can use the Access_Log_Valve: http://tomcat.apache.org

RE: [cas-user] session and cookie

2013-05-19 Thread Ohsie, David
Can you read and understand this? https://www.purdue.edu/apps/account/html/cas_presentation_20110407.pdf Alternatively, I suggest you trace a CAS interaction using httpfox in firefox or developer tools in chrome (if you use chrome developer tools make sure to hit the red button so that the to

RE: [cas-user] cas proxy / tgc confusion

2013-05-19 Thread Ohsie, David
Barry, as Jérôme explained, the TGC/TGT is a cookie sent by CAS to the browser, stored by the browser and only played back to the CAS server by the browser. "A" has no access to the TGC, so the TGC can play no role in authenticating the communication from A to B. That is precisely why A needs th

RE: [cas-user] Load balancing of CAS

2013-05-08 Thread Ohsie, David
We did an implementation in cassandra where we set the TTL (time-to-live) for the row containing the ticket based on the remaining time to expire for that ticket. When the last use time of the ticket was updated, we updated the row to push out the TTL. In order to do this, I believe that we had t

RE: Re:[cas-user] Getting more information into cas:serviceResponse

2013-04-27 Thread Ohsie, David
major CAS release is going to clean this all up... david > -----Original Message- > From: Ohsie, David [mailto:david.oh...@emc.com] > Sent: Friday, April 26, 2013 5:50 PM > To: cas-user@lists.jasig.org > Subject: RE: Re:[cas-user] Getting more information into > cas:serviceResp

RE:[cas-user] Spring Security 3.0 + CAS 3.3.5- Apply CAS filter for home page

2013-04-26 Thread Ohsie, David
Does the CAS filter apply to your /home page or not? If the CAS filter is not applying to your /home page, then you will not be able to tell whether the user is already logged in to CAS via another app. To achieve this, you will need to apply the CAS filter to "/home". If you don't want to

RE: Re:[cas-user] Getting more information into cas:serviceResponse

2013-04-26 Thread Ohsie, David
I believe that the simplest thing with Java is to use SAML validator. This doesn’t require any changes in the casServiceValidationSuccess.jsp. You mention upheaval, but unless you have advanced use cases like PGT or REST and programmatic access, using the SAML validator is just a different c

RE:[cas-user] CAS server Internal ticket mechanism

2013-04-26 Thread Ohsie, David
So my question is based on which parameter/attribute CAS server will decide whether to generate service ticket or to forward login page. And how does CAS server come to know the same user has requested resource APP2? The first time the user logs in to CAS, CAS returns a TGC (Ticket Granting Cookie) to

RE: RE:[cas-user] Managing timeouts between multiple applications

2013-04-22 Thread Ohsie, David
> > It did lead me to wonder about the "gateway=true" parameter and whether > there is a way to somehow use this. [DO] That setting will ensure that the user doesn’t get a login screen. You will get a ticket if there is an SSO session established at CAS and not if there isn't. > > I also

RE: [cas-user] Managing timeouts between multiple applications

2013-04-22 Thread Ohsie, David
> I have two spring security based web applications that both use cas to > provide authentication against an open ldap identity store. > > If a user logs into application 1 (App1) and follows a link to application 2 > (App2) the following takes place: > > - Spring (in App1) will call the cas login

RE: [cas-user] Troubles with Single Sign Out

2013-04-19 Thread Ohsie, David
This looks like a spring issue, not a CAS issue. It looks like spring is trying to use a different constructor for LogoutFilter than the one that you are intending to use. The two constructors are http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security

RE: [cas-user] jsessionid cookie not being set

2013-04-16 Thread Ohsie, David
This is really a tomcat question, not a CAS question and it may depend on your version of tomcat. Here is a possible starting point: http://fralef.org/tomcat-disable-jsessionid-in-url.html David Ohsie Software Architect EMC Corporation From: Shaunn Barron [mailto:shau...@gmail.

RE: [cas-user] Preserving the original request

2013-04-12 Thread Ohsie, David
1) For a GET requests using the java cas client, it goes like this: Browser does a GET on https://foo.example.com/foo Service returns a 302 with Location: https://cas.example.com/cas/login?service=https%3A%2F%2Ffoo.example.com%2Ffoo. The original URL is in the service query parameter. Browser

RE: re:[cas-user] CAS 3.3.5-how to rewrite CAS login URL

2013-04-12 Thread Ohsie, David
I'm not sure that you are going to be able to achieve this with any easy method: 1) The browser does have to go to the cas server to login. So the url will start with the location of the CAS server webapp wherever it is. In your case, it is http://localhost:/cas-server-webapp-3.3.5. You

RE: [cas-user] Executing method upon login, regardless of page chosen

2013-04-12 Thread Ohsie, David
I agree with Scott, but it also sounds like it doesn't have all that much to do with authentication. Why not just create a Filter that does whatever you want to and insert it into the filter chain wherever you need to insert it? You can check the HttpSession to see whether you've populated the valu

RE: [cas-user] WebServices versus pages authentication issues.

2013-04-12 Thread Ohsie, David
I don't know the answer, but this is how I would start to attack the problem: 1) Are you sure that your spring security is set up to store the security context in the HttpSession? I think that is done with SecurityContextPersistenceFilter. Probably that is set up, but it is worth checking. I

RE: [cas-user] Use other credentials than UsernamePasswordCredentials

2013-04-12 Thread Ohsie, David
This is not a place for commercial endorsements, but if you are really under time pressure on a commercial project and need professional support, there are experts that you can pay to help (e.g. http://www.unicon.net/, there may be others). I don't know anything about implementing custom creden

RE: [cas-user] Cross-Origin Resource Sharing

2013-04-12 Thread Ohsie, David
I only know enough about browser same-origin policies to get me in trouble. That said, I would try to avoid what you are doing below if possible. Is there a reason not to allow the user to be presented the CAS login form instead of collecting it and getting the TGT/ST via javascript? -Ori

RE: [cas-user] Restricting access to SAMLValidate to whitelisted sites and applications

2013-03-20 Thread Ohsie, David
>> What your scheme does do is to enable enforcement of the audience >> restriction (service parameter), so that only the intended audience >> can even validate the ticket. > Indeed, which seems more within reach than the HoK approach. Client certs used to authenticate the relying party to CAS a

RE: [cas-user] Restricting access to SAMLValidate to whitelisted sites and applications

2013-03-20 Thread Ohsie, David
> I do think a security model where service tickets are not merely bearer tokens will be even better. Nitpick alert: Andrew, your suggested scheme(s) still leaves ST's as bearer tokens with time and audience restrictions (audience restriction = restriction on who the token is intended for). Any

RE: [cas-user] Limitation when proxied service is a REST application.

2013-03-15 Thread Ohsie, David
I have two java web modules: - The first one is accessed directly by the user and acting as CAS-Proxy (proxy.war) - The second one is acting as the proxied service (service.war) - "proxy.war" is accessing "service.war" via REST calls of type GET. The Proxy CAS mechanism is working correctly. I

RE: [cas-user] cas client properties

2013-03-13 Thread Ohsie, David
I was told by others in EMC that this method of ${variable} substitution for a system property doesn't work anymore in JBOSS 7. I did not verify this first hand and I don't know much about JBOSS so take that with a grain of salt. David Ohsie Software Architect EMC Corporation From: Cur

RE: [cas-user] cas client properties

2013-03-13 Thread Ohsie, David
We also successfully use the spring PropertyPlaceholderConfigurer for this purpose. If you are using spring in your application already, this is probably the easiest path. David Ohsie Software Architect EMC Corporation From: Andrew Chandler [mailto:a...@riftware.com] Sent: Wednes

RE: [cas-user] Mod-auth-cas proxy ticket support

2013-03-13 Thread Ohsie, David
In my experience, mod_auth_cas will gladly validate a proxy ticket as long as you point it at "proxyValidate" instead of "serviceValidate" as the ticket validation URI. What it won't do is validate the proxyChain: instead it will just accept all proxy tickets. Also samlValidate won't work with pr

RE: [cas-user] Public computer login and CAS

2013-03-01 Thread Ohsie, David
r login and CAS The latest Firefox (v 19.0) on a mac. Regards, Danny On Fri, Mar 1, 2013 at 8:58 AM, Robert Oschwald wrote: Are you using Firefox ? Then this bug might be of interest: https://bugzilla.mozilla.org/show_bug.cgi?id=443354#c48 Am 01.03.2013 um 14:53 schrieb "Ohsie

RE: [cas-user] Public computer login and CAS

2013-03-01 Thread Ohsie, David
you using Firefox ? Then this bug might be of interest: https://bugzilla.mozilla.org/show_bug.cgi?id=443354#c48 Am 01.03.2013 um 14:53 schrieb "Ohsie, David" : So I guess the next natural questions, based on the observations posted here are as follows: 1) If you close yo

RE: [cas-user] Public computer login and CAS

2013-02-28 Thread Ohsie, David
ges are restored. If you know of a server-side way to prevent this, I'd love to hear it! Andy On Thu, 28 Feb 2013, Ohsie, David wrote: > Andrew, my experience using firefox and chrome (and I think IE as well) to > access CAS protected applications differs. If the cookies ar

RE: [cas-user] Public computer login and CAS

2013-02-28 Thread Ohsie, David
ne study. http://www.jiti.net/v11/jiti.v11n3.169-182.pdf On Thu, Feb 28, 2013 at 2:08 PM, Ohsie, David wrote: Do you have "Remember Me" turned on? If not, it is possible that either the session cookies from your site are persistent (with an explicit Expires/MaxAge) or els

RE: [cas-user] Public computer login and CAS

2013-02-28 Thread Ohsie, David
Do you have "Remember Me" turned on? If not, it is possible that either the session cookies from your site are persistent (with an explicit Expires/MaxAge) or else the cache control headers are allowing some pages to remain within the browser cache. From: Danny Sinang [mailto:d.sin...@g

RE: [cas-user] Unexpected CAS-Proxy behavior

2013-02-28 Thread Ohsie, David
l recognized the cookie and know that it is the same user as last time, so it will not require a new PT. Regards, Alf. On Thu, Feb 28, 2013 at 2:58 PM, Ohsie, David wrote: Generally speaking, once a "CAS Client" validates an ST, the CAS client is responsible for maintai

RE: [cas-user] Unexpected CAS-Proxy behavior

2013-02-28 Thread Ohsie, David
Generally speaking, once a "CAS Client" validates an ST, the CAS client is responsible for maintaining the session state with both the principal (username) and the associated attributes. When you use the Java CAS Client, it will store those values in the HttpSession object and the session identifi

RE: Re:[cas-user] Redirect after login

2013-02-27 Thread Ohsie, David
Did you check what Scott pointed out in a prior email? If you want CAS to forward you back to the original URL, then you need to use the serverName parameter when configuring the java cas client. Perhaps you could share your web.xml? David Ohsie Software Architect EMC Corporation -Original

RE: re:[cas-user] Repeated Authentication for application

2013-02-21 Thread Ohsie, David
Which CAS client are you using? The validation filters in the Java CAS client have a "useSession" parameter. If you set it to "false", then the access will not create a session and you will need to get a ticket for each access. If you combine that with renew set to "true" and redirectAfterVali

RE: [cas-user] Non-browser client

2013-02-18 Thread Ohsie, David
I hope to post more in more detail about this later, but we made a modification to the CAS client to send back a 401 (with WWW-Authenticate: X-EMC-CAS) instead of a 302 when the client is a non-browser client and authentication is needed. Then our non-browser clients can make rest calls, and when

RE: [cas-user] URL encoding and CAS

2013-02-15 Thread Ohsie, David
Jeff, were you able to isolate your problem to CAS using the browser as I suggested below? Again, I suspect there is an issue with your CAS client or some other aspect of the system. David Ohsie Software Architect EMC Corporation -Original Message- From: Ohsie, David Sent: Tuesday

RE: [cas-user] URL encoding and CAS

2013-02-15 Thread Ohsie, David
ng going on parsing the result. Robert Ginsburg rob...@ginsburg.me (803) 467 - 3329 -----Original Message- From: Ohsie, David [mailto:david.oh...@emc.com] Sent: Thursday, February 14, 2013 11:36 PM To: cas-user@lists.jasig.org Subject: RE: [cas-user] URL encoding and CAS OK, I could not

RE: [cas-user] URL encoding and CAS

2013-02-14 Thread Ohsie, David
nsburg rob...@ginsburg.me (803) 467 - 3329 -Original Message----- From: Ohsie, David [mailto:david.oh...@emc.com] Sent: Wednesday, February 13, 2013 11:42 PM To: cas-user@lists.jasig.org Subject: RE: [cas-user] URL encoding and CAS I tried to reproduce your problem, but I got a different resul

RE:[cas-user] samlp namespace question for the samlValidate url

2013-02-14 Thread Ohsie, David
The XML parsing in the SAML 1.1 attribute release support is not done using a proper XML parser. There are probably a lot of equivalent documents that you could pass in that the parser would fail at; similarly, you can probably throw bad XML at it and still get a good response if you put in th

RE: [cas-user] URL encoding and CAS

2013-02-14 Thread Ohsie, David
bject: RE: [cas-user] URL encoding and CAS Thanks, I am using CAS 3.51, Tomcat 7.0 , JRE 1.7.0 update 11, running on Windows 2008 R2 Robert Ginsburg rob...@ginsburg.me (803) 467 - 3329 -Original Message- From: Ohsie, David [mailto:david.oh...@emc.com] Sent: Wednesday, February 13, 2

RE: [cas-user] URL encoding and CAS

2013-02-13 Thread Ohsie, David
my server. Robert Ginsburg rob...@ginsburg.me (803) 467 - 3329 -Original Message- From: Ohsie, David [mailto:david.oh...@emc.com] Sent: Wednesday, February 13, 2013 10:26 AM To: cas-user@lists.jasig.org Subject: RE: [cas-user] URL encoding and CAS Can you report which CAS client y

RE: [cas-user] URL encoding and CAS

2013-02-13 Thread Ohsie, David
Can you report which CAS client you are using and also post the URL that is in your browser address bar at the CAS login page or a log of the web server requests. "Long" or "complex" URL's should be working without a problem. david -Original Message- From: Robert Ginsburg [mailto:rob...@

RE: [cas-user] CAS protected glassfish webservice problems with CAS RESTful API

2013-02-12 Thread Ohsie, David
I think that Jérôme probably hit it with this suggestion: Do you have the parameter redirectAfterValidation set to true for your CAS validation filter ? After validating the service ticket, many (most? all?) CAS clients will respond with a 302 sending you back to the protected URI with o

RE: [cas-user] URL encoding and CAS

2013-02-12 Thread Ohsie, David
CAS should be able to handle your example without a problem. There was a time a number of years ago where the mod_auth_cas client did not properly encode the URI when creating the "service=" query parameter, but we contributed back some fixes and I think that they have all been incorporated. I c

RE:[cas-user] Is there a schedule for a release of the Jasig Java CAS client 3.3

2013-01-30 Thread Ohsie, David
Sorry to bother with a duplicate, but does anyone know the answer to this question? (Apologies if I somehow missed it). From: Ohsie, David [mailto:david.oh...@emc.com] Sent: Wednesday, January 23, 2013 4:07 PM To: cas-user@lists.jasig.org Cc: Meunier, Frederic Subject: [cas-user] Is there a

RE: [cas-user] upgrading from 3.5.0 to 3.5.1

2013-01-29 Thread Ohsie, David
It looks like you've got an old version (perhaps 1.5.8) of slf4j libraries hanging around on your classpath somewhere. See here for more details: http://stackoverflow.com/a/3528823 In the upgrade from CAS 3.5.0 to 3.5.1, it seems that various logging libraries were updated including moving jcl

RE: [cas-user] Ticket validation failed when IP changed ?

2013-01-25 Thread Ohsie, David
-user] Ticket validation failed when IP changed ? Looks correct on this – Thanks ! >From “serviceTicketExpirationPolicy.xml” default set to… Changing to a minute and keeping an eye on responses on log-file. Perfect ! Cheers From: Ohsie, David [mailto:

RE: [cas-user] Ticket validation failed when IP changed ?

2013-01-24 Thread Ohsie, David
> Thanks gents, > As stated this is not a problem happening continuously, but today we had an > occurrence of 26 vs. 3514 successful logins. > Also I ruled out the timeout as seen on the log, it is within minutes of the > original request... The default ST (Service Ticket) expiration perio

[cas-user] Is there a schedule for a release of the Jasig Java CAS client 3.3

2013-01-23 Thread Ohsie, David
Is there a schedule for a release of the Jasig Java CAS client 3.3? There is a fix in that future version for https://issues.jasig.org/browse/CASC-188 and I prefer to stick with release versions if possible. Thanks much, David Ohsie Software Architect EMC Corporation

RE: [cas-user] Single Sign Out - and load balancer

2012-12-17 Thread Ohsie, David
>> It seems like the answer to your Single Sign Out issue in a load balanced >> environment is fairly simple. >> Use a shared session mechanism instead of using sticky sessions for your >> load balanced servers. > This is incorrect. Since the request is sourced differently from the CAS > serve

RE: Re:[cas-user] Proxy Ticket expiration while session still active

2012-11-27 Thread Ohsie, David
Excellent point to consider. That means that it is very difficult to make PGT lifetime match application session lifetime. I need some more thought on this... David Ohsie EMC Corporation -Original Message- From: Olivier [mailto:o-dar...@smacl.fr] Sent: Friday, November 23, 2012 7:48 AM

RE: [cas-user] TGT, ST, and PGT expiration configuration

2012-11-27 Thread Ohsie, David
hat might be configuration that could be expressed more simply by exposing more of the conceptual domain (TGTs, STs, PGTs) in ticket expiration configuration. Kind regards, Andrew On Wed, Nov 21, 2012 at 6:58 PM, Ohsie, David mailto:david.oh...@emc.com>> wrote: An interesting approach migh

RE: [cas-user] Proxy Ticket expiration while session still active

2012-11-21 Thread Ohsie, David
n isExpired() { return this.expirationPolicy.isExpired(this) || (getGrantingTicket() != null && getGrantingTicket().isExpired()) || isExpiredInternal(); } [1]: https://github.com/Jasig/cas/blob/v3.5.1/cas-server-core/src/main/java/org/jasig/cas/ticket/AbstractTicket.java Andrew On

RE: [cas-user] Proxy Ticket expiration while session still active

2012-11-21 Thread Ohsie, David
Your CAS server is configured so that PGTs have an idle timeout. Maybe that timeout is too short, or maybe you'd rather they had only a hard timeout. Or maybe you'd rather they had no timeout at all and expired only when the end user's CAS single sign-on session ends. Question: If a PGT has

RE: [cas-user] CAS Unavailable after renewing LDAP server's SSL cert

2012-11-21 Thread Ohsie, David
In case this issue is still active, you need to make sure you are importing the cert into your "truststore". That is the keystore that has the certs that you trust and is used to validate the cert on your outgoing https connection. http://docs.oracle.com/javase/1.4.2/docs/guide/security/jsse/

RE: [cas-user] service redirect

2012-11-21 Thread Ohsie, David
I find it much easier to debug problems in the CAS protocol with a trace of the http traffic from the client's point of view. Could you provide such a trace? Also, have you looked at this: https://wiki.jasig.org/display/CASUM/RESTful+API It would spare you from having to scree

RE: [cas-user] What is the best way to handle CAS session timeout?

2012-11-15 Thread Ohsie, David
Adding just a bit more... Can TGT expiration be pushed back due to client activity? Yes, you can set the separate "idle" and "hard" timeout for TGT's: https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/ticketExpirationPolicies.xml

RE: [cas-user] Service ticket for multiple service URL

2012-11-13 Thread Ohsie, David
ring the cookie is really what you want. Alex. On 13 November 2012 08:03, Ohsie, David mailto:david.oh...@emc.com>> wrote: Any reason the two apps can't be served by the same apache http server? If they can, then the same cookie should work for both, I believe. David Ohsie EMC

RE: [cas-user] Anyone out there using Jetty?

2012-11-13 Thread Ohsie, David
We're using jetty 6 and 7 for some products and tomcat in some others. I don't have a detailed comparison, but we've definitely found it easy to configure and customize Jetty and replace parts like the session handler because jetty configuration is basically just a "spring-like" wiring of the vari

RE: [cas-user] Service ticket for multiple service URL

2012-11-13 Thread Ohsie, David
Any reason the two apps can't be served by the same apache http server? If they can, then the same cookie should work for both, I believe. David Ohsie EMC Corporation From: Alexandre Chapellon [mailto:alex.chapel...@alfresco.com] Sent: Friday, November 09, 2012 4:41 AM To: cas-user@lists.

RE: [cas-user] JSESSIONID

2012-11-12 Thread Ohsie, David
The Java CAS Client stores identity (and attributes if using attribute release) in the HttpSession after it validates the service ticket (see source code here: http://grepcode.com/file/repo1.maven.org/maven2/org.jasig.cas.client/cas-client-core/3.2.1/org/jasig/cas/client/validation/AbstractTicket