"cas-user" <cas-user@lists.jasig.org>
Sent: Thursday, October 29, 2015 3:15:51 PM
Subject: Re: [cas-user] Hazelcast deployment architecture - secure tunnel
between nodes?
On Mon, Oct 26, 2015 at 11:16:42AM -0400, Waldbieser, Carl wrote:
For those of you who have deployed Hazelcast, are you using a secure tunnel
between CAS nodes (e.g. ipsec)? If so, do you monitor that the tunnel stays
up, and how do you do that?
Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
Looks like you authenticated successfully, but CAS is unable to authorize you
to use the service. Not sure how it works in CAS4, but in 3.x you have to
specifically configure a list of admin users.
Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
- Original Message -
If you want to support some kind of federated identity management (and it
sounds like you do), using some kind of SAML2 based solution is probably going
to be more straightforward than trying to adapt CAS to that space. Shibboleth
is a prime example of a SAML-based solution, but there are
When placing CAS behind an HTTP proxy, it is possible to include the client IP
connecting to the proxy in an HTTP header that is passed on to the back end CAS
service (e.g. X-Forwarded-For).
Is it possible to configure CAS to log the value of such a header rather than
the actual client IP
of the
session file expiring.
What I am getting is nothing expires and nothing times out ever unless I close
IE.
I hate IE but that's what the customer uses.
Thanks
-Original Message-
From: Waldbieser, Carl [mailto:waldb...@lafayette.edu]
Sent: Tuesday, October 13, 2015 12:36 PM
To
as still open.
I think that CAS has a 2 hour hard timeout as well.
7200 seconds.
This still leaves me with just the issue of this.
How to hook SLO to delete the CAS ticket and then prox back to the web server
and delete the temp file in mod_auth _cas?
-Original Message-
From: Waldbieser,
Chris,
Can you provide more detail? I.e. what is your expectation as to what is going
to happen, and what actually happens?
Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
- Original Message -
From: "Chris Cheltenham"
To: "cas-user"
The /logout resource on the CAS server should destroy the TGT for that user.
It should also destroy the corresponding TGC for the *cas server domain*.
Apache + mod_auth_cas is an extra session for a cas client. From a user-agent
point of view, this session appears to be part of the cas client
I think the way to handle this is for your application to kill all cookies for
your site, which would include the mod_auth_cas session.
It goes something like this:
1) User clicks on logout button/link.
2) Script/program in your app clears out all cookies for the app domain (app
session,
Chris,
It is really an Apache setting [1].
`Directory` indicates the enclosed directives apply to the underlying file
system.
`Location` indicates the enclosed directives apply to resources located outside
of the file system.
Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
success with passing attributes using
the CAS 2 protocol?
Thanks!
___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu
From: Waldbieser, Carl waldb...@lafayette.edu
Sent: Wednesday, August 26, 2015 2:09 PM
To: cas-user
In fact, this sounded so familiar, I realized I had written a shell script to do
exactly that.
It is attached as service_validate_curl.txt.
Thanks,
Carl
- Original Message -
From: waldbiec waldb...@lafayette.edu
To: cas-user cas-user@lists.jasig.org
Sent: Wednesday, August 26, 2015
I forget whether the PHP CAS client DEBUG mode has a setting where you can see
the raw response. That would be the thing to see.
Otherwise, you make a cURL request with a valid TGC cookie to request an ST.
Once you have it, you can make a second cURL request to validate it and see the
If you could go into more detail, that would probably help.
Do you have a link or docs for the web service you are trying to use?
Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
- Original Message -
From: Mahantesh Prasad Katti mahantesh.ka...@indecomm.net
To: cas-user
, August 12, 2015 10:21:06 PM
Subject: Re: [cas-user] mod_auth_cas - trust question
On Wed, Aug 12, 2015 at 8:57 PM, Waldbieser, Carl
waldb...@lafayette.edu wrote:
I still wasn't able to get using a folder of PEM files to work.
Did you hash the files with OpenSSL's c_rehash?
, Aug 12, 2015 at 2:59 PM, Waldbieser, Carl
waldb...@lafayette.edu wrote:
I have mod_auth_cas protecting a web site.
If I *don't* set `CASCertificatePath`, then everything works how I would
expect (CAS authenticates user, service ticket validated, user identified to
site via REMOTE_USER).
However
I have mod_auth_cas protecting a web site.
If I *don't* set `CASCertificatePath`, then everything works how I would expect
(CAS authenticates user, service ticket validated, user identified to site via
REMOTE_USER).
However, if I set `CASCertificatePath` to the full path of a PEM file
Is there some way to tell the Java CAS client what trust store it should be
using?
I may be using the incorrect terminology, so put another way: Is there a way to
tell the Java CAS client that I want it to trust the CA certificates in a
particular keystore file (.jks file) rather than the
for sslConfigFile here in the project's README/docs:
https://github.com/Jasig/java-cas-client
I don't know if that will stop the client from looking into the Java
keystore though. Probably not.
-Original Message-
From: Waldbieser, Carl [mailto:waldb...@lafayette.edu]
Sent: Wednesday
...@unicon.net
To: cas-user@lists.jasig.org
Sent: Wednesday, August 5, 2015 11:55:32 AM
Subject: RE: [cas-user] Java CAS client and Trust Store
Yes, that should do it.
-Original Message-
From: Waldbieser, Carl [mailto:waldb...@lafayette.edu]
Sent: Wednesday, August 5, 2015 8:37 AM
To: cas
Geoffrey,
Can you just map both 'uid' and 'cn' to 'UDC_IDENTIFIER'? I could see a
potential issue with that if one directory supports both attributes and there
would be some potential ambiguity about which attribute would actually end up
being mapped.
I am guessing there is likely to be a
Not sure how the mail list likes attachments.
I have attached a tarball cas-splunk.tgz that has several of the more useful
dashboards.
Nothing that follows every service access-- I think that will require some
unusual joins.
However, some of the statistics dashboards give some good high level
Yes, I have some nice splunk dashboards for CAS I can share if there is
interest.
Though I can sympathize with Marvin about the output format. It required at
the very least some newline mangling before splunk could ingest the logs very
well. Something like: key1=value, key2=value,
Also, here are my settings for cas from
$SPLUNK_HOME/etc/apps/search/local/props.conf:
[cas]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}
EXTRACT-cas_log_level =
Rebecca,
On the LDAP side, do the LDAP logs agree that invalid credentials was presented?
Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
- Original Message -
From: Rebecca Fountain rfount...@tacomacc.edu
To: cas-user@lists.jasig.org
Sent: Wednesday, July 15, 2015
If you crank up the log levels on Tomcat, you should see an HTTP POST in the
access logs.
That would indicate the credentials are delivered successfully to the CAS
application.
Do you see any evidence in your LDAP logs that an LDAP connection was dropped
mid-stream?
Thanks,
Carl Waldbieser
Dave,
We are going ahead with sticky sessions behind an nginx proxy.
Authentication at the CAS server is not RESTful due to (I believe) the Spring
conversational state.
A shared session would be one way to accomplish that, but that seems like a
rather complex solution to me.
We've tested with
Mike,
Are you sure it is not some kind of ACL issue on the AD side?
When one account can cause the system to behave correctly but another cannot,
it usually boils down to a permission issue.
If LDAP logs are inaccessible or difficult to decipher, I sometimes insert an
LDAP proxy between my
)
ldap.authn.format=%s...@fuller.edu
Thanks for taking a look at this.
On Tue, Jun 30, 2015 at 12:06 PM, Waldbieser, Carl waldb...@lafayette.edu
wrote:
Mike,
Could you post the non-sensitive parts of your LDAP configuration?
We are using CAS 3.x and using OpenLDAP so it is not necessarily a good match,
but our settings look like:
# == LDAP Authentication settings ==
ldap.authentication.filter=uid=%u
to authenticate the user.
Thanks,
Mike
On Tue, Jun 30, 2015 at 1:17 PM, Waldbieser, Carl waldb...@lafayette.edu
wrote:
Mike,
I did notice this while going over the instructions:
The following configuration authenticates users by sAMAccountName
without performing a search, which requires
Service ticket validation is more or less integral to how CAS works.
Maybe if you could explain a bit more in depth what you are trying to
accomplish, it might make more sense to the members of the community, and you
could receive better advice.
Also, why do you believe there would be some
Phil,
You could issue a pull request on GitHub:
https://github.com/Jasig/phpCAS
Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
- Original Message -
From: Phil Romov pro...@harryfox.com
To: cas-user@lists.jasig.org
Sent: Monday, June 8, 2015 10:56:41 AM
Subject:
Jason,
What do you put for the baseDN when it *does* work? Something like
`ou=physics,dc=test,dc=com`?
Are you able to use a generic LDAP query tool (e.g. `ldapsearch`) to query from
both base DNs using the *same* credentials that CAS is trying to use? It
sounds like it could be an ACL
Jason,
Is this for CAS server 4.x?
To clarify, are you saying that any service entries you add dynamically via the
web interface end up in the JSON file, but no longer appear in the web
interface? Is CAS accepting login requests for those services or not?
Thanks,
Carl Waldbieser
ITS Systems
with JSON Services Registry
This is for CAS 3.5.3. Yes, any service entries added via the web
interface end up in the JSON file but not in the web interface.
CAS does not authorize the websites that are added.
On Fri, Jun 5, 2015 at 12:11 PM, Waldbieser, Carl waldb...@lafayette.edu
wrote:
Jason
how to enable it
It might also be something to do with tomcat, as I copied over the entire
webapps/cas directory from an older working version, and it doesn’t work
on my new tomcat install.
Really puzzled. Any pointers are appreciated.
Thanks!
Phil
On 5/28/15, 9:28 AM, Waldbieser, Carl waldb
to
modify the deployed war. Set org.jasig or other appropriate packages to
DEBUG. Depending on your configuration, logs will be written to cas.log
or
tomcat's log directory, etc.
-Original Message-
From: Waldbieser, Carl [mailto:waldb...@lafayette.edu]
Sent: Friday, May 29, 2015 11:13 AM
pointing to the
logs!
At this point I might try to sniff the network traffic instead :X
Any other ideas are welcome
Thanks
Phil
On 5/26/15, 3:18 PM, Waldbieser, Carl waldb...@lafayette.edu wrote:
Phil,
Can you tell if your CAS instance is actually connecting to your MySQL database
to authenticate?
Can you look at the MySQL query log to see what queries your CAS instance is
making against it?
https://dev.mysql.com/doc/refman/5.1/en/query-log.html
Thanks,
Carl Waldbieser
ITS Systems
You need to use the CAS v3.0 protocol, or there is a hack that lets you use
attributes with the CAS v2.0 protocol.
Since you are using the v4.0 server, I would just use the v3.0 services.
Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College
- Original Message -
From: Fredy
We use nginx in front of CAS-protected services at Lafayette.
Can you share any details of your setup?
Do you have just a single CAS node?
Where does the communication break down? Can you not browse to CAS? Does the
redirect to the service fail? Is the service not able to perform the back
Nancy,
If you use the RESTful API, I think your robot would need to present a
credential to CAS to authenticate.
If you are using proxy-CAS, the user presents a credential to the CAS server
and then some service the user authenticates to via CAS is allowed to
authenticate to another service
to create another own CA, or do I have to import the
server CA into $JAVA_HOME/jre/lib/security/cacerts (client)?
Sorry but all this is new for me!!
Thanks
Gianluca
Il giorno martedì 24 marzo 2015 16:29:55 UTC+1, Waldbieser, Carl ha scritto:
Gianluca,
Is this a development environment
*mydomain.crt* -keystore
*keystore.jks*Thanks
Gianluca
Il giorno mercoledì 25 marzo 2015 14:21:07 UTC+1, Waldbieser, Carl ha
scritto:
Gianluca,
For development, I like to use the openssl tools to create my own CA and
use it to sign my own certificates rather than using a self-signed
certificate
Gianluca,
Is this a development environment or is it a production environment where
users' web browsers need to trust the certificate? In the latter case, you
will need to generate a private key, make a certificate request, and get the
certificate signed by a Certificate Authority (CA).
In a
If you are using a Regex matcher, you need to end in something like '.*' ('.'
means any character, '*' means zero or more times).
Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College
- Original Message -
From: Yannick MOLINET yann...@adn-systemes.fr
To:
test it out myself, but I don't have access to the
application, nor any current PHP applications to test with at the moment.
On 2/19/15, 9:57 AM, Waldbieser, Carl waldb...@lafayette.edu wrote:
Ben,
Likely, you also have some kind of PHP session for the application.
= Generally speaking, logging out of CAS SSO does *NOT* log you out of any
application sessions. =
So you might want to clear any normal PHP session prior to calling
`phpCAS::logout()`.
Thanks,
Carl Waldbieser
ITS
I have noticed the JSESSIONID cookie, typical for a lot of Java apps.
Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College
- Original Message -
From: Jayakumar Jayaraman india@gmail.com
To: cas-user@lists.jasig.org
Sent: Monday, February 16, 2015 12:24:40 PM
Subject:
=$SERVICE --data ticket=$ST
$SERVICE_VALIDATE
On Wed, 11 Feb 2015, Waldbieser, Carl wrote:
Can you use a command line HTTP client like cURL[1] or httpie[2] to request an
ST and validate it? Here is a unix shell script I use with httpie to inspect
CAS validation responses:
#! /bin/sh
CAS_LOGIN=https://cas.example.net/cas/login;
Yes.
The service ticket can only be used once.
Once a service validates the service ticket, it ought to establish some kind of
local application specific session.
The fact that the ticket is being validated twice suggests that maybe the
client is configured incorrectly.
Thanks,
Carl Waldbieser
On Wed, Feb 11, 2015 at 10:01 AM, Durga Prasad cdp@gmail.com wrote:
Hi Carl,
Superb explanation. Really articulated well.
Thanks much.
Regards,
Prasad
On Mon, Feb 9, 2015 at 10:33 PM, Waldbieser, Carl waldb...@lafayette.edu
wrote:
Prasad,
1. CAS uses a Ticket Granting cookie (TGC) to track the TGT issued during
authentication.
2. CAS does not specifically protect from these attacks. However, if you are
using TLS as the transport layer for your services, that protects against MITM
and replay attacks. Cross Site
] Cas client gateway mode
No, it doesn't have the extra parameters, if I change the form to submit
data by GET method, then it works OK, but when I do it by POST, extra
parameters are discarded.
El lunes, 2 de febrero de 2015, 16:24:40 (UTC-2), Waldbieser, Carl escribió:
Carlos,
When
, somehow it
doesn't preserve post parameters. Maybe that's the way it is supposed to
work, but if that is the case, I need to know how to submit with POST
method without losing the form data.
El lunes, 2 de febrero de 2015, 17:54:19 (UTC-2), Waldbieser, Carl escribió:
Carlos,
Are you saying
Linda,
Is there any indication (e.g. from proxy logs) that the accounts that are
failing over are actually making requests against the proxy? In other words,
do you have any indication whether the issue is that the fail over requests are
never being made or that the requests are being made
Carlos,
When the user's browser is redirected to CAS for authentication, does the
`service` parameter already have the extra parameters embedded and properly
encoded in it?
I.e., can you use something like [developer tools] - [network] in Chrome and
show us what the HTTP request parameters
Chris,
It is true, you don't need to use a Service Manager, but that means that *any*
service can use your CAS. This might not be what you want-- a rogue service
provider could leverage your CAS in order to fool your users into thinking it
is a trustworthy service. Once authenticated, it may
Adam,
Proxy Granting tickets *are* reused. Service providers get a PGT during proxy
validation, and then can use them to request proxy tickets multiple times.
Proxy Tickets (PTs) are one use only, just like service tickets (STs).
The current protocol spec [1] states (section 3.3.1)
Chris,
What happens in this scenario?
1) Restart Tomcat.
2) Browse to login page (assuming you mean CAS login with no service) = SUCCESS
3) Use another browser, log in as *same user* as in #2 = ???
Not sure, but I think plain text encoding for the password is probably a
default. For LDAP
= FAIL
#-Original Message-
#From: Waldbieser, Carl [mailto:waldb...@lafayette.edu]
#Sent: Wednesday, January 21, 2015 9:20 AM
#To: cas-user@lists.jasig.org
#Subject: Re: [cas-user] Authentication problems using MySQL with CAS 4.0.0
#and Tomcat 8
#
#Chris,
#
#What happens in this scenario
Chris,
Here are some links that might help:
http://security.stackexchange.com/questions/20803/how-does-ssl-tls-work
http://datacenteroverlords.com/2011/09/25/ssl-who-do-you-trust/
The basic idea is that when you surf the web, your browser connects to
a web server over a TCP
Zac,
This SO question/answer describes what the error is trying to tell you:
http://stackoverflow.com/questions/9533786/spring-web-flow-locktimeoutexception
So it looks like the Spring Webflow conversation is taking too long. As the
answer points out, troubleshooting is tricky because the
to use the
LdapPersonAttributeDao in the attributeRepository.
What else do I need to do to enable them at the server?
Thanks for your help.
Mike
On Thu, Jan 8, 2015 at 12:10 PM, Waldbieser, Carl waldb...@lafayette.edu
wrote:
Mike,
Try turning on debug output in the client with something like
`phpCAS::setDebug($debug_file);`.
Then you can see if the attributes are being returned. If not, you may need to
enable them at the server.
Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
- Original
I found login rate limiting info here:
https://wiki.jasig.org/display/CASUM/Throttling+Login+Attempts
Is there a means to limit how many ST validations are allowed per user in a
given unit of time?
Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
- Original Message
Dave,
This is more or less what happened to us. We received alerts from our
monitoring systems that /var was filling up on our cas host. In our case, we
had EHCache configured to dump to disk after a certain size limit was reached.
We bounced the service and removed the ticket file.
We
I looked back at the logs-- we actually ran into trouble because this account
was requesting and validating *Proxy Granting Tickets*, so perhaps I spoke to
soon.
I would still be interested in limiting the number of *PGTs* that can be issued
per user over a period of time, though.
Thanks,
-586-2369
-Original Message-
From: Waldbieser, Carl [mailto:waldb...@lafayette.edu]
Sent: Tuesday, December 02, 2014 12:52 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Cas for Cognos
Chris,
The typical scenario is for the user to authenticate with CAS.
The credentials
: Waldbieser, Carl [mailto:waldb...@lafayette.edu]
Sent: Wednesday, December 03, 2014 9:24 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Cas for Cognos
Chris,
So what is your service setup like? I.e. what CAS client are you using?
For example, if you are using an Apache front end
@lists.jasig.org
Sent: Wednesday, December 3, 2014 9:59:43 AM
Subject: RE: [cas-user] Cas for Cognos
Carl,
I'll give it a shot and let you know.
Thanks
Thank You,
Chris Cheltenham
SwainTechs / HHS
Cell# 267-586-2369
-Original Message-
From: Waldbieser, Carl [mailto:waldb...@lafayette.edu
is very similar but none of seems to work for us.
Thank You,
Chris Cheltenham
SwainTechs / HHS
Cell# 267-586-2369
-Original Message-
From: Waldbieser, Carl [mailto:waldb...@lafayette.edu]
Sent: Wednesday, December 03, 2014 10:18 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user
Message-
From: Waldbieser, Carl [mailto:waldb...@lafayette.edu]
Sent: Wednesday, December 03, 2014 10:52 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Cas for Cognos
Chris,
Is the following relevant documentation for Cognos that you are working with?
http://www.ibm.com
Cheltenham cchelten...@swaintechs.com
To: cas-user@lists.jasig.org
Sent: Wednesday, December 3, 2014 2:10:16 PM
Subject: RE: [cas-user] Cas for Cognos
Carl,
See below
Thanks again.
Thank You,
Chris Cheltenham
SwainTechs / HHS
Cell# 267-586-2369
-Original Message-
From: Waldbieser, Carl
Isn't the whole point of CAS so that the service provider *does not get the
user credentials*?
Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College
- Original Message -
From: Chris Cheltenham cchelten...@swaintechs.com
To: cas-user@lists.jasig.org
Sent: Tuesday, December 2,
to log in twice which defeats the purpose of SSO.
What service provider are you talking about?
Thank You,
Chris Cheltenham
SwainTechs / HHS
Cell# 267-586-2369
-Original Message-
From: Waldbieser, Carl [mailto:waldb...@lafayette.edu]
Sent: Tuesday, December 02, 2014 10:49 AM
To: cas
will redirect to C?
Anyway, I think it is possible to change the logic flow on CAS to redirect to
webapp C.
Another question: if I correctly modify the CAS flow, how can I have a SAML
token on webapp C?
Cheers,
Federico
Il 03/nov/2014 19:02 Waldbieser, Carl waldb...@lafayette.edu ha
scritto:
Federico,
If all
3, 2014 11:01:20 AM UTC-5, Waldbieser, Carl wrote:
From the protocol spec [1]:
Its purpose is to prevent the replaying of credentials due to bugs in
web browsers.
[1]
https://github.com/Jasig/cas/blob/master/cas-server-protocol/3.0/cas_protocol_3_0.md#35-login-ticket
Thanks
? In the documentation related to Java
CAS Client there isn't a Filter I can use to validate using CAS 3.0 protocol
2014-11-04 14:55 GMT+01:00 Waldbieser, Carl waldb...@lafayette.edu:
Federico,
CAS redirects you to the service parameter passed to the login screen.
A could pass C's service URL
From the protocol spec [1]:
Its purpose is to prevent the replaying of credentials due to bugs in web
browsers.
[1]
https://github.com/Jasig/cas/blob/master/cas-server-protocol/3.0/cas_protocol_3_0.md#35-login-ticket
Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College
-
Federico,
It sounds like your users should authenticate with CAS to webapp A or B. Those
services should request proxy granting tickets for webapp C. They should then
request proxy tickets for webapp C and attempt to get the user's roles on a back
channel.
Your users would never browse to or
for those scenario I want to
protect some services without direct interaction of users.
Anything can be done using CAS for my scenario?
Thanks,
Federico
2014-11-03 18:13 GMT+01:00 Waldbieser, Carl waldb...@lafayette.edu:
Federico,
When a user authenticates to C, can C transparently get the data
Dave,
I haven't worked with Zope before, though I have heard of it.
What CAS-client are your clients using?
I would expect that if the SSL handshake failed, you wouldn't even see it in
your server access logs.
Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College
- Original
IS the CAS client. It seems to be some
sort of Python-based portal with CAS client support built into it. I
found some very old (ca 2005-2007) references to it in the JASig CAS
documentation even, so it appears to have worked with CAS at least at
some point.
On 10/28/14 11:39 AM, Waldbieser, Carl
If your form pops up *after* the user enters credentials but *before* the user
is redirected to the service, that will probably cause the service ticket (ST)
to expire before it can be validated. STs typically have a short lifetime (~
5-10 seconds).
Thanks,
Carl Waldbieser
ITS System
Adam,
Yes, CAS is only responding to an HTTP request during a /serviceValidate call,
so it has no way of authenticating the requesting host.
Thanks,
Carl Waldbieser
System Programmer
Lafayette College
- Original Message -
From: Adam Causey apcau...@vcu.edu
To: cas-user@lists.jasig.org
Niva,
Do you have any public facing infrastructure in place for which you could give
us a URL, or are your services and CAS deployment all in a private development
area?
What should happen is if you give a URL like this:
if a person can MITM an SSL webpage? I
don't see how MFA would help either.
Andy
On Thu, 16 Oct 2014, Waldbieser, Carl wrote:
The idea is if MITM is possible, this scheme falls down. The MITM can just
present the same pictures.
If it is just someone who phished a password, it does
unless it had already
authenticated the user.
Andy
On Thu, 16 Oct 2014, Waldbieser, Carl wrote:
Or if I set up my phishing web site to look like your login page and pull
your pictures off of your legitimate site.
That is not MITM per se, but I am still positioning myself between
Adam,
We feed our CAS log files to Splunk. It can show us some nice reports on
service usage. I also use it to plot TGT creation on a map, which is sometimes
interesting.
Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
- Original Message -
From: Adam Causey
Since NoSQL is a kind of catch-all term for any kind of data store that isn't a
RDBMS, it may be hard to generalize.
If you look at some of the more popular present-day NoSQL solutions, many of
them seem to aim at prioritizing Availability and Partition Tolerance over
Consistency (from the CAP
If SSL/TLS is not available, you are going to have a lot of problems.
Simply encrypting the password is not going to solve them.
Here are some questions you might think about:
For symmetric encryption/decryption to work, the browser and the server must
both have access to a shared secret.
How
Etienne,
Can you clarify? Is your CAS login form trying to upload a file during the
authentication process?
It is not clear to me what you mean when you say you are using a multipart form
request with CAS. (I do understand what a multipart form is-- just not how
you are using one with CAS).