mmoayyed on 6.5.x
sanitize oauth refresh tokens i… (compare)
mmoayyed on master
change module attributes on fea… (compare)
mmoayyed on modulefixes
Hello, I'm trying to implement the validation of user by using a rest API, everything seems to working well, and the test was working well in 6.3, but now I've upgrade the version of apereo to 6.5.4 and the authentication is't not working anymore, there is this message in the console :
2022-05-19 09:14:45,946 ERROR [org.apereo.cas.adaptors.rest.RestAuthenticationHandler] - <Could not resolve subtype of [map type; class java.util.Map, [simple type, class java.lang.String] -> [collection type; class jav a.util.List, contains [simple type, class java.lang.Object]]]: missing type id property '@class' (for POJO property 'attributes') cas-portal | at [Source: (String)"{"@class":"org.apereo.cas.authentication.principal.SimplePrincipal","id":"casuser","attributes":{}}"; line: 1, column: 98] (through reference chain: org.apereo.cas.authentication.principal.SimplePrincipal["attributes"])>
Did anybody have an idea to fix this issue ?
Thanks :)If needed here is my simple code to test the rest authentication :
$test = '{"@class":"org.apereo.cas.authentication.principal.SimplePrincipal","id":"casuser","attributes":{}}'; return new JsonResponse($test, 200, array('Content-Type' => 'application/json'), true);
I've found the solution, I removed ","attributes":{}" from my response and It's working now.
PS: I've followed this doc https://apereo.github.io/cas/6.5.x/authentication/Rest-Authentication.html and I didn't notice that an empty attributes will make it failed ^^'
PS2: The search bar of 6.5 version is only broken for me ?
Thanks ;)
Can someone help me with this error:
>
2022-05-19 14:48:35,685 DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing GET /oidc/accessToken?grant_type=client_credentials&client_id=client&client_secret=secret&scope=profile+app>
2022-05-19 14:48:35,685 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - <Set SecurityContextHolder to empty SecurityContext>
2022-05-19 14:48:35,685 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to anonymous SecurityContext>
2022-05-19 14:48:35,685 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - <Authorized public object filter invocation [GET /oidc/accessToken?grant_type=client_credentials&client_id=client&client_secret=secret&scope=profile+app]>
2022-05-19 14:48:35,685 DEBUG [org.springframework.security.web.FilterChainProxy] - <Secured GET /oidc/accessToken?grant_type=client_credentials&client_id=client&client_secret=secret&scope=profile+app>
2022-05-19 14:48:35,687 DEBUG [org.apereo.cas.support.oauth.validator.token.BaseOAuth20TokenRequestValidator] - <Grant type received: [client_credentials]>
2022-05-19 14:48:35,687 WARN [org.apereo.cas.support.oauth.validator.token.BaseOAuth20TokenRequestValidator] - <Could not locate authenticated profile for this request. Request is not authenticated>
2022-05-19 14:48:35,687 ERROR [org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController] - <Access token validation failed>
2022-05-19 14:48:35,688 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <Did not store anonymous SecurityContext>
2022-05-19 14:48:35,689 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <Did not store anonymous SecurityContext>
2022-05-19 14:48:35,689 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - <Cleared SecurityContextHolder to complete request>
Testing from postman shows me this:
URL: https://localhost:8443/cas/oidc/accessToken?grant_type=client_credentials&client_id=client&client_secret=secret&scope=profile+app
{
"error": "invalid_grant"
}
@lgwozniak @mmoayyed
Hi, we configured some services required MFA when authenticate against these services. While this works for CAS applications, it doesn't work for SAML application. In this case MFA is not triggered when the user authenticates earlier against a non-MFA application. Even when logging in without a service/application (which does not trigger MFA at all) and then logging into a MFA application, MFA is not triggered and user is directly redirected back to the application. We're using CAS 6.3.6 - this this intended behavior?
Can you help us look at this problem? I think this is a security risk.
Hi, I install Apereo CAS and can't use self registration. I don't need SMS just only email but I haven't found how complitly disable SMS.
[33m2022-06-08 15:10:49,598 WARN [org.apereo.cas.notifications.DefaultCommunicationsManager] - <Could not send SMS to [+1 123 123 1231] because either no from/text is found or SMS settings are not configured.>[m
@Alizee-Me
Hello, I'm trying to implement the validation of user by using a rest API, everything seems to working well, and the test was working well in 6.3, but now I've upgrade the version of apereo to 6.5.4 and the authentication is't not working anymore, there is this message in the console :
2022-05-19 09:14:45,946 ERROR [org.apereo.cas.adaptors.rest.RestAuthenticationHandler] - <Could not resolve subtype of [map type; class java.util.Map, [simple type, class java.lang.String] -> [collection type; class jav a.util.List, contains [simple type, class java.lang.Object]]]: missing type id property '@class' (for POJO property 'attributes') cas-portal | at [Source: (String)"{"@class":"org.apereo.cas.authentication.principal.SimplePrincipal","id":"casuser","attributes":{}}"; line: 1, column: 98] (through reference chain: org.apereo.cas.authentication.principal.SimplePrincipal["attributes"])>
Did anybody have an idea to fix this issue ?
Thanks :)If needed here is my simple code to test the rest authentication :
$test = '{"@class":"org.apereo.cas.authentication.principal.SimplePrincipal","id":"casuser","attributes":{}}'; return new JsonResponse($test, 200, array('Content-Type' => 'application/json'), true);
I've found the solution, I removed ","attributes":{}" from my response and It's working now.
PS: I've followed this doc https://apereo.github.io/cas/6.5.x/authentication/Rest-Authentication.html and I didn't notice that an empty attributes will make it failed ^^'
PS2: The search bar of 6.5 version is only broken for me ?Thanks ;)
I have the same problem. Why was the expected JSON-Format changed from 6.3 to 6.5?
Hello, I'm trying to get a configuration server overlay to read properties from AWS SSM. However, I'm getting an error as soon as I add the dependency on cas-server-support-configuration-cloud-aws-ssm . I have my AWS creds/etc in application.yml and the trace messages indicate that it's connecting and reading them successfully. The error I get is this:
'<==2022-06-16 13:44:52,223 INFO [org.springframework.boot.web.embedded.tomcat.TomcatWebServer] - <Tomcat started on port(s): 8888 (https) with context path '/casconfigserver'>
<==2022-06-16 13:44:53,007 TRACE [org.apereo.cas.rest.config.CasCoreRestConfiguration] - <building REST credential factory from [[org.apereo.cas.rest.config.CasCoreRestConfiguration$CasCoreRestCredentialFactoryPlanConfiguration$$Lambda$2003/0x0000000800aa5440@4f6fd101]]>
2022-06-16 13:44:53,007 TRACE [org.apereo.cas.rest.config.CasCoreRestConfiguration] - <Configuring credential factory: [org.apereo.cas.rest.config.CasCoreRestConfiguration$CasCoreRestCredentialFactoryPlanConfiguration$$Lambda$2003/0x0000000800aa5440@4f6fd101]>
2022-06-16 13:44:53,013 WARN [org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext] - <Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'restAuthenticationService' defined in class path resource [org/apereo/cas/rest/config/CasCoreRestConfiguration$CasCoreRestAuthenticationConfiguration.class]: Unsatisfied dependency expressed through method 'restAuthenticationService' parameter 1; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'org.apereo.cas.authentication.MultifactorAuthenticationTriggerSelectionStrategy' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {@org.springframework.beans.factory.annotation.Qualifier(value="defaultMultifactorTriggerSelectionStrategy")}>'
Can anyone tell me what I'm missing here?
cas-mangement 5.3.1 start failed 2022-06-17 09:19:57,016 ERROR [org.springframework.boot.diagnostics.LoggingFailureAnalysisReporter] - <
APPLICATION FAILED TO START
Description:
Field personDirectoryPrincipalResolver in org.apereo.cas.adaptors.jdbc.config.CasJdbcAuthenticationConfiguration required a bean of type 'org.apereo.cas.authentication.principal.PrincipalResolver' that could not be found.
Action:
Consider defining a bean of type 'org.apereo.cas.authentication.principal.PrincipalResolver' in your configuration.
>
Hello,
I would like to define the expiration of trusted devices but I can't manage to find the settings to do so.
There used to be cas.authn.mfa.trusted.expiration
but it looks like it has been removed in apereo/cas@a4c49ab
However, I don't understand by which settings the above has been replaced. Can anyone help me please ?
Hello,
I've got problem with OAuth2 login, when i set in service:
"jwtAccessToken": true
Here's an error:
[1;31m2022-06-27 09:27:09,369 ERROR [org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController] - <Invalid or unauthorized grant>[m
java.lang.ClassCastException: Cannot cast org.apereo.cas.support.oauth.services.OAuthRegisteredService to org.apereo.cas.services.OidcRegisteredService
at java.lang.Class.cast(Unknown Source) ~[?:?]
at org.apereo.cas.oidc.token.OidcRegisteredServiceJwtAccessTokenCipherExecutor.getSigningKey(OidcRegisteredServiceJwtAccessTokenCipherExecutor.java:67) ~[cas-server-support-oidc-core-api-6.5.4.jar!/:6.5.4]
at org.apereo.cas.token.cipher.RegisteredServiceJwtTicketCipherExecutor.supports(RegisteredServiceJwtTicketCipherExecutor.java:58) ~[cas-server-support-token-core-api-6.5.4.jar!/:6.5.4]
at org.apereo.cas.token.JwtBuilder.build(JwtBuilder.java:154) ~[cas-server-support-token-core-api-6.5.4.jar!/:6.5.4]
at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20JwtAccessTokenEncoder.encode(OAuth20JwtAccessTokenEncoder.java:55) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4]
at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20DefaultAccessTokenResponseGenerator.encodeAccessToken(OAuth20DefaultAccessTokenResponseGenerator.java:134) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4]
at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20DefaultAccessTokenResponseGenerator.lambda$getAccessTokenResponseModel$2(OAuth20DefaultAccessTokenResponseGenerator.java:116) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4]
at java.util.Optional.ifPresent(Unknown Source) ~[?:?]
at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20DefaultAccessTokenResponseGenerator.getAccessTokenResponseModel(OAuth20DefaultAccessTokenResponseGenerator.java:115) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4]
at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20DefaultAccessTokenResponseGenerator.generateResponseForAccessToken(OAuth20DefaultAccessTokenResponseGenerator.java:102) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4]
at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20DefaultAccessTokenResponseGenerator.generate(OAuth20DefaultAccessTokenResponseGenerator.java:59) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
We have been using CAS for our applications' authentication with the regular "CAS Web flow".
One of our newer flows is doing a LoginWithoutTicket instead of credentials. So, in this flow
Can someone please let me know if there is a way to do this? Any suggestions on how to achieve this would be much appreciated.
management.yml
file. Previous version works, but after upgrade the defaults are used. Somebody here which found this issue and knows a solution how to configure CAS authentication for management app?
Hello,
Excuse-me, I have a tiny question regarding MFA providers : why all of them have their order
value defined as the rank
provided in properties ? (e.g. https://github.com/apereo/cas/blob/6e29bc0001e3c304375efc5f8cbb04918d8f8691/support/cas-server-support-duo-core/src/main/java/org/apereo/cas/adaptors/duo/authn/DuoSecurityMultifactorAuthenticationProviderFactory.java#L58)
order
and rank
are two different properties : https://github.com/apereo/cas/blob/73f816c9e887cd1c51e3ae12483fac407b3465e2/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/support/mfa/BaseMultifactorAuthenticationProviderProperties.java#L28-L53
Anyone using Spring Boot with CAS and able to get Single Sign Out to work? Our CAS is version 6.5, and I'm using spring-security-cas version 5.7.2.
I've been working on a Spring Boot app that uses CAS for SSO for days now. Single sign on works great! And I have a logout button within the app that works as well. The problem I'm running in to is Single Logout (SLO) does not work. Meaning when I log out of another application, SLO works everywhere except for this app. When I log out of this app, though, I am logged out of everything else. So it seems like this app here isn't listening for when an SSO session is ended.
Still, (in CAS 6.5.4) it seems not possible to force MFA for a SAML application when user already have a SSO session without MFA. No MFA prompt will be shown, users can access the MFA SAML application without using MFA. Really looks like a security bug to me. Opinions?
@mmoayyed I had the same problem.