is there a way to create ticket for http://localhost:8082/obsb-ui/j_spring_cas_security_check but be valid for http://localhost:8082/obsb-ui/ ?
@mmoayyed , have you got any news about PM feature? Is there any 6.x version with this functionallity resolved? thanks in advance
After this commit: apereo/cas@58345b0 password management is not working, any method annotated with @Async and calling to "ClientInfoHolder.getClientInfo()" throws NPE because ClientInfoHolder use ThreadLocal.
@mmoayyed Please check this commit, there are problems with PM and Audit.
I'm trying to get CAS 6.1.2 working with external IdP (Azure AD) via SAML. I have a client app that uses CAS. The client is setup to use CAS as a JWT client. On authn, user is simply redirected to CAS login page. From the CAS login, they have the option to log in using a Microsoft account. When the user first logs in, the RelayState given to Microsoft in the authn flow is the ACS url. When CAS gets the SAML response back, it fails because it is redirect to the ACS url which then presents a "app not authorized" error. However, on every subsequent logins, the authn flow works correctly. When it works the RelayState contains a TST token instead of the ACS url. I'm not sure why this behavior is happening. I posted a more detailed explanation here: https://groups.google.com/a/apereo.org/d/msg/cas-user/BNSXLQEyHT4/lFku9tc_AQAJ
@mwolfley The app service file contains:
{
"@class": "org.apereo.cas.services.RegexRegisteredService",
"serviceId": "https://example.com:8081/app\\?client_name=CasClient",
"name": "My App",
"id": 8081,
"attributeReleasePolicy": {
"@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
},
"accessStrategy": {
"@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"enabled": true,
"ssoEnabled": false,
"delegatedAuthenticationPolicy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
"allowedProviders" : [ "java.util.ArrayList", [ "Microsoft Account" ] ]
}
}
}
I remember seeing this in CAS 5.2.x, when the response from the delegated IdP returned it was almost as if CAS was attempting to begin a different session from the one initially requested and would have malformed (for service authorization) urls. Your behavior seems correct as far as what the relayState shows at different attempts without trying a new browser session. My solution was goint to CAS 5.3.8 - so not a very good one.
@doodleincode Do you have logging for pac4j
Sorry, enter key got in the way lol, do you have logging for pac4j from the very beginning including the initial request from your app (that wont be pac4j since it's CAS protocol but would be good) all the way to failure?
@mwolfley Sorry for the late response on posting the logs. Some of the things have been sanitized, but this is the full log from initial request from the app. From the beginning of the log to about line 328 is where the redirection fails. From about line 329 and onwards is the retry and successful redirection and ultimately authn to the app.
Hi all, should I register CAS itself as a service to successfully use REST Protocol? I use different context path than "cas" which makes my audience -> localhost:8080/someContext instead of localhost:8080/cas. Anyway If I don't register a regex service in json that matches with my /someContext and than I request http://localhost:8080/someContext/v1/tickets?....service=http://anyMatchingService I got exception Unauthorized Service Access. Service http://localhost:8080/someContex is not found in service registry. . Here is the CAS code that follows my exception -> (payload.getRegisteredService returns null, code tries to get registeredService for /someContext which not exist)
val registeredService = payload.getRegisteredService() == null
? locateRegisteredService(serviceAudience)
: payload.getRegisteredService();
RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(registeredService);
Hello, we are studying passwordless authentication method which could be quite usefull for unknow users. I can't fin any documentation about using informations (mail, name, etc) returned by the accountstore (rest in our case) as attributes, usefull for the client service. Is it possible ?
Hi all, we are currently using CAS 5.3.14 and facing the issue that our implementation of
org.apereo.services.persondir.IPersonAttributeDao is called on every creation of a ProxyGrantingTicket. For me it looks like org.apereo.cas.audit.AuditableExecution.execute(AuditableContext) leads to org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository.retrievePersonAttributesToPrincipalAttributes(String) which is called for any service url. Is this the intended behavior?
@mmoayyed tested 6.1.2 with same results, CAS sends the token to the user, but the token fails to load a form, instead loads the login form again
this is my relevant config (anonymizing some fields tougth)
cas.authn.pm.enabled=true
cas.authn.pm.ldap.type=AD
cas.authn.pm.ldap.usernameAttribute=userPrincipalName
cas.authn.pm.ldap.searchFilterUsername=(userPrincipalName={user})
cas.authn.pm.ldap.ldapUrl=ldap://...:389
cas.authn.pm.ldap.useSsl=false
cas.authn.pm.ldap.baseDn=OU=produccion,DC=...,DC=...
cas.authn.pm.ldap.searchFilter=(userPrincipalName={user})
cas.authn.pm.ldap.bindDn=...
cas.authn.pm.ldap.bindCredential=.....
cas.authn.pm.reset.mail.from=autenticacion.noreply@...
cas.authn.pm.reset.mail.attributeName=userPrincipalName
cas.authn.pm.reset.mail.text=Para recuperar su contrase\u00F1a siga las instrucciones de este enlace: %s
cas.authn.pm.reset.mail.subject=Solicitud de cambio de contraseña
cas.authn.pm.reset.mail.from=....
cas.authn.pm.reset.mail.attributeName=email
cas.authn.pm.reset.mail.text=Reset your password with this link: %s
cas.authn.pm.reset.mail.subject=Password Reset Request
cas.authn.pm.reset.expirationMinutes=10
spring.mail.host=....
spring.mail.port=25
spring.mail.username=....
spring.mail.password=....
spring.mail.testConnection=true
spring.mail.properties.mail.smtp.auth=true
spring.mail.properties.mail.smtp.starttls.enable=falseThe most annoying thing is that nothing appears on the log, I've got trace level enabled
Hi folks, I'm working on a CAS 6.1.2 instance and am using the embedded Jetty container. Does anyone know if there are
cas.properties configuration parameters for Jetty, similar to the ones for the embedded Tomcat container detailed at https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties.html#embedded-apache-tomcat-container ?
Hi @mikelasla , i am new too ;-) I tried the password management too with 6.2 and i noticed too that the webpages of the CAS server don't appear to handle the things correctly. But i noticed that requesting a new password via email does seem to work.
But maybe i didn't read or understand you question correctly....
But maybe i didn't read or understand you question correctly....
after that i ran into new errors/ problems. The "set new password" method doesn't work. It only works if you reset the password by sending an email to the user.
I follow this guide: https://apereo.github.io/2019/10/25/cas61x-password-management-jdbc/
my remarks:
- "# Password Reset Email Info" and "# Forgot Username Email Info" have their option values mixed up. If you want have forgotten your username the system should lookup your email address. If you want to reset your password you need to give your name in stead of email address IMHO
- expired login method fails to update the database table Users. It does store the old password in the history table.
- text above the input fields isn't quite clear on what to do.
This is what i found out at 23 november.
Good evening! Has anybody implemented OAuth20/OIDC protocol in their CAS? I have implemented it and have wondered if there is some way possible to find the relation of the user (username) and token with the given information from the database. I know OIDC gives a id_token in a JWT form, where the username is but I would like to be separately.
The reason behind it is that I have an application that uses currently Spring Security Authorization and Resource Server. I want to implement the Apereo CAS Authorization Server to work with Spring Security Resource Server. They(Auth and Resource server) would use the same database for selecting/updating/inserting oauth_tokens. The default Spring Security JdbcTokenStore uses two tables for tokens, while Apereo CAS OAuth2.0 uses only one. If I were to get the username somehow from the table, I would be able to write my own custom JdbcTokenStore for the Resource Server.
Also I noticed with OIDC protocol, when I do the /introspect request. The expiration value of the token is not correct. The documentation states "Integer timestamp, measured in the number of seconds
since January 1 1970 UTC, indicating when this token will expire,
as defined in JWT" for the expiration time of the token. CAS has a default value of 28800 which does not correspond to that field correctly. It should start from 1576762337.
since January 1 1970 UTC, indicating when this token will expire,
as defined in JWT" for the expiration time of the token. CAS has a default value of 28800 which does not correspond to that field correctly. It should start from 1576762337.
even though /introspect says the token is active, Spring Security 5.2 resource server sees a error when constructing the token object in java. It checks if issuedAt/expiredAt is null or not and when they are not null, it will check if expiredAt value is after issuedAt
We're working on upgrading from 5.3 to 6.1 and seem to have hit the snag here (https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/trusted$20device%7Csort:date/cas-user/1tQbjF8NEtI/dff9nxqOAgAJ), where trusted devices no longer work for MFA. We're using mfa-gauth with mongodb for trusted devices. Is there any potential workaround? I'm afraid we might have to delay our deployment over it.
@mmoayyed Struggling trying to find a interruption point on source code in order to investigate. I tried the most obvious ones, like InitPasswordResetAction doExecute method but seems like the problem is way outside pm code. Can you point me to a good point to start debuging the webflow here?
Hi, I'm running a CAS 5.3.14 on Tomcat behind Apache and I want to change my Apache configuration to do proxyHttp and not ProxyAJP beacuse I have timeout on AJP connection. I followed the blog post https://apereo.github.io/2018/01/05/cas-deployment-with-proxy/ but I still have the insecure notice
when is the new updated version going to come up?
ERROR [org.apereo.cas.web.flow.resolver.impl.mfa.GlobalMultifactorAuthenticationPolicyEventResolver] [resolveInternal:GlobalMultifactorAuthenticationPolicyEventResolver.java:72] - <No multifactor authentication providers are available in the application context to handle [mfa-radius]>
help!
Hi all,
I'm testing CAS 6.1.2 in an external Jetty (9.4.24) container, and I've been running into an issue where CAS logs an error message like the following:
User limit of inotify instances reached or too many open files
Prior to a huge stack trace and the application shutting down.
I originally saw this issue when running the embedded Jetty container, then switched over to an external container to see if that would make any difference (it did not). I am running Jetty in a Docker container, and have increased the following sysctl parameters on the Docker host:
# sysctl -p
fs.inotify.max_user_watches = 560144
fs.inotify.max_user_instances = 512I also have increased nofiles substantially, but that doesn't seem to have helped either.
Any ideas on where to begin looking to resolve this issue? I see CAS constantly logging messages like this: 2019-12-21 03:41:46,082 INFO [org.apereo.cas.util.io.PathWatcherService] - <Watching directory at [/etc/cas/config]>, which I assume to be related to the inotify issues.
Thanks!
Hi @mmoayyed, let me put some context
I'm trying to make Password Management work on 6.0.3 version against Active Directory. I also have another environment with OpenLDAP for testing. In both cases, auth works just fine, but PM doesn't.
Current behaviour is that PM correctly finds the user in the user directory and sends the token by mail.
https://myserver.my.domain/cas/login?pswdrst=eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.ZXlKNmFYQWlPaUpFUlVZaUxDSmhiR2NpT2lKa2FYSWlMQ0psYm1NaU9pSkJNVEk0UTBKRExVaFRNalUySWl3aWRIbHdJam9pU2xkVUluMC4udzVOVk15NU9EeWsxS3JKSDZDYUREQS5neFMtbHROUVJxQ01MZEh5dFFyTWZrNEhpczB6Z29OZGd6eTdQeE5UeEYzVUoteTZPRm85VnpFQTdXV1RXR0ZRVURwbU0xRHZMQ1VPanRXTjlyMTFWYXZCVWwtSHlOdUY3RWFTVU93Y2tXTlRfVFlmbEdBQlJZTEpGUFBER0cyTXNIOXlUTlJ0MWoyNFYybUJpMnNibks1dnk2LW84eXRIR1FrRHZETkdOVEUyeXlsYnA4VmJaaTR4Skh6eGhKU00wd29SeWNGTERGNUhQN0pycVZ4RTVBLlUwek9pRWtGYkVXeXliVHFwYkhNUWc=.5Pswn-eqEwnDbGAqAVdbaCQRjsCKs1mWQcbWfGLJDLfExEnkcAeWicKwEx0PJk94FMQzjoYFLqv4e0Zguw_MxgBut when I load the received URL, pswdrst urlParam seems to be ignored at all, regular login form gets loaded and no errors are shown in the logs, just this
This is the config for the OpenLDAP environment (replacing sensible values)
cas.server.name=https://myserver.my.domain
cas.server.prefix=${cas.server.name}/cas
server.port=443
server.ssl.enabled=true
cas.serviceRegistry.initFromJson=false
cas.serviceRegistry.json.location=file:/etc/cas/services
logging.config: file:/etc/cas/config/log4j2.xml
cas.authn.accept.users=
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://myopenldapserver.my.domain:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=ou=People,dc=my,dc=domain
cas.authn.ldap[0].searchFilter=uid={user}
# https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties-Common.html#email-notifications
cas.authn.pm.enabled=true
cas.authn.pm.autoLogin =true
cas.authn.pm.policyPattern =^(?=.*[a-z])[A-Za-z\\d]{4,}
cas.authn.pm.ldap.type=GENERIC
cas.authn.pm.ldap.usernameAttribute=uid
cas.authn.pm.ldap.ldapUrl=ldap://myopenldapserver.my.domain:389
cas.authn.pm.ldap.useSsl=false
cas.authn.pm.ldap.baseDn=ou=People,dc=my,dc=domain
cas.authn.pm.ldap.searchFilter=(uid={user})
cas.authn.pm.ldap.bindDn=uid=somuser,ou=People,dc=my,dc=domain
cas.authn.pm.ldap.bindCredential=mypassword
cas.authn.pm.reset.mail.from=cas@my.domain
cas.authn.pm.reset.mail.attributeName=mail
cas.authn.pm.reset.mail.text=%s
cas.authn.pm.reset.mail.subject=Reset your password
cas.authn.pm.reset.securityQuestionsEnabled=false
cas.authn.pm.reset.expirationMinutes=10
cas.authn.pm.autoLogin=false
spring.mail.host=smtp.my.domain
spring.mail.port=25
spring.mail.username=cas@my.domain
spring.mail.password=caspassword
spring.mail.testConnection=true
spring.mail.properties.mail.smtp.auth=true
spring.mail.properties.mail.smtp.starttls.enable=false@mmoayyed I also noticed this logs lines, so i pasted those propierties too
WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated encryption key [G3DuCmQupz-IC2TmAtl5dQrnz0EK0rQKOikWzzvM9Jg] of size [256] for [Password Reset Token]. The generated key MUST be added to CAS settings under setting [cas.authn.pm.reset.crypto.encryption.key].>
WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated signing key [lwrDVYc0vZ7Bl7FEqAnS7LbPPlMZ7xpaaz-d-1VRocox5praHqPC1hR1SNK8c8QtLaQqO933kReYoGVjpKNCYw] of size [512] for [Password Reset Token]. The generated key MUST be added to CAS settings under setting [cas.authn.pm.reset.crypto.signing.key].>like that
cas.authn.pm.reset.crypto.signing.key=lwrDVYc0vZ7Bl7FEqAnS7LbPPlMZ7xpaaz-d-1VRocox5praHqPC1hR1SNK8c8QtLaQqO933kReYoGVjpKNCYw
cas.authn.pm.reset.crypto.encryption.key=G3DuCmQupz-IC2TmAtl5dQrnz0EK0rQKOikWzzvM9Jg