by

## Where communities thrive

• Join over 1.5M+ people
• Join over 100K+ communities
• Free without limits
##### Activity
• 02:47
leeyc0 commented #4872
• 02:30
codecov[bot] commented #4872
• 02:28
codecov[bot] commented #4872
• 02:27
codecov[bot] commented #4872
• 02:09
• 02:09
leeyc0 commented #4872
• 01:51
leeyc0 commented #4872
• 01:50
leeyc0 synchronize #4872
• 01:36
leeyc0 commented #4872
• 00:05
codecov[bot] commented #4872
• 00:04
codecov[bot] commented #4872
• Jun 02 23:50
Khorsan commented #4778
• Jun 02 23:14
leeyc0 synchronize #4872
• Jun 02 22:51
• Jun 02 15:46
Khorsan commented #4778
• Jun 02 15:30
mmoayyed milestoned #4872
• Jun 02 15:30
mmoayyed demilestoned #4872
• Jun 02 15:30
leeyc0 commented #4872
• Jun 02 15:23
leeyc0 commented #4870
• Jun 02 15:20
apereocas-bot labeled #4872
Mikel
@mikelasla
@infinity202 thanks again for your response, my use case has Active Directory as the user directory, I think jdbc is not an option for me
Cardo Kambla
@CardoKambla
Good evening! Has anybody implemented OAuth20/OIDC protocol in their CAS? I have implemented it and have wondered if there is some way possible to find the relation of the user (username) and token with the given information from the database. I know OIDC gives a id_token in a JWT form, where the username is but I would like to be separately.
Cardo Kambla
@CardoKambla
The reason behind it is that I have an application that uses currently Spring Security Authorization and Resource Server. I want to implement the Apereo CAS Authorization Server to work with Spring Security Resource Server. They(Auth and Resource server) would use the same database for selecting/updating/inserting oauth_tokens. The default Spring Security JdbcTokenStore uses two tables for tokens, while Apereo CAS OAuth2.0 uses only one. If I were to get the username somehow from the table, I would be able to write my own custom JdbcTokenStore for the Resource Server.
namedHK
@namedHK
hi,everybody,did github has some example about how to develop cas by "cas gradle overlay templates"
Cardo Kambla
@CardoKambla
Discard my question. I was approaching the issue in a wrong way. I should have used /introspect request from the resource server to validate my access token. Also the library I was using is deprecated, so I am upgrading from it now.
Also I noticed with OIDC protocol, when I do the /introspect request. The expiration value of the token is not correct. The documentation states "Integer timestamp, measured in the number of seconds
since January 1 1970 UTC, indicating when this token will expire,
as defined in JWT" for the expiration time of the token. CAS has a default value of 28800 which does not correspond to that field correctly. It should start from 1576762337.
Cardo Kambla
@CardoKambla
the /introspect issuedAt and expiredAt response values need to be checked, when you leave the default values on, then spring security 5.2 resource server will throw the error "java.lang.IllegalArgumentException: expiresAt must be after issuedAt"
even though /introspect says the token is active, Spring Security 5.2 resource server sees a error when constructing the token object in java. It checks if issuedAt/expiredAt is null or not and when they are not null, it will check if expiredAt value is after issuedAt
Scott Williams
@vwbusguy
We're working on upgrading from 5.3 to 6.1 and seem to have hit the snag here (https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/trusted$20device%7Csort:date/cas-user/1tQbjF8NEtI/dff9nxqOAgAJ), where trusted devices no longer work for MFA. We're using mfa-gauth with mongodb for trusted devices. Is there any potential workaround? I'm afraid we might have to delay our deployment over it. Mikel @mikelasla @mmoayyed Struggling trying to find a interruption point on source code in order to investigate. I tried the most obvious ones, like InitPasswordResetAction doExecute method but seems like the problem is way outside pm code. Can you point me to a good point to start debuging the webflow here? Misagh Moayyed @mmoayyed @mikelasla If you don't mind, you could please summarize the problem for me? there have been too many posts and I have sort of lost track of the history here. What are you trying to do, and what's is causing a problem? millecentdix @millecentdix Hi, I'm running a CAS 5.3.14 on Tomcat behind Apache and I want to change my Apache configuration to do proxyHttp and not ProxyAJP beacuse I have timeout on AJP connection. I followed the blog post https://apereo.github.io/2018/01/05/cas-deployment-with-proxy/ but I still have the insecure notice millecentdix @millecentdix @millecentdix Ok I solved my problem by add secure="true" on the Tomcat connector Axhay @Axhay what is the latest updated stable cas version ? when is the new updated version going to come up? jiangyanfeng @jiangyanfeng ERROR [org.apereo.cas.web.flow.resolver.impl.mfa.GlobalMultifactorAuthenticationPolicyEventResolver] [resolveInternal:GlobalMultifactorAuthenticationPolicyEventResolver.java:72] - <No multifactor authentication providers are available in the application context to handle [mfa-radius]> help! Gary Windham @windhamg Hi all, I'm testing CAS 6.1.2 in an external Jetty (9.4.24) container, and I've been running into an issue where CAS logs an error message like the following: User limit of inotify instances reached or too many open files Prior to a huge stack trace and the application shutting down. I originally saw this issue when running the embedded Jetty container, then switched over to an external container to see if that would make any difference (it did not). I am running Jetty in a Docker container, and have increased the following sysctl parameters on the Docker host: # sysctl -p fs.inotify.max_user_watches = 560144 fs.inotify.max_user_instances = 512 I also have increased nofiles substantially, but that doesn't seem to have helped either. Any ideas on where to begin looking to resolve this issue? I see CAS constantly logging messages like this: 2019-12-21 03:41:46,082 INFO [org.apereo.cas.util.io.PathWatcherService] - <Watching directory at [/etc/cas/config]>, which I assume to be related to the inotify issues. Thanks! Mikel @mikelasla Hi @mmoayyed, let me put some context I'm trying to make Password Management work on 6.0.3 version against Active Directory. I also have another environment with OpenLDAP for testing. In both cases, auth works just fine, but PM doesn't. Current behaviour is that PM correctly finds the user in the user directory and sends the token by mail. https://myserver.my.domain/cas/login?pswdrst=eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.ZXlKNmFYQWlPaUpFUlVZaUxDSmhiR2NpT2lKa2FYSWlMQ0psYm1NaU9pSkJNVEk0UTBKRExVaFRNalUySWl3aWRIbHdJam9pU2xkVUluMC4udzVOVk15NU9EeWsxS3JKSDZDYUREQS5neFMtbHROUVJxQ01MZEh5dFFyTWZrNEhpczB6Z29OZGd6eTdQeE5UeEYzVUoteTZPRm85VnpFQTdXV1RXR0ZRVURwbU0xRHZMQ1VPanRXTjlyMTFWYXZCVWwtSHlOdUY3RWFTVU93Y2tXTlRfVFlmbEdBQlJZTEpGUFBER0cyTXNIOXlUTlJ0MWoyNFYybUJpMnNibks1dnk2LW84eXRIR1FrRHZETkdOVEUyeXlsYnA4VmJaaTR4Skh6eGhKU00wd29SeWNGTERGNUhQN0pycVZ4RTVBLlUwek9pRWtGYkVXeXliVHFwYkhNUWc=.5Pswn-eqEwnDbGAqAVdbaCQRjsCKs1mWQcbWfGLJDLfExEnkcAeWicKwEx0PJk94FMQzjoYFLqv4e0Zguw_Mxg But when I load the received URL, pswdrst urlParam seems to be ignored at all, regular login form gets loaded and no errors are shown in the logs, just this https://pastebin.com/iTBaNTNA This is the config for the OpenLDAP environment (replacing sensible values) cas.server.name=https://myserver.my.domain cas.server.prefix=${cas.server.name}/cas
server.port=443
server.ssl.enabled=true
cas.serviceRegistry.initFromJson=false
cas.serviceRegistry.json.location=file:/etc/cas/services
logging.config: file:/etc/cas/config/log4j2.xml
cas.authn.accept.users=
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://myopenldapserver.my.domain:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=ou=People,dc=my,dc=domain
cas.authn.ldap[0].searchFilter=uid={user}
cas.authn.pm.enabled=true
cas.authn.pm.policyPattern =^(?=.*[a-z])[A-Za-z\\d]{4,}
cas.authn.pm.ldap.type=GENERIC
cas.authn.pm.ldap.ldapUrl=ldap://myopenldapserver.my.domain:389
cas.authn.pm.ldap.useSsl=false
cas.authn.pm.ldap.baseDn=ou=People,dc=my,dc=domain
cas.authn.pm.ldap.searchFilter=(uid={user})
cas.authn.pm.ldap.bindDn=uid=somuser,ou=People,dc=my,dc=domain
cas.authn.pm.reset.mail.from=cas@my.domain
cas.authn.pm.reset.mail.attributeName=mail
cas.authn.pm.reset.mail.text=%s
cas.authn.pm.reset.securityQuestionsEnabled=false
cas.authn.pm.reset.expirationMinutes=10
spring.mail.host=smtp.my.domain
spring.mail.port=25
spring.mail.testConnection=true
spring.mail.properties.mail.smtp.auth=true
spring.mail.properties.mail.smtp.starttls.enable=false
Mikel
@mikelasla

@mmoayyed I also noticed this logs lines, so i pasted those propierties too

WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated encryption key [G3DuCmQupz-IC2TmAtl5dQrnz0EK0rQKOikWzzvM9Jg] of size [256] for [Password Reset Token]. The generated key MUST be added to CAS settings under setting [cas.authn.pm.reset.crypto.encryption.key].>

WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated signing key [lwrDVYc0vZ7Bl7FEqAnS7LbPPlMZ7xpaaz-d-1VRocox5praHqPC1hR1SNK8c8QtLaQqO933kReYoGVjpKNCYw] of size [512] for [Password Reset Token]. The generated key MUST be added to CAS settings under setting [cas.authn.pm.reset.crypto.signing.key].>

like that

cas.authn.pm.reset.crypto.signing.key=lwrDVYc0vZ7Bl7FEqAnS7LbPPlMZ7xpaaz-d-1VRocox5praHqPC1hR1SNK8c8QtLaQqO933kReYoGVjpKNCYw
cas.authn.pm.reset.crypto.encryption.key=G3DuCmQupz-IC2TmAtl5dQrnz0EK0rQKOikWzzvM9Jg
Cemal
@cmlonder
Alberto Perillo
@perillo3ro
Greetings
How can I add services to my CAS server?
I don't understood the docs
Alberto Perillo
@perillo3ro
I have a JSON file (that comes with CAS by default) that admit all https and imaps services to login with CAS, but when I try to login in CAS from an external service it returns "Application not allowed"
infinity202
@infinity202
You need to specify a service in a specific JSON file. The service is "just" the name of the service or corresponding url of the systems that is allowed to talk to the CAS server.
TonCherAmi
@TonCherAmi
Hi, I have a question regarding 6.* UI customization. In this post there's a mention of live-reload functionality being supported in 5.* via the build.sh script inside the overlay. As I understand that script is not a thing anymore having been replaced with gradle tasks. So my question is whether live-reload functionality is still present in 6.* and how I would go about getting it to work.
Cardo Kambla
@CardoKambla
I mentioned some time ago, that there is a problem with OAuth/OIDC /introspect request. When I get an access token from CAS and try to access some protected resource on my back-end, the /introspect request returns Unix Timestamp in seconds for issuedAt (iat) field (which is the expected behaviour) and expiresAt (exp) field has the configured value for accessTokens maxTimeToLiveInSeconds (default value 28800, which is not the expected behaviour, should also be unix timestamp). When Spring Security 5 tries to introspect the token, it sees that the expiredAt time is before the issued time and will throw a "IllegalArgumentException: expiresAt must be after issuedAt". When I checked the OAuth 2.0 token introspection standard, then it is stated that "exp" has to be of value "Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token will expire". TL:DR; OAuth/OIDC /introspect requests response value for expiresAt (exp) should be issuedAt + maxTimeToLiveInSeconds unix timestamp, currently it is just the maxTimeToLiveInSeconds value from CAS configuration.
This problem exists in version 6.2.0-SNAPSHOT and the resource server I am using for my back-end is Spring Security 5 OAuth2ResourceServer for introspection.
Cardo Kambla
@CardoKambla
I am gonna make a pull request on this but I still have not been able to test it yet, so it is gonna take some time for me until I get the pull request up.
Łukasz
@lgwozniak
I need to get to the site 'forgot password' directly, not from the login page. Is there any change to do that ?
chance*
pvemi
@vphanibhushanreddy
Has anyone ran in to this ? Am on CAS v 6.1.2 and Java 11
Caused by: org.apache.velocity.exception.ResourceNotFoundException: Unable to find resource '/templates/saml2-post-binding.vm'
Cardo Kambla
@CardoKambla
OIDC /revoke requests seems to get "javax.persistence.TransactionRequiredException: Executing an update/delete query" when it tries to delete a ticket. There is a transactional annotation present in that class. Update requests seem to be working because the tickets are added to the database.
JackieTang
@tanghaojie
audit config?
any audit database config example?
Cardo Kambla
@CardoKambla
I am using JPA ticket registry and a Postgres database, DDL is set to update.
Cardo Kambla
@CardoKambla
Stacktrace
2020-01-02 13:55:13,622 ERROR [org.apereo.cas.oidc.web.controllers.token.OidcRevocationEndpointController] - <Executing an update/delete query>
javax.persistence.TransactionRequiredException: Executing an update/delete query
at org.hibernate.internal.AbstractSharedSessionContract.checkTransactionNeededForUpdateOperation(AbstractSharedSessionContract.java:409) ~[hibernate-core-5.4.10.Final.jar!/:5.4.10.Final]
at org.hibernate.query.internal.AbstractProducedQuery.executeUpdate(AbstractProducedQuery.java:1601) ~[hibernate-core-5.4.10.Final.jar!/:5.4.10.Final]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at org.springframework.orm.jpa.SharedEntityManagerCreator$DeferredQueryInvocationHandler.invoke(SharedEntityManagerCreator.java:409) ~[spring-orm-5.2.2.RELEASE.jar!/:5.2.2.RELEASE] at com.sun.proxy.$Proxy307.executeUpdate(Unknown Source) ~[?:?]
at org.apereo.cas.ticket.registry.JpaTicketRegistry.deleteSingleTicket(JpaTicketRegistry.java:209) ~[cas-server-support-jpa-ticket-registry-6.2.0-SNAPSHOT.jar!/:6.2.0-SNAPSHOT]
at org.apereo.cas.ticket.registry.AbstractTicketRegistry.deleteTicket(AbstractTicketRegistry.java:120) ~[cas-server-core-tickets-api-6.2.0-SNAPSHOT.jar!/:6.2.0-SNAPSHOT]
at org.apereo.cas.ticket.registry.AbstractTicketRegistry.deleteTicket(AbstractTicketRegistry.java:103) ~[cas-server-core-tickets-api-6.2.0-SNAPSHOT.jar!/:6.2.0-SNAPSHOT]
at org.apereo.cas.ticket.registry.AbstractTicketRegistry$FastClassBySpringCGLIB$d3c67a11.invoke(<generated>) ~[cas-server-core-tickets-api-6.2.0-SNAPSHOT.jar!/:6.2.0-SNAPSHOT]
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.2.2.RELEASE.jar!/:5.2.2.RELEASE]
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:685) ~[spring-aop-5.2.2.RELEASE.jar!/:5.2.2.RELEASE] at org.apereo.cas.ticket.registry.JpaTicketRegistry$EnhancerBySpringCGLIB$e04acf1c.deleteTicket(<generated>) ~[cas-server-support-jpa-ticket-registry-6.2.0-SNAPSHOT.jar!/:6.2.0-SNAPSHOT] at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?] at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?] at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?] at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?] at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282) ~[spring-core-5.2.2.RELEASE.jar!/:5.2.2.RELEASE] at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499) ~[spring-cloud-context-2.2.1.RELEASE.jar!/:2.2.1.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.2.2.RELEASE.jar!/:5.2.2.RELEASE]
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212) ~[spring-aop-5.2.2.RELEASE.jar!/:5.2.2.RELEASE]
at com.sun.proxy.$Proxy163.deleteTicket(Unknown Source) ~[?:?] at org.apereo.cas.oidc.web.controllers.token.OidcRevocationEndpointController.handleRequestInternal(OidcRevocationEndpointController.java:68) ~[cas-server-support-oidc-core-api-6.2.0-SNAPSHOT.jar!/:6.2.0-SNAPSHOT] Alberto Perillo @perillo3ro @infinity202 thanks for the docs. but I have CAS 6.1 (not 5.1) and it sems that it isn't work in the same way And I don't understand this "Support is enabled by adding the following module into the Maven overlay:" In which file I have to add that? Cardo Kambla @CardoKambla maven configuration goes into pom.xml file CAS uses gradle afaik, you should be able to add the same dependency in gradle also Cardo Kambla @CardoKambla @perillo3ro if you want to add a service from JSON (with overlay method): 0.1 Add dependency to gradle file under dependencies -> implementation "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
0.2 Clean build CAS
1. Create a json file
2. Add data to that json file (from documentation)
3. Add/replace that json file to your /etc/cas/services folder ( gradlew copyCasConfiguration does not copy it )
4. In your cas.properties file check that cas.serviceRegistry.json.location is pointing toward that folder where the json is ( in my case file:/etc/cas/services)
5. Also in cas.properties put cas.serviceRegistry.initFromJson=true .
7. run CAS
Alberto Perillo
@perillo3ro
Thanks, i'll try this
pvemi
@vphanibhushanreddy
@tanghaojie cas.ticket.registry.jpa.user=portaldb_user