
millecentdix
@millecentdix
@millecentdix OK, I solved my problem by adding secure="true" on the Tomcat connector.
Axhay
@Axhay
What is the latest updated stable CAS version?
When is the new updated version going to come out?
jiangyanfeng
@jiangyanfeng
ERROR [org.apereo.cas.web.flow.resolver.impl.mfa.GlobalMultifactorAuthenticationPolicyEventResolver] [resolveInternal:GlobalMultifactorAuthenticationPolicyEventResolver.java:72] - <No multifactor authentication providers are available in the application context to handle [mfa-radius]>
help!
Gary Windham
@windhamg

Hi all,

I'm testing CAS 6.1.2 in an external Jetty (9.4.24) container, and I've been running into an issue where CAS logs an error message like the following:

User limit of inotify instances reached or too many open files

Prior to a huge stack trace and the application shutting down.

I originally saw this issue when running the embedded Jetty container, then switched over to an external container to see if that would make any difference (it did not). I am running Jetty in a Docker container, and have increased the following sysctl parameters on the Docker host:

# sysctl -p
fs.inotify.max_user_watches = 560144
fs.inotify.max_user_instances = 512

I also have increased nofiles substantially, but that doesn't seem to have helped either.

Any ideas on where to begin looking to resolve this issue? I see CAS constantly logging messages like this: 2019-12-21 03:41:46,082 INFO [org.apereo.cas.util.io.PathWatcherService] - <Watching directory at [/etc/cas/config]>, which I assume to be related to the inotify issues.

Thanks!

Mikel
@mikelasla

Hi @mmoayyed, let me put some context

I'm trying to make Password Management work on version 6.0.3 against Active Directory. I also have another environment with OpenLDAP for testing. In both cases, auth works just fine, but PM doesn't.

Current behaviour is that PM correctly finds the user in the user directory and sends the token by mail.

https://myserver.my.domain/cas/login?pswdrst=eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.ZXlKNmFYQWlPaUpFUlVZaUxDSmhiR2NpT2lKa2FYSWlMQ0psYm1NaU9pSkJNVEk0UTBKRExVaFRNalUySWl3aWRIbHdJam9pU2xkVUluMC4udzVOVk15NU9EeWsxS3JKSDZDYUREQS5neFMtbHROUVJxQ01MZEh5dFFyTWZrNEhpczB6Z29OZGd6eTdQeE5UeEYzVUoteTZPRm85VnpFQTdXV1RXR0ZRVURwbU0xRHZMQ1VPanRXTjlyMTFWYXZCVWwtSHlOdUY3RWFTVU93Y2tXTlRfVFlmbEdBQlJZTEpGUFBER0cyTXNIOXlUTlJ0MWoyNFYybUJpMnNibks1dnk2LW84eXRIR1FrRHZETkdOVEUyeXlsYnA4VmJaaTR4Skh6eGhKU00wd29SeWNGTERGNUhQN0pycVZ4RTVBLlUwek9pRWtGYkVXeXliVHFwYkhNUWc=.5Pswn-eqEwnDbGAqAVdbaCQRjsCKs1mWQcbWfGLJDLfExEnkcAeWicKwEx0PJk94FMQzjoYFLqv4e0Zguw_Mxg

But when I load the received URL, the pswdrst URL parameter seems to be ignored entirely; the regular login form gets loaded and no errors are shown in the logs, just this:

https://pastebin.com/iTBaNTNA

This is the config for the OpenLDAP environment (replacing sensitive values):

cas.server.name=https://myserver.my.domain
cas.server.prefix=${cas.server.name}/cas
server.port=443
server.ssl.enabled=true
cas.serviceRegistry.initFromJson=false
cas.serviceRegistry.json.location=file:/etc/cas/services
logging.config: file:/etc/cas/config/log4j2.xml
cas.authn.accept.users=
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://myopenldapserver.my.domain:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=ou=People,dc=my,dc=domain
cas.authn.ldap[0].searchFilter=uid={user}
# https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties-Common.html#email-notifications
cas.authn.pm.enabled=true
cas.authn.pm.autoLogin =true
cas.authn.pm.policyPattern =^(?=.*[a-z])[A-Za-z\\d]{4,}
cas.authn.pm.ldap.type=GENERIC
cas.authn.pm.ldap.usernameAttribute=uid
cas.authn.pm.ldap.ldapUrl=ldap://myopenldapserver.my.domain:389
cas.authn.pm.ldap.useSsl=false
cas.authn.pm.ldap.baseDn=ou=People,dc=my,dc=domain
cas.authn.pm.ldap.searchFilter=(uid={user})
cas.authn.pm.ldap.bindDn=uid=somuser,ou=People,dc=my,dc=domain
cas.authn.pm.ldap.bindCredential=mypassword
cas.authn.pm.reset.mail.from=cas@my.domain
cas.authn.pm.reset.mail.attributeName=mail
cas.authn.pm.reset.mail.text=%s
cas.authn.pm.reset.mail.subject=Reset your password
cas.authn.pm.reset.securityQuestionsEnabled=false
cas.authn.pm.reset.expirationMinutes=10
cas.authn.pm.autoLogin=false
spring.mail.host=smtp.my.domain
spring.mail.port=25
spring.mail.username=cas@my.domain
spring.mail.password=caspassword
spring.mail.testConnection=true
spring.mail.properties.mail.smtp.auth=true
spring.mail.properties.mail.smtp.starttls.enable=false

Mikel
@mikelasla
@mmoayyed I also noticed these log lines, so I pasted those properties too:

WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated encryption key [G3DuCmQupz-IC2TmAtl5dQrnz0EK0rQKOikWzzvM9Jg] of size [256] for [Password Reset Token]. The generated key MUST be added to CAS settings under setting [cas.authn.pm.reset.crypto.encryption.key].>
WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated signing key [lwrDVYc0vZ7Bl7FEqAnS7LbPPlMZ7xpaaz-d-1VRocox5praHqPC1hR1SNK8c8QtLaQqO933kReYoGVjpKNCYw] of size [512] for [Password Reset Token]. The generated key MUST be added to CAS settings under setting [cas.authn.pm.reset.crypto.signing.key].>

like that:

cas.authn.pm.reset.crypto.signing.key=lwrDVYc0vZ7Bl7FEqAnS7LbPPlMZ7xpaaz-d-1VRocox5praHqPC1hR1SNK8c8QtLaQqO933kReYoGVjpKNCYw
cas.authn.pm.reset.crypto.encryption.key=G3DuCmQupz-IC2TmAtl5dQrnz0EK0rQKOikWzzvM9Jg

Cemal
@cmlonder

Alberto Perillo
@perillo3ro
Greetings. How can I add services to my CAS server? I don't understand the docs.

Alberto Perillo
@perillo3ro
I have a JSON file (that comes with CAS by default) that admits all https and imaps services to log in with CAS, but when I try to log in to CAS from an external service it returns "Application not allowed".

infinity202
@infinity202
You need to specify a service in a specific JSON file. The service is "just" the name of the service or the corresponding URL of the system that is allowed to talk to the CAS server.

TonCherAmi
@TonCherAmi
Hi, I have a question regarding 6.* UI customization. In this post there's a mention of live-reload functionality being supported in 5.* via the build.sh script inside the overlay. As I understand it, that script is not a thing anymore, having been replaced with Gradle tasks. So my question is whether live-reload functionality is still present in 6.* and how I would go about getting it to work.

Cardo Kambla
@CardoKambla
I mentioned some time ago that there is a problem with the OAuth/OIDC /introspect request.
When I get an access token from CAS and try to access some protected resource on my back-end, the /introspect request returns a Unix timestamp in seconds for the issuedAt (iat) field (which is the expected behaviour), and the expiresAt (exp) field has the configured value for accessTokens maxTimeToLiveInSeconds (default value 28800, which is not the expected behaviour; it should also be a Unix timestamp). When Spring Security 5 tries to introspect the token, it sees that the expiredAt time is before the issued time and throws an "IllegalArgumentException: expiresAt must be after issuedAt". When I checked the OAuth 2.0 token introspection standard, it states that "exp" has to be of value "Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token will expire". TL;DR: the OAuth/OIDC /introspect request's response value for expiresAt (exp) should be the issuedAt + maxTimeToLiveInSeconds Unix timestamp; currently it is just the maxTimeToLiveInSeconds value from the CAS configuration. This problem exists in version 6.2.0-SNAPSHOT, and the resource server I am using for my back-end is Spring Security 5 OAuth2ResourceServer for introspection.

Cardo Kambla
@CardoKambla
I am gonna make a pull request on this, but I still have not been able to test it yet, so it is gonna take some time for me until I get the pull request up.

Łukasz
@lgwozniak
I need to get to the 'forgot password' site directly, not from the login page. Is there any change to do that?
chance*

pvemi
@vphanibhushanreddy
Has anyone run into this? I am on CAS v6.1.2 and Java 11.
Caused by: org.apache.velocity.exception.ResourceNotFoundException: Unable to find resource '/templates/saml2-post-binding.vm'
at org.apache.velocity.runtime.resource.ResourceManagerImpl.loadResource(ResourceManagerImpl.java:474)

Cardo Kambla
@CardoKambla
OIDC /revoke requests seem to get "javax.persistence.TransactionRequiredException: Executing an update/delete query" when trying to delete a ticket.
There is a transactional annotation present in that class. Update requests seem to be working because the tickets are added to the database.

JackieTang
@tanghaojie
audit config? any audit database config example?

Cardo Kambla
@CardoKambla
I am using the JPA ticket registry and a Postgres database; DDL is set to update. Tables for the ticket registry are created at startup and filled/selected when introspecting/asking for access tokens.

Cardo Kambla
@CardoKambla
Stacktrace:

2020-01-02 13:55:13,622 ERROR [org.apereo.cas.oidc.web.controllers.token.OidcRevocationEndpointController] - <Executing an update/delete query>
javax.persistence.TransactionRequiredException: Executing an update/delete query
at org.hibernate.internal.AbstractSharedSessionContract.checkTransactionNeededForUpdateOperation(AbstractSharedSessionContract.java:409) ~[hibernate-core-5.4.10.Final.jar!/:5.4.10.Final]
at org.hibernate.query.internal.AbstractProducedQuery.executeUpdate(AbstractProducedQuery.java:1601) ~[hibernate-core-5.4.10.Final.jar!/:5.4.10.Final]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at org.springframework.orm.jpa.SharedEntityManagerCreator$DeferredQueryInvocationHandler.invoke(SharedEntityManagerCreator.java:409) ~[spring-orm-5.2.2.RELEASE.jar!/:5.2.2.RELEASE]
at com.sun.proxy.$Proxy307.executeUpdate(Unknown Source) ~[?:?]
at org.apereo.cas.ticket.registry.JpaTicketRegistry.deleteSingleTicket(JpaTicketRegistry.java:209) ~[cas-server-support-jpa-ticket-registry-6.2.0-SNAPSHOT.jar!/:6.2.0-SNAPSHOT]
at org.apereo.cas.ticket.registry.AbstractTicketRegistry.deleteTicket(AbstractTicketRegistry.java:120) ~[cas-server-core-tickets-api-6.2.0-SNAPSHOT.jar!/:6.2.0-SNAPSHOT]
at org.apereo.cas.ticket.registry.AbstractTicketRegistry.deleteTicket(AbstractTicketRegistry.java:103) ~[cas-server-core-tickets-api-6.2.0-SNAPSHOT.jar!/:6.2.0-SNAPSHOT]
at org.apereo.cas.ticket.registry.AbstractTicketRegistry$FastClassBySpringCGLIB$d3c67a11.invoke(<generated>) ~[cas-server-core-tickets-api-6.2.0-SNAPSHOT.jar!/:6.2.0-SNAPSHOT]
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.2.2.RELEASE.jar!/:5.2.2.RELEASE]
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:685) ~[spring-aop-5.2.2.RELEASE.jar!/:5.2.2.RELEASE]
at org.apereo.cas.ticket.registry.JpaTicketRegistry$EnhancerBySpringCGLIB$e04acf1c.deleteTicket(<generated>) ~[cas-server-support-jpa-ticket-registry-6.2.0-SNAPSHOT.jar!/:6.2.0-SNAPSHOT]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282) ~[spring-core-5.2.2.RELEASE.jar!/:5.2.2.RELEASE]
at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499) ~[spring-cloud-context-2.2.1.RELEASE.jar!/:2.2.1.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.2.2.RELEASE.jar!/:5.2.2.RELEASE]
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212) ~[spring-aop-5.2.2.RELEASE.jar!/:5.2.2.RELEASE]
at com.sun.proxy.$Proxy163.deleteTicket(Unknown Source) ~[?:?]
at org.apereo.cas.oidc.web.controllers.token.OidcRevocationEndpointController.handleRequestInternal(OidcRevocationEndpointController.java:68) ~[cas-server-support-oidc-core-api-6.2.0-SNAPSHOT.jar!/:6.2.0-SNAPSHOT]
Alberto Perillo
@perillo3ro
@infinity202 thanks for the docs. But I have CAS 6.1 (not 5.1) and it seems that it doesn't work the same way.
And I don't understand this:
"Support is enabled by adding the following module into the Maven overlay:"
In which file do I have to add that?
Cardo Kambla
@CardoKambla
Maven configuration goes into the pom.xml file.
Cardo Kambla
@CardoKambla
@perillo3ro if you want to add a service from JSON (with the overlay method):
0.1 Add the dependency to the Gradle file under dependencies -> implementation "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
0.2 Clean build CAS
1. Create a JSON file
2. Add data to that JSON file (from the documentation)
3. Add/replace that JSON file in your /etc/cas/services folder (gradlew copyCasConfiguration does not copy it)
4. In your cas.properties file check that cas.serviceRegistry.json.location is pointing toward the folder where the JSON is (in my case file:/etc/cas/services)
5. Also in cas.properties put cas.serviceRegistry.initFromJson=true
6. gradlew copyCasConfiguration
7. Run CAS

Alberto Perillo
@perillo3ro
Thanks, I'll try this.

pvemi
@vphanibhushanreddy
@tanghaojie
cas.ticket.registry.jpa.user=portaldb_user
cas.ticket.registry.jpa.password=test123$
cas.ticket.registry.jpa.driverClass=com.microsoft.sqlserver.jdbc.SQLServerDriver
cas.ticket.registry.jpa.url=jdbc:sqlserver://10.10.1.40
cas.ticket.registry.jpa.dialect=org.hibernate.dialect.SQLServer2012Dialect
cas.ticket.registry.jpa.failFastTimeout=1
cas.ticket.registry.jpa.healthQuery=SELECT 1
cas.ticket.registry.jpa.isolateInternalQueries=false
cas.ticket.registry.jpa.leakThreshold=10
cas.ticket.registry.jpa.batchSize=100
cas.ticket.registry.jpa.ddlAuto=update
cas.ticket.registry.jpa.defaultSchema=portaldb
cas.ticket.registry.jpa.ticketLockType=NONE
cas.ticket.registry.jpa.jpaLockingTimeout=3600
Scott Williams
@vwbusguy
Is there any way to limit the users that are evaluated by risk-based adaptive triggering? It ended up causing massive Mongo database load when enabled, which effectively DoS'd the CAS service (6.1).
Philipp Berger
@philippberger

Hi all, we are currently using CAS 5.3.14 and facing the issue that our implementation of org.apereo.services.persondir.IPersonAttributeDao is called on every creation of a ProxyGrantingTicket. For me it looks like org.apereo.cas.audit.AuditableExecution.execute(AuditableContext) leads to org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository.retrievePersonAttributesToPrincipalAttributes(String) which is called for any service url. Is this the intended behavior?

Any comments on that? We are still facing the issue...

Alberto Perillo
@perillo3ro
@CardoKambla I put that in build.gradle and get this error

FAILURE: Build failed with an exception.

• Where:

• What went wrong:
A problem occurred evaluating root project 'cas-server'.

Could not get unknown property 'cas.version' for root project 'cas-server' of type org.gradle.api.Project.

Mikel
@mikelasla
Misagh Moayyed
@mmoayyed
@mikelasla no, I don't think I'd have time any time soon. If you need assistance, please contact me privately and we can work something out.
Cardo Kambla
@CardoKambla
@perillo3ro what OS are you using?
Is there any way to use the CAS protocol to authenticate users for back-end microservices? It seems that the CAS protocol only authenticates front-end web clients.
Cardo Kambla
@CardoKambla
The Spring Security post about Spring Boot and CAS usage does not mention it because Spring Boot is used as a monolith.
matrixbot
@matrixbot
pratyushtiwari "+{sfs}+"
Alberto Perillo
@perillo3ro
@CardoKambla I put the compile line in the wrong place. Now CAS compiles, but when I make a .war and deploy it, I can't see the .jars in the lib folder. Maybe I'm doing something wrong, but apparently it compiles. Thanks! :)
dev-cr-ka
@dev-cr-ka
Greetings. I have found an issue and don't know if it is a bug or intended.
I added LDAP and Keycloak via org.apereo.cas:cas-server-support-openid-webflow:${project.'cas.version'} and org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}. That works. But as soon as I add org.apereo.cas:cas-server-support-oauth-webflow:${project.'cas.version'} to add OAuth communication for my client, this breaks Keycloak (and any other pac4j service, like Google OAuth). Anyone ever heard of this?