pvemi
@vphanibhushanreddy
@tanghaojie cas.ticket.registry.jpa.user=portaldb_user
cas.ticket.registry.jpa.password=test123$
cas.ticket.registry.jpa.driverClass=com.microsoft.sqlserver.jdbc.SQLServerDriver
cas.ticket.registry.jpa.url=jdbc:sqlserver://10.10.1.40
cas.ticket.registry.jpa.dialect=org.hibernate.dialect.SQLServer2012Dialect
cas.ticket.registry.jpa.failFastTimeout=1
cas.ticket.registry.jpa.healthQuery=SELECT 1
cas.ticket.registry.jpa.isolateInternalQueries=false
cas.ticket.registry.jpa.leakThreshold=10
cas.ticket.registry.jpa.batchSize=100
cas.ticket.registry.jpa.ddlAuto=update
cas.ticket.registry.jpa.defaultSchema=portaldb
cas.ticket.registry.jpa.ticketLockType=NONE
cas.ticket.registry.jpa.jpaLockingTimeout=3600
Scott Williams
@vwbusguy
Is there any way to limit the users that are evaluated by risk based adaptive triggering? It ended up causing massive Mongo database load when enabled that effectively DOS'd the CAS service (6.1)
Philipp Berger
@philippberger

Hi all, we are currently using CAS 5.3.14 and facing the issue that our implementation of org.apereo.services.persondir.IPersonAttributeDao is called on every creation of a ProxyGrantingTicket. For me it looks like org.apereo.cas.audit.AuditableExecution.execute(AuditableContext) leads to org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository.retrievePersonAttributesToPrincipalAttributes(String) which is called for any service url. Is this the intended behavior?

Any comments on that? We are still facing the issue...

Alberto Perillo
@perillo3ro
@CardoKambla I put that in build.gradle and get this error

FAILURE: Build failed with an exception.

  • Where:
    Build file '/root/cas-6.1.x/build.gradle' line: 46

  • What went wrong:
    A problem occurred evaluating root project 'cas-server'.

    Could not get unknown property 'cas.version' for root project 'cas-server' of type org.gradle.api.Project.

Mikel
@mikelasla
Hi @mmoayyed. Have you had time to look at the Password Management feature on 6.0 ? (talking about ldap/ad type)
Misagh Moayyed
@mmoayyed
@mikelasla no, don't think I'd have time any time soon. If you need assistance, please contact me privately and we can work something out.
Cardo Kambla
@CardoKambla
@perillo3ro what OS are you using ?
is there any way to use CAS protocol to authenticate users for back-end microservices? it seems that CAS protocol only authenticates front-end web-clients
Cardo Kambla
@CardoKambla
the spring security post about Spring Boot and CAS usage does not mention it because Spring Boot is used as a monolith
matrixbot
@matrixbot
pratyushtiwari "+{sfs}+"
Alberto Perillo
@perillo3ro
@CardoKambla I put the compile line in the wrong place. Now CAS compiles, but when I make a .war and deploy it, I can't see the .jars in the lib folder. Maybe I am making something wrong, but apparently it compiles. Thanks! :)
dev-cr-ka
@dev-cr-ka
Greetings. I have found an issue and don't know if it is a bug or intended.
I added ldap and keycloak via org.apereo.cas:cas-server-support-openid-webflow:${project.'cas.version'} and org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}. That works. But as soon as I add org.apereo.cas:cas-server-support-oauth-webflow:${project.'cas.version'} to add OAuth communication for my client, this breaks keycloak (and any other pac4j service, like Google OAuth). Anyone ever heard of this?
Robert Witkowski
@witek1902

Hi! I want to log out a user from CAS using a REST endpoint. My users log in using OAuth2, so I created a method which clears the ticket registry:

private boolean ticketMatchesToSsoId(String ssoId, Ticket ticket) {
    Authentication auth = null;

    // Both TGTs and OAuth tokens carry the authentication of the user they belong to
    if (ticket instanceof TicketGrantingTicket) {
        auth = ((TicketGrantingTicket) ticket).getAuthentication();
    } else if (ticket instanceof OAuthToken) {
        auth = ((OAuthToken) ticket).getAuthentication();
    }

    if (auth != null) {
        // Compare the principal's attributes against the SSO id being logged out
        Map<String, Object> ticketsPrincipalAttributes = auth.getPrincipal().getAttributes();
        return attributesMatch(ticketsPrincipalAttributes, ssoId);
    }
    return false;
}

But this solution does not work. Maybe I can call an internal CAS method which does all of this for me?

jeanfpoulin
@jeanfpoulin

Hoping someone can help me figure out how to modify the CAS protocol response for the serviceValidate endpoint, for example:

<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
    <cas:authenticationSuccess>
        <cas:user>username</cas:user>
    </cas:authenticationSuccess>
</cas:serviceResponse>

I want to change which cas attribute gets used for the username based on the service and add some of the other attributes in the response as well. Any ideas?

Scott Williams
@vwbusguy
Elasticsearch would be an interesting option for tracking CAS Events and would probably offer better performance for risk-based triggering than current options
Cardo Kambla
@CardoKambla
@dev-cr-ka what version of CAS are you using and what stacktrace do you get?
@witek1902 make a request to the logout endpoint and it should remove the cookies
@witek1902 if you are using OAuth2 to log in a user, then I recommend you use the OpenID Connect protocol, which is basically OAuth2 with more user functionality and the ability to log out
Cardo Kambla
@CardoKambla
@witek1902 here is the information about CAS acting as an OIDC authorization server: https://apereo.github.io/cas/development/installation/OIDC-Authentication.html The endpoints are explained there; I recommend you test them with Postman
they might be problematic with the database implementation, but cache solutions should work nicely
Cardo Kambla
@CardoKambla
@vwbusguy everything comes down to the requirements in the end, elasticsearch at the beginning might seem a little over the edge when cache solutions are all you need at first. As much as I have used CAS, the database solutions still have some problems.
Scott Williams
@vwbusguy
Elasticsearch makes sense for stuff like risk based triggering. If you're going to use mongo for that, you either need to shard the collection or manually prune it and mongo will still be faster than JPA.
dev-cr-ka
@dev-cr-ka

@CardoKambla I am using CAS 6.1.3. I get the exception:
org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.DelegatedClientAuthenticationAction@18c4c2b in state 'delegatedAuthenticationAction' of flow 'login' -- action execution attributes were 'map[[empty]]' [...] Caused by: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery

This is thrown in the OidcExtractor on line 68, because the context.getSessionStore() is empty.

I set logging level debug for pac4j, this is what I get right before the exception:
2020-01-15 08:08:34,801 DEBUG [org.pac4j.oidc.redirect.OidcRedirectionActionBuilder] - <Authentication request url: https://url.com/auth/realms/xyz/protocol/openid-connect/auth?scope=openid+profile+email&response_type=code&redirect_uri=redir_uri&state=TST-1-abc&nonce=myNonce&client_id=client>
2020-01-15 08:08:40,959 DEBUG [org.pac4j.oidc.credentials.extractor.OidcExtractor] - <Authentication response successful>
2020-01-15 08:08:40,970 ERROR [org.springframework.boot.web.servlet.support.ErrorPageFilter] - <Forwarding to error page from request [/login] due to exception [Exception thrown executing org.apereo.cas.web.flow.DelegatedClientAuthenticationAction@36a20854 in state 'delegatedAuthenticationAction'... (see above)
The authentication itself works, but on redirect the session isn't recognized (even though the session cookie is present in the browser).

When I use cas-server-support-pac4j-webflow without cas-server-support-oauth-webflow it works fine, so it's not a misconfiguration (I guess). In the code above I am using keycloak, but when setting up Google, I get the same behavior.

onsjkm
@onsjkm
Hello, I am adding a new @Controller to the CAS overlay project and inside it I am trying to get the authenticated user's attributes. Does anyone know how?
This is my controller:

@Slf4j
@Controller("profileController")
@RequestMapping
public class ProfileController {

    @Autowired
    private TicketRegistrySupport ticketRegistrySupport;

    @GetMapping("/user")
    @PreAuthorize("isAuthenticated()")
    public String user(Model model, Principal principal) {

        // This is not working
        // model.addAttribute("principal", principal);
        return "shipUserProfile";
    }

}

Manel R. Doménech
@manelio
Hello. New Apereo CAS user here. I'm customizing the starter overlay cas-overlay-template. But it's hard having to stop and rebuild the WAR to check the changes. Is there any way to refresh the changes without rebuilding? Thanks!
Robert Witkowski
@witek1902
Hi!
I have a problem with the OAuth 2.0 resource owner grant type (username and password). When I pass a valid clientId and clientSecret but an invalid username or password, CAS returns an access token, but in my opinion it should send an "invalid grant" error. @mmoayyed, is this the proper solution?
Misagh Moayyed
@mmoayyed
sounds like a problem to me, though I have not looked. What is your cas version?
Robert Witkowski
@witek1902
6.0
Robert Witkowski
@witek1902
If I use the returned access token for /oauth2.0/profile, CAS returns only the clientId, but my clients expect an error sooner
Jiří Málek
@Hologos
Hello, we are implementing Apereo CAS in our company and we have a problem logging in using a Facebook identity. The problem is that I have to set "Valid OAuth Redirect URIs" in the Facebook app, but Apereo CAS generates a state parameter in the URL and the Facebook login page reports an error (the URLs don't match exactly). How to overcome this? Thank you
Robert Witkowski
@witek1902
@mmoayyed any news in my topic? ;)
Misagh Moayyed
@mmoayyed
@witek1902 hey there, sorry not yet. my free/volunteer time with the project is really slim these days. I can give you the usual advice which is to examine logs, cross check with the spec, upgrade to the latest patch, etc. I don't know the answer off the top of my head without spending time to research this. If you need individual help, contact me privately plz and we can try to arrange something.
Ibrahima COUNDOUL
@icoundoul
Hi all
I am using the maven overlay template version 5.1.9. How can I use my REST endpoint for user credential validation and for getting roles, to test whether a user has certain roles or not?
Ibrahima COUNDOUL
@icoundoul
Hi all,
Can someone tell me how to add a class and call my REST web service endpoint, please? I have CAS 5.1 from https://github.com/icoundoul/cas-overlay-template
thanks a lot
MJames
@moe-alabel
Does anyone know how to upgrade the spring-core-4.3.4.RELEASE.jar in cas?
esii-ed
@esii-ed
Hi all, using cas-overlay-template version 6.1.3. I tried to generate a war (not executable) to deploy it on a Tomcat server. Using gradle war doesn't generate the war. How can I achieve generating a non-executable cas.war? Any help really appreciated, as I'm a beginner with gradle.
mwolfley
@mwolfley
@esii-ed try ./gradlew clean package
hormiai76
@hormiai76
Hi,
I'm trying to configure a cas-overlay docker image. We use AD in our organization and our production CAS server (v5) works fine. We would like to dockerize it and update to v6.
The cas.properties file is:
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].baseDn=dc=example,dc=org
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].searchFilter=(sAMAccountName={user})
cas.authn.ldap[0].dnFormat=%s@example.org
cas.authn.ldap[0].principalAttributeId=sAMAccountName
cas.authn.ldap[0].principalAttributeList=sAMAccountName,sn,cn
When I try to authenticate, the logs contain "INFO [org.ldaptive.auth.Authenticator] - <Authentication failed for dn: myusername@example.org>"
Help me please!
Robert Witkowski
@witek1902
Hi, I updated CAS from 6.0.4 to 6.1.3 and I have a problem with my overridden login-webflow.xml and logout-webflow.xml
The configuration for the new Action is registered as a bean, but the "standard" webflow is still being used. I checked in the .war and the files are overwritten. Where can the problem be?
Ibrahima COUNDOUL
@icoundoul
Hi all,
Can someone tell me how to add a class and call my REST web service endpoint, please? I have CAS 5.1 from the overlay cas-overlay-template
pvemi
@vphanibhushanreddy
Was anyone able to make CAS work with Artifactory? https://www.jfrog.com/
pvemi
@vphanibhushanreddy
I was able to make it work with Unsolicited SSO SAML
Riley W.
@rileyw
I have had more success with Unsolicited SSO than POST SSO