apereo/cas

Apereo CAS - Single Sign On for All

springnirps

@springnirps

Has anyone gotten junit to work with CAS 6.3.7 or newer? If so, how were you able to enable this? I always get a : UnknownClass.JUnit Jupiter > UnknownClass.initializationError FAILED
org.junit.platform.commons.JUnitException at EngineExecutionOrchestrator.java:114
Caused by: java.lang.NoClassDefFoundError at OpenTest4JAndJUnit4AwareThrowableCollector.java:58
Caused by: java.lang.ClassNotFoundException at BuiltinClassLoader.java:583

UnknownClass.JUnit Jupiter FAILED

thomas-bee

@thomas-bee

in 6.4.2, curl <server>/cas/oidc/oidcAuthorize without or with proper parameters throws a internal server error 500, while it worked fine in 6.4 RC4. Any pointers?

juanmariareina

@juanmariareina

Hello everybody!

I'm struggling with configuring database auth. I see the following message:

ERROR [org.apereo.cas.web.flow.executor.EncryptedTranscoder] - <DecryptionException>

CAS 6.5, BTW

Łukasz

@lgwozniak

Hello is there possibility to redirect someone from login page to Office365 automaticly ?

mijutu

@mijutu:ellipsis.fi

[m]

If ?service= parameter points to a service that only has the Office365 login allowed, then I'd think that cas would redirect there automatically. Try adding to service registry json: "accessStrategy" : { delegatedAuthenticationPolicy" : { "allowedProviders" : [ "java.util.ArrayList", [ "client-name-from-cas-properties"

Lars Grefer

@larsgrefer

Hi everyone,

while working on #5305 I noticed something strange:

cas-server-support-bom:6.4.0 contains dependency management for jarkarta.mail:1.6.5 but the cas-server-webapp-tomcat:6.4.0 war file ships with jarkarta.mail:1.6.7

where does this discrepancy come from?

choidkdk

@choidkdk

Hello everybody!
Can I use old version CAS Client with lastest CAS Server? Like phpCAS v1.3.8 with CAS v6.5?

Łukasz

@lgwozniak

@mijutu:ellipsis.fi but someone need to klik on button "Login as Office365" I want to have that option in login flow. with some parameter in request

Łukasz

@lgwozniak

Any one was logging with OAuth 2.0 to CAS with Office365 ?

‍‍‍‍‍‍‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ z

@VrowardKid_twitter

why am i here?

i clicked my school website and took me to this

Łukasz

@lgwozniak

@mmoayyed I've got problem with logging with O365 with OAuth2 on CAS v.3.7.1. I go to redirect callbackAuthorize, when i change to authorize everything is good.

Łukasz

@lgwozniak

I thinking if this is solution for my problems apereo/cas#5321

marqc

@marqc

Hi. I have problem with my cas configuration. I have 2 authentication sources named DOMAIN and EXTERNAL. I Also have service definition that require user to be logged in through DOMAIN authn

{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "myclientid",
  "clientSecret": "myclientsecret",
  "serviceId" : "https?://(localhost|[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+).*",
  "name": "oidc",
  "id": 17,
  "supportedGrantTypes" : ["java.util.HashSet", ["authorization_code", "refresh_token"]],
  "encryptIdToken" : true,
  "bypassApprovalPrompt" : true,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  },
  "authenticationPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",  
    "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "DOMAIN" ]],
    "excludedAuthenticationHandlers" : ["java.util.TreeSet", [ "EXTERNAL" ]],
    "criteria": {
      "@class" : "org.apereo.cas.services.AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria"
    }
  }
}

If I attempt to sign in directly to this service providing DOMAIN credentials, then everything works fine.
But if I start by signing in with EXTERNAL credentials and already have cas session, and then I try to sign in to this service i keep getting loginForm. Even thought I provide correct credentials for DOMAIN it still returns UNSATISFIED_AUTHN_POLICY message. In CAS logs I can see that AuthenticationPolicy passes with "Authentication policy is satisfied having found at least one authentication transactions" message. I don't really know what is blocking the flow later.
I need to logout from cas and retry login to make it work again but I don't want to give up sso functionality.
I'm using CAS version 6.4.3.
I'll be thankful for any hints.

lshc

@lshc666

How to fix the rce vulnerability of log4j2?

Łukasz

@lgwozniak

https://logging.apache.org/log4j/2.x/security.html create PR

@mmoayyed there is requirement to upgrade log4j2 to 2.15.0

1 reply

lshc

@lshc666

Or where to configure log4j2.formatmsgnolookups = true.

My current version is 6.2.6, Docker mode deployment.

2 replies

Manuel Cones

@manuelcones_gitlab

Hello Everyone.

can we add log4j2.formatMsgNoLookups=true to the cas properties file to mitigate the log4j vulnerability?

magenta-pixel

@magenta-pixel

Is CAS actually impacted by the log4j vulnerability? I don't believe so. CAS uses slf4j and pipes to log4j. There is alot of noise ATM -- wanting to make sure it's much ado over something or we end up unnecessary work due to the noise.

lshc

@lshc666

I started using it, how to customize the JVM startup parameter -Dlog4j2.formatmsgnolookups = true? Docker Run - Name Cas_Service Apereo / CAS: V6.2.6 / bin / sh /cas-overlay/bin/run-cas.sh

lshc

@lshc666

@lgwozniak
https://logging.apache.org/log4j/2.x/security.html create PR
@mmoayyed there is requirement to upgrade log4j2 to 2.15.0

1 reply

choidkdk

@choidkdk

Hi guys, I got this error while try to build cas overlay template. 😰

release version 11 not supported

My Gradle info

------------------------------------------------------------
Gradle 7.3.1
------------------------------------------------------------

Build time:   2021-12-01 15:42:20 UTC
Revision:     2c62cec93e0b15a7d2cd68746f3348796d6d42bd

Kotlin:       1.5.31
Groovy:       3.0.9
Ant:          Apache Ant(TM) version 1.10.11 compiled on July 10 2021
JVM:          11.0.12 (Red Hat, Inc. 11.0.12+7-LTS)
OS:           Linux 4.14.256-197.484.amzn2.x86_64 amd64

5 replies

Yasin Dahi

@ymdahi

can we add log4j2.formatMsgNoLookups=true to the cas properties file to mitigate the log4j vulnerability?

This is what the official patching guide seems to infer (https://apereo.github.io/2021/12/11/log4j-vuln/#patching)
As someone new to CAS, my question is: how do I know that the patch (java -Dlog4j2.formatMsgNoLookups=true -jar cas.war) was applied successfully?

2 replies

Wendel Schultz

@wendelicious

I'm running a fairly old CAS version (5.2.1), which I know is not supported. Seems that I'm seeing some very odd OpenJDK exceptions thrown: at com.codahale.metrics.jvm.FileDescriptorRatioGauge.invoke(FileDescriptorRatioGauge.java:48)

1 reply

I've seen that updating to Spring Boot 2.0 is one way to fix this. My question is: can Cas 5.2.x run on Spring Boot 2.0 ?

Currently configured with Spring Boot 1.5.8.RELEASE

java.lang.reflect.InaccessibleObjectException: Unable to make public long com.sun.management.internal.OperatingSystemImpl.getOpenFileDescriptorCount() accessible: module jdk.management does not "opens com.sun.management.internal" to unnamed module

Wendel Schultz

@wendelicious

Alternatively, upgrading the io.dropwizard.metrics libraries to 4.0.x can also address this. Is this an option running on Spring Boot 1.5.8 ?

Wendel Schultz

@wendelicious

Also relevant: https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/

2.15.0 might not be "enough."

choidkdk

@choidkdk

Can I change server prefix to empty?
Example, after build-run my service run on https://localhost:8443/cas I can to remove /cas keep https://localhost:8443/.
Had try to update cas.server.prefix but not working :(

1 reply

Francois Hervet

@20010941

Hello ! Regarding log4j2 security vulnerability, we want to upgrade to the latest CAS version (6.4.4.1). But the problem is that the dependency seems to not be present on Maven Central, we cannot find it... Can you help please?

William VINCENT

@wixaw

Hello,
i have same error to @choidkdk , but i have docker-compose and i use cas-overlay-template/tree/6.3 .
this error happens when I use 'docker-compose build'.
I will not install openjdk because I am in a container .
thanks for your help

Building cas
Step 1/20 : FROM adoptopenjdk/openjdk11:alpine-slim AS overlay
 ---> 68d79b94d8b9
Step 2/20 : RUN mkdir -p cas-overlay
 ---> Using cache
 ---> 2fbf67e30ccc
Step 3/20 : COPY ./src cas-overlay/src/
 ---> 492ae4217531
Step 4/20 : COPY ./gradle/ cas-overlay/gradle/
 ---> d44ca8ef2c0e
Step 5/20 : COPY ./gradlew ./settings.gradle ./build.gradle ./gradle.properties /cas-overlay/
 ---> 6c0d5aaa1d06
Step 6/20 : RUN mkdir -p ~/.gradle     && echo "org.gradle.daemon=false" >> ~/.gradle/gradle.properties     && echo "org.gradle.configureondemand=true" >> ~/.gradle/gradle.properties     && cd cas-overlay     && chmod 750 ./gradlew     && ./gradlew --version;
 ---> Running in 17e37e5f3ced
Downloading https://services.gradle.org/distributions/gradle-7.3.1-bin.zip
...........10%...........20%...........30%...........40%...........50%...........60%...........70%...........80%...........90%...........100%

Welcome to Gradle 7.3.1!

Here are the highlights of this release:
 - Easily declare new test suites in Java projects
 - Support for Java 17
 - Support for Scala 3

For more details see https://docs.gradle.org/7.3.1/release-notes.html


------------------------------------------------------------
Gradle 7.3.1
------------------------------------------------------------

Build time:   2021-12-01 15:42:20 UTC
Revision:     2c62cec93e0b15a7d2cd68746f3348796d6d42bd

Kotlin:       1.5.31
Groovy:       3.0.9
Ant:          Apache Ant(TM) version 1.10.11 compiled on July 10 2021
JVM:          11.0.8 (AdoptOpenJDK 11.0.8+10)
OS:           Linux 4.18.0-348.2.1.el8_5.x86_64 amd64

Removing intermediate container 17e37e5f3ced
 ---> f0df1a5519e8
Step 7/20 : RUN cd cas-overlay     && ./gradlew clean build --parallel --no-daemon;
 ---> Running in 89755da20e71
To honour the JVM settings for this build a single-use Daemon process will be forked. See https://docs.gradle.org/7.3.1/userguide/gradle_daemon.html#sec:disabling_the_daemon.
Daemon will be stopped at the end of the build 
Configuration on demand is an incubating feature.
> Task :clean
> Task :extractCasBootWarOverlay
> Task :bootBuildInfo
> Task :generateMainEffectiveLombokConfig1
> Task :checkLombokConfig
> Task :compileJava FAILED

Deprecated Gradle features were used in this build, making it incompatible with Gradle 8.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

See https://docs.gradle.org/7.3.1/userguide/command_line_interface.html#sec:command_line_warnings
6 actionable tasks: 6 executed

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':compileJava'.
> error: release version 11 not supported

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 53s

juandn

@juandn

hello!, we update from 6.4.0 to 6.4.4 due to log4shell cas config working well but we have this error when return fron azureAD delegated auth, any thoughs?

java.lang.IllegalAccessError: class org.pac4j.oidc.profile.creator.OidcProfileCreator tried to access protected method 'void com.nimbusds.oauth2.sdk.ProtectedResourceRequest.<init>(java.net.URI, com.nimbusds.oauth2.sdk.token.AccessToken)' (org.pac4j.oidc.profile.creator.OidcProfileCreator and com.nimbusds.oauth2.sdk.ProtectedResourceRequest are in unnamed module of loader org.springframework.boot.loader.LaunchedURLClassLoader @277050dc)
    at org.pac4j.oidc.profile.creator.OidcProfileCreator.create(OidcProfileCreator.java:94)
    at org.pac4j.core.client.BaseClient.retrieveUserProfile(BaseClient.java:126)
    at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:105)
    at org.apereo.cas.support.pac4j.authentication.handler.support.DelegatedClientAuthenticationHandler.doAuthentication(DelegatedClientAuthenticationHandler.java:78)
    at org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate(AbstractPreAndPostProcessingAuthenticationHandler.java:44)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

Michry-BBN

@BbnMichry_twitter

Hello I'm using CAS 6.4.2 (log4j 2.14.1) i rebuilding the project and i add these lines

-- add to build.gradle dependencies section

implementation "org.apache.logging.log4j:log4j-api:2.16.0"
implementation "org.apache.logging.log4j:log4j-core:2.16.0"
implementation "org.apache.logging.log4j:log4j-jcl:2.16.0"
implementation "org.apache.logging.log4j:log4j-jul:2.16.0"
implementation "org.apache.logging.log4j:log4j-web:2.16.0"
implementation "org.apache.logging.log4j:log4j-slf4j18-impl:2.16.0"

-- add to the end of build.gradle

bootWar {
entryCompression = ZipEntryCompression.STORED
overlays {
cas {
from "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}@war"
provided = false
excludes = ["WEB-INF/lib/log4j2.12..jar","WEB-INF/lib/log4j2.14..jar"]
}
}
}

the buid is OK successfull so i want to know if my CAS use log4j2.16 now and how to verify it????

Rafiek

@rafiek

unzip -l cas.war | grep log4

Should only contain 2.16.0

Michry-BBN

@BbnMichry_twitter

Thank @rafiek but it's always 2.14

it's ok i juste want to copy the new cas.war

Michry-BBN

@BbnMichry_twitter

Hello guys i just install cas 6.4.4.1 for remove log4j vulnability so i want to customize my CAS login view et logout view any idea ou suggestion please

Gandhi Reddy P

@gandhireddy

Hi, We are currently using 6.3.2 version of CAS. To fix the log4j Vulnerability, we have upgraded the cas version to 6.3.7.4. After updating the version, we are facing the below issue

> Could not resolve all files for configuration ':casBootWarOverlay'.
   > Could not resolve org.apereo.cas:cas-server-webapp-tomcat:6.3.7.4.
     Required by:
         project :
      > Cannot choose between the following variants of org.apereo.cas:cas-server-webapp-tomcat:6.3.7.4:
          - master
          - samplessources
        All of them match the consumer attributes:
          - Variant 'master' capability org.apereo.cas:cas-server-webapp-tomcat:6.3.7.4:
              - Unmatched attributes:
                  - Provides org.gradle.status 'release' but the consumer didn't ask for it
                  - Provides org.gradle.usage 'java-runtime' but the consumer didn't ask for it
          - Variant 'samplessources' capability org.apereo.cas:cas-server-webapp-tomcat:6.3.7.4:
              - Unmatched attributes:
                  - Provides org.gradle.category 'documentation' but the consumer didn't ask for it
                  - Provides org.gradle.docstype 'samplessources' but the consumer didn't ask for it
                  - Provides org.gradle.status 'release' but the consumer didn't ask for it

As per the gradle documentation, looks like there are multiple variants. Can you please help me to resolve this issue?

1 reply

Pavel Horal

@pavelhoral

Hello, is there a way to disable "forgotten username" feature while leaving "reset password"? To me it seems that there is no toggle nor any easy way how to have only reset password.

(working with the newest CAS release)

infinity202

@infinity202

hello, I am completely lost within the Apereo helpfile system. It contains so many looping links to identical pages that I have been reading the same pages for about 2,5 hours now.

Where communities thrive

People

Repo info

Activity