mmoayyed on master
Migrate to bouncycastle 1.71 jd… Merge branch 'master' into mast… fix theme issue; pac4j upgrade and 29 more (compare)
mmoayyed on 6.6.x
Improve Google Analytics suppor… (compare)
mmoayyed on master
Improve Google Analytics suppor… (compare)
I would like to define the expiration of trusted devices but I can't manage to find the settings to do so.
There used to be
cas.authn.mfa.trusted.expiration but it looks like it has been removed in apereo/cas@a4c49ab
However, I don't understand by which settings the above has been replaced. Can anyone help me please ?
I've got problem with OAuth2 login, when i set in service:
Here's an error:
[1;31m2022-06-27 09:27:09,369 ERROR [org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController] - <Invalid or unauthorized grant>[m java.lang.ClassCastException: Cannot cast org.apereo.cas.support.oauth.services.OAuthRegisteredService to org.apereo.cas.services.OidcRegisteredService at java.lang.Class.cast(Unknown Source) ~[?:?] at org.apereo.cas.oidc.token.OidcRegisteredServiceJwtAccessTokenCipherExecutor.getSigningKey(OidcRegisteredServiceJwtAccessTokenCipherExecutor.java:67) ~[cas-server-support-oidc-core-api-6.5.4.jar!/:6.5.4] at org.apereo.cas.token.cipher.RegisteredServiceJwtTicketCipherExecutor.supports(RegisteredServiceJwtTicketCipherExecutor.java:58) ~[cas-server-support-token-core-api-6.5.4.jar!/:6.5.4] at org.apereo.cas.token.JwtBuilder.build(JwtBuilder.java:154) ~[cas-server-support-token-core-api-6.5.4.jar!/:6.5.4] at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20JwtAccessTokenEncoder.encode(OAuth20JwtAccessTokenEncoder.java:55) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4] at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20DefaultAccessTokenResponseGenerator.encodeAccessToken(OAuth20DefaultAccessTokenResponseGenerator.java:134) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4] at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20DefaultAccessTokenResponseGenerator.lambda$getAccessTokenResponseModel$2(OAuth20DefaultAccessTokenResponseGenerator.java:116) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4] at java.util.Optional.ifPresent(Unknown Source) ~[?:?] at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20DefaultAccessTokenResponseGenerator.getAccessTokenResponseModel(OAuth20DefaultAccessTokenResponseGenerator.java:115) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4] at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20DefaultAccessTokenResponseGenerator.generateResponseForAccessToken(OAuth20DefaultAccessTokenResponseGenerator.java:102) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4] at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20DefaultAccessTokenResponseGenerator.generate(OAuth20DefaultAccessTokenResponseGenerator.java:59) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4] at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?] at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?] at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?] at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
We have been using CAS for our applications' authentication with the regular "CAS Web flow".
One of our newer flows is doing a LoginWithoutTicket instead of credentials. So, in this flow
Can someone please let me know if there is a way to do this? Any suggestions on how to achieve this would be much appreciated.
management.ymlfile. Previous version works, but after upgrade the defaults are used. Somebody here which found this issue and knows a solution how to configure CAS authentication for management app?
Excuse-me, I have a tiny question regarding MFA providers : why all of them have their
order value defined as the
rank provided in properties ? (e.g. https://github.com/apereo/cas/blob/6e29bc0001e3c304375efc5f8cbb04918d8f8691/support/cas-server-support-duo-core/src/main/java/org/apereo/cas/adaptors/duo/authn/DuoSecurityMultifactorAuthenticationProviderFactory.java#L58)
rankare two different properties : https://github.com/apereo/cas/blob/73f816c9e887cd1c51e3ae12483fac407b3465e2/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/support/mfa/BaseMultifactorAuthenticationProviderProperties.java#L28-L53
Anyone using Spring Boot with CAS and able to get Single Sign Out to work? Our CAS is version 6.5, and I'm using spring-security-cas version 5.7.2.
I've been working on a Spring Boot app that uses CAS for SSO for days now. Single sign on works great! And I have a logout button within the app that works as well. The problem I'm running in to is Single Logout (SLO) does not work. Meaning when I log out of another application, SLO works everywhere except for this app. When I log out of this app, though, I am logged out of everything else. So it seems like this app here isn't listening for when an SSO session is ended.
Still, (in CAS 6.5.4) it seems not possible to force MFA for a SAML application when user already have a SSO session without MFA. No MFA prompt will be shown, users can access the MFA SAML application without using MFA. Really looks like a security bug to me. Opinions?
@mmoayyed I had the same problem.
Hey maintainers, I have found a bug in https://github.com/apereo/cas/blame/master/core/cas-server-core-web-api/src/main/java/org/apereo/cas/web/support/CasLocaleChangeInterceptor.java
val locale = new Locale(newLocale);
will work only for values such as
de,... but not for
the correct way would have been
val locale = Locale.forLanguageTag(newLocale);
can you please suggest be how to "hotfix" this without overriding whole class just to fix this line? i am on version 6.5.6
./gradlew bootRunin normal or debugging mode it uses the original file and not the overridden one. seems the
./gradlew bootRundoesnt build the overlay war properly.
Hello friends, someone has this error when debugging cas:
Task :api:cas-server-core-api-configuration-model:generateConfigurationMetadata FAILED
Error: Could not find or load main class org.apereo.cas.configuration.metadata.ConfigurationMetadataGenerator
Caused by: java.lang.ClassNotFoundException: org.apereo.cas.configuration.metadata.ConfigurationMetadataGenerator
Could not find or load main class org.apereo.cas.configuration.metadata.ConfigurationMetadataGenerator
@messageSourcein spel. so looks like i need to fork the
org.apereo.cas.util.spring.SpringExpressionLanguageValueResolver. but may be there is a better way?
i want to customize email templates but cas doesn't find them in the classpath, so i am forced to place them somewhere on the file system outside of the cas.war. this would make deployment harder than it should be. i tried something like
text: classpath:ResetPasswordEmailTemplate.html but then it doesn't find it
Caused by: java.io.FileNotFoundException: class path resource [ResetPasswordEmailTemplate.html] cannot be resolved to absolute file path because it does not reside in the file system: jar:file:/home/user/cas/build/libs/cas.war!/WEB-INF/classes!/ResetPasswordEmailTemplate.html even though the file is there. So it looks like the
EmailMessageBodyBuilder is loading files only from fs.
Any ideas how to solve this?
another question, may be will get some answers ;)
cas is configured to use locale cookie for localization. i use locale resolver which sets request attributes and it works for the whole UI. But the password managment email builder doesn't respect the locale cookie because it uses
request.getLocale() which reads from
here is the snippet from cas email builder
val text = EmailMessageBodyBuilder.builder() .properties(reset) .parameters(parameters) .locale(Optional.ofNullable(request.getLocale()))
any suggestion on how to set request locale somewhere in locale resolver so it works here as well. otherwise i would need to fork the class and make it use request attribute instead of
getLocale(). but that would be very dirty hack
If I only have a Provider, how do I make the delegated authentication redirect directly to it?
I want CAS to be transparent to users and not make them choose which delegated authentication to use.
I'm configure proces on CAS 6.5 to automaticaly go to Dynamic Delegation Resolver View, and then base on email go to providers
So, we're attempting to implement surrogate authentication / impersonation in CAS 220.127.116.11, using a JDBC repository. Basic impersonation works, and I see the new user id pass through to other applications. However we have SAML integrated applications that rely on the email address as the user identifier (not username), and in these situations, all of the attributes are those of the primary, not the surrogate, which results in the SAML authentication passing the primary's email address to the SP application.
I've tried configuring some of the settings related to
cas.authn.surrogate.principal.attribute-resolution-enabled and some of the associated settings, without success.
I guess my question is - is this feature just working 'as intended', and we are correctly seeing the surrogateId of the surrogateUser, with rest of the attributes from the surrogatePrincipal (email, group memberships, etc.) or am I missing a key configuration here?