hing to define a service policy from the service
management to do that ? Or are you seeing a better way ?
Thanks,
--
Julien Gribonvald
--
Pascal Rigaux
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Con
On 18/12/2019 19:48, crdaudt wrote:
Is it possible to configure the embedded tomcat container with a RemoteIpValve
setting?
It is possible:
https://docs.spring.io/spring-boot/docs/current/reference/html/howto.html#howto-use-tomcat-behind-a-proxy-server
.gradle/daemon/5.6.3/daemon-.out.log. However, the tomcat
access_log..log file is still logging the IP address of the load
balancer. Is there a way to cause the access log to also record the IP
address of the client rather than the load balancer? For that matter, is
this a bad idea?
--
Pascal
NB: tomcat has many ways to configure http backend behind a rev proxy:
(1) force the values of the connector (secure, scheme...) :
https://tomcat.apache.org/tomcat-9.0-doc/proxy-howto.html
(2) filter allowed IPs :
https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#Remote_Address_F
Hi,
When apache or tomcat serves static files, they add "Last-Modified" but no
Expires nor Cache-Control.
In that case browsers are using heuristics to know how long the file must be
cached.
(
http://stackoverflow.com/questions/14345898/what-heuristics-do-browsers-use-to-cache-resources-not-exp
--
Pascal Rigaux
Expert in application development and deployment
DSIUN-SAS (service applications et services numériques)
Université Paris 1 Panthéon-Sorbonne - Centre Pierre Mendès France (PMF)
B 4
On 02/11/2016 21:12, Yan Zhou wrote:
Can you elaborate on JSONP?
> Would app. B now have to know user's password?
No need.
JSONP is pre-CORS. It has some limitations compared to Ajax, but some useful
possibilities, like auto CAS login.
Here is an example of adding auto login in angularJS:
htt
Hi,
Looking at the logs, it seems clear the ticket is validated.
After that, phpCAS "remove the ticket by an additional redirect"
Cf setNoClearTicketsFromUrl in doc :
https://apereo.github.io/phpCAS/api/group__publicAuth.html#gac7a6eeb2bfd55a432c57f5d18bd35048
I suggest "set-cookie: PHPSESSID=x
Solution:
# cas-server-support-trusted-mfa-redis seems to trigger spring-boot
RedisRepositoriesAutoConfiguration, which fails to start with a "redisTemplate"
error
spring.data.redis.repositories.enabled: false
in cas.properties
On 31/10/2021 13:53, Sem van den Broek wrote:
Hi there,
When s
NB : an alternative to cas.server.tomcat.http-proxy.* is
server.tomcat.remoteip.internal-proxies (on CAS 6.4), cf
https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
NB2 : it requires rev proxy to set some headers.
- nginx : proxy_set_header X-Forwarded-Pro
Hi,
I was modifying templates and found a way to keep using embedded
tomcat while being able to easily modify the templates (since then I
tried using templates outside of classpath[1]) :
gradle unzipWAR && java -cp
"build/app:build/app/WEB-INF/classes:build/app/WEB-INF/lib/*"
org.spring
Pascal Rigaux wrote:
Hi,
I was modifying templates and found a way to keep using embedded
tomcat while being able to easily modify the templates (since then I
tried using templates outside of classpath[1]) :
gradle unzipWAR &
Hi,
Since "RegexRegisteredService" does not work anymore
(since
https://github.com/apereo/cas/commit/befb293909418fc49afc602382d6d57d64394187#diff-038da8b55c081ccedb1604bbaaa8baed54e070dc9d71c661cfdc207fa5324aa1
)
what about turning the warning "deprecated" into error "removed"?
(in
https://gi
Hi,
In 6.6.x Redis ticket registry key is suffixed with userid (since 6.6.0-RC4)
This is great to know who owns a TGT or a ST.
Alas, this means getting a TGT from Redis now requires a "SCAN"... which is
much more costly.
Example: full "SCAN" is ~100 times slower than "GET" on our production Re
Thanks.
Best regards,
Jérôme
On Thu, 27 Oct 2022 at 19:59, Pascal Rigaux <pascal.rig...@univ-paris1.fr> wrote:
Hi,
In 6.6.x Redis ticket registry key is suffixed with userid (since 6.6.0-RC4)
This is great to know who owns a TGT or a ST.
Alas, this means getti
Hi,
The behaviour you describe used to be possible in old CAS, but it's not
possible anymore.
The question is: why do you need this?
And IMHO you should not encode the hash param. ie, you should use login url:
https://10.20.30.40/login?service=https%3A%2F%2F10.20.30.40%2F#/app-dashboard/
The "
There is work in progress on this subject, as can be seen on cas-dev mailing
list: https://www.mail-archive.com/cas-dev@apereo.org/msg00880.html
On 15/11/2022 14:37, Henry Heikkinen wrote:
Have you given up on this Redis ticket registry?
Tuesday, 8 November 2022 at 12:39:33 UTC+2 robin
On 26/11/2022 22:51, Michael Santangelo wrote:
Hello all,
Is there any way to upgrade the Tomcat version included with CAS independently
of upgrading CAS itself?
We are currently running Tomcat 9.0.58 that appears to be bundled with CAS, and
I'm trying to update to the latest 9 build (I think
ostname / proxy configuration. Any
suggestions?
Thanks,
Richard
Hi,
To avoid performance issues with Redis ticket registry on 6.6.x, we switched to
MongoDB ticket registry.
I was really astonished that MongoDB was using as much CPU as CAS Java, and was
causing a lot of iowait.
After looking around, I found a mostly unused text index:
name: 'json_text
Hi,
Throttling protects against brute force, so the time you refresh the page
*manually* the throttling has been removed.
We have the exact same throttle conf. This conf allows 1 error per 2.5 seconds:
you must wait 2.5 after a failure otherwise it will be rejected.
Our integration tests this:
P" in the context of uPortal:
https://github.com/EsupPortail/ProlongationENT/blob/master/utils/uportal43/layout.jsp
(wrapper around layout.json)
cu
--
Pascal Rigaux
As written in the pull request: "not tested"
On 08/03/2018 12:11, Stefano Nucci wrote:
Hello I tried your fix but there are errors. Are you sure is ok?
On Wednesday, 31 January 2018 18:01:21 UTC+1, Pascal Rigaux wrote:
Note that if you disable encry
On 18/04/2018 at 14:21, Karl Banke wrote:
(d) If you chose not to encrypt the JWT payload, you may rest assured that you
get another problem, because someone chose to Base64 encode the payload
twice rather than once.
About this issue, see: https://github.com/apereo/cas/pull/3179
.html#signing--encryption-5
Hi,
Look at https://github.com/toshipiazza/ngx-http-cas-client-lua
I may try it in the future:
- I would simplify it a bit by replacing "generate_cookie" with using the
"ticket" as the cookie (as done in phpCAS, which simplifies SLO)
- I also would add "REMOTE_USER" handling
cu
On 11/03/2019
Hi,
I have created a functional nginx-auth-cas-lua, quite simple and more
similar to mod_auth_cas:
https://github.com/prigaux/nginx-auth-cas-lua .
It is not tested in production yet. But I do have nginx-lua in
production for https://framagit.org/snippets/2820 .
cu
Pascal Rigaux wrote
Hi, is your app really only static html & js?
If that's the case, you can't use CAS:
- you need some server side code to call serviceValidate
- mod-auth-cas can validate, check authorization, but it can't be used
as a web-service that will return user attributes. You still need some
apache SS
was the point I was afraid of...
Maybe you can point me what exactly should I look for to use with our CAS ?
On Monday, 12 December 2016, 22:52:03 UTC+2, Pascal Rigaux wrote:
Hi, is your app really only static html & js?
If that's the case, you can't u
On 06/04/2017 10:46, Petr Gašparík - AMI Praha a.s. wrote:
1. Try SPNEGO auth
2. If it fails, show browser dialog for Kerberos login (L/P from AD)
3. If it fails, show login page for LDAP auth
Now, how to get rid of step 2?
You can't do it for Internet Explorer or Chrome on Windows.
That's
2017-04-06 12:06 GMT+02:00 Pascal Rigaux :
On 06/04/2017 10:46, Petr Gašparík - AMI Praha a.s. wrote:
1. Try SPNEGO auth
2. If it fails, sh
ular-seed-phpCAS
cd angular-seed-phpCAS
bower install
You need phpCAS :
https://wiki.jasig.org/display/CASC/phpCAS+installation+guide
Happy CAS,
cu
[*] if your first page is static AND CAS protected, you must ensure it
is not browser cached
--
Pascal Rigaux
day, July 8, 2017 at 6:39:57 PM UTC+2, Pascal Rigaux wrote:
Hi,
Do you really need to handle username/password? Most CAS applications
avoid this since it breaks SSO.
A simple solution for AngularJS application is to do as many other
apps: require a valid session on all html pages [*]
Example : ht
Hi,
Here for old javas we have "SSLHonorCipherOrder off" + a cooked SSLCipherSuite
https://httpd.apache.org/docs/2.4/ssl/ssl_faq.html#javadh
On 13/11/2017 09:52, zl anson wrote:
Hello, everyone,
I used CAS5.1 server on centos, and the jdk is 1.8
and the CAS client use jbo
server and the port it doesn't
show any error
--
Pascal Rigaux
working with CAS 5.
--
Pascal Rigaux
on the domain that the user went
through?
--
Pascal Rigaux
On 12/12/2017 08:33, Sebastien BEAUDLOT wrote:
Header set X-Frame-Options "ALLOW-FROM=https://websitewithiframe.tld";
Hi,
Bad syntax, replace "=" with " ".
cu
palImpl(principal, attributes));*
* }*
....
}
On 15/12/2017 16:11, Didier Capdevielle wrote:
What exactly do jwtAsServiceTicket vs jwtAsResponse ?
jwtAsServiceTicket replaces jwtAsResponse.
(cf
https://github.com/apereo/cas/commit/b163f59b2376a4cceda0640be91bbc895fac6f3e )
No errors in log : TGT then ST then ST Validate but after that,
Note that if you disable encryption with
cas.authn.token.crypto.encryptionEnabled=false
The payload will be double base64 encoded. I created a fix here:
https://github.com/apereo/cas/pull/3179
On 31/01/2018 17:01, Pascal Rigaux wrote:
On 15/12/2017 16:11, Didier Capdevielle wrote:
What
Hi
Various possibilities :
https://prigaux.frama.io/cas-spa-docs/
But really the easiest solution is "same session for html and api"
See https://framagit.org/prigaux/cas-angular-example/-/commits/master for
examples.
( https://prigaux.github.io/presentation-SPA-CAS/ is french only )
Cu
Hi,
AFAIK you are only vulnerable if you use "inline groovy" scripts
(as can be seen in
https://apereo.github.io/cas/6.6.x/integration/Attribute-Release-Policy-InlineGroovy.html
)
So AFAIK groovy scripts in their own xxx.groovy file are not vulnerable
(non vulnerable examples: "cas.authn.mfa.g
Hi,
Google Chrome has started trying https when asked http URLs :
https://blog.chromium.org/2023/08/towards-https-by-default.html
What is not clearly mentioned is the fallback on http: it will also happen if
the https response is too slow (3 seconds).
This impacted an application here that wor
On this subject, see
https://github.com/apereo/cas/commit/1d9b5bad50493d6bca62f8e0ca38ca21c66199aa#r116140207
(*) where I explain two possibilities:
* hash not encoded in service :
https://cas/login?service=http://localhost/#foo=bar
It happens when user browses http://localhost/#foo=bar and t
7; via CAS Community wrote:
seems your declined PR at https://github.com/apereo/cas/pull/5627/files got now adopted by re-worked MongoDB support
https://github.com/apereo/cas/commit/d7830d0d6ab47234abfd89b145c17f240f053170
On Saturday, April 1, 2023 at 12:23:41 PM UTC+2 Pascal Rigaux wrote:
Hi,
You can *not* do CAS protocol with XHR-CORS (you can't follow HTTP 302 and have
CAS cookies)
You have to *redirect* to a page that does the login (or use JSONP).
This may help: https://prigaux.frama.io/cas-spa-docs/
cu
On 12/09/2024 13:54, 'Oscar Alonso' via CAS Community wrote:
Hello,
Hi,
Since upgrading from 6.6 to 7.0, we had some memory leak like behavior: +500M
used memory per week.
After investigation, it only occurs when you have many many different CAS
"service" urls (query params are taken into account)
For example https://userphoto.univ.fr/?uid=xxx&v=
The culprit