Replace one jar library in WAR file.


JakubFr

Apr 30, 2023, 1:40:50 PM
to CAS Community
In CAS 6.4, we used the Duo Security provider for two-factor authentication. This provider communicated with our own MFA solution. That worked great! When CAS was upgraded to version 6.6, it stopped working because the duo_client_java library introduced certificate pinning from version 0.5.0 (inclusive). Unfortunately, I don't have the option to use a certificate from those CAs.

I used cas-overlay gradle.  

Is there any possibility to set a custom certificate using the configuration file? Alternatively, how to replace duo-client-*.jar with a custom version of the duo-client-java library where certificate pinning is disabled?

I'm trying in build.gradle to add exclude(group: "com.duosecurity", module: "duo-client") and in dependencies to add implementation files('customlibs/duo-client-0.5.0.jar'). I also tried building the library using the jitpack repo; it is still not working. I also tried adding an exclude for WEB-INF/lib/duo-client-*.jar in the springboot.gradle file, also without success. The WAR still does not contain the custom version of the library.

Is there any way to do this?

Thanks

Petr Fišer

May 2, 2023, 3:56:08 AM
to cas-...@apereo.org, JakubFr
Hello,
Not sure about the config way, sorry. But I would look into the CAS bootstrap code for DUO and maybe there is a way to nudge your certificate in... provided DUO has an API for it.
That way you will be patching just the CAS class that bootstraps DUO... which you can do using the src/ folder structure in the overlay project.

If you want to patch the library and include it as an external dependency, then you need to adjust the build.gradle script:
dependencies {
    // ...
    // because it is a build dependency, Gradle automatically puts it into the WAR too
    implementation files("../pac4j/pac4j-saml/target/pac4j-saml-5.3.1.jar")
}

configurations.all {
    // ...
    exclude group: 'org.pac4j', module: 'pac4j-saml'
}

I have this working on a 6.5.x branch of CAS. The pac4j-saml is a library I needed to patch.
The "dependencies" part refers to build dependencies because I have other custom patches hooked onto the pac4j-saml library and I need it at compile time.

Cheers,
Fiisch
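
A check for the symptom described in the first post (the WAR still shipping the upstream jar), as an added example that is not part of the thread or of CAS: it lists every duo-client jar packaged in a WAR and compares each one with the locally built jar by SHA-256. The jar contents and the `-custom` file name are constructed; `WEB-INF/lib-provided` is included because Spring Boot WARs place provided-scope libraries there.

```python
import hashlib
import io
import re
import zipfile

# Spring Boot WARs keep libraries in WEB-INF/lib and WEB-INF/lib-provided.
LIB_DIRS = ("WEB-INF/lib/", "WEB-INF/lib-provided/")

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_war(war, module: str, patched_jar: bytes) -> dict:
    """Find every packaged copy of `module` (e.g. "duo-client") in the WAR
    and report whether each one is byte-identical to the patched jar."""
    want = sha256(patched_jar)
    jar_name = re.compile(re.escape(module) + r"-\d[^/]*\.jar")
    copies = {}
    with zipfile.ZipFile(war) as zf:  # accepts a path or a file-like object
        for entry in zf.namelist():
            base = entry.rsplit("/", 1)[-1]
            if entry.startswith(LIB_DIRS) and jar_name.fullmatch(base):
                copies[entry] = sha256(zf.read(entry)) == want
    # Pass only when exactly one copy is packaged and it is the patched build:
    # a leftover upstream copy on the classpath may be the one that gets loaded.
    return {"copies": copies, "ok": len(copies) == 1 and all(copies.values())}

def make_war(entries: dict) -> io.BytesIO:
    """Build a constructed in-memory WAR for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

# Constructed stand-ins for real jar contents.
PATCHED = b"locally built duo-client jar"
UPSTREAM = b"duo-client jar from the repository"

if __name__ == "__main__":
    wars = {
        "exclude not applied": {"WEB-INF/lib/duo-client-0.5.0.jar": UPSTREAM},
        "both copies packaged": {"WEB-INF/lib/duo-client-0.5.0.jar": UPSTREAM,
                                 "WEB-INF/lib/duo-client-0.5.0-custom.jar": PATCHED},
        "replacement worked": {"WEB-INF/lib/duo-client-0.5.0.jar": PATCHED},
    }
    for label, entries in wars.items():
        print(label, check_war(make_war(entries), "duo-client", PATCHED))
```

Against a real build, pass the path of the generated WAR and the bytes of customlibs/duo-client-0.5.0.jar instead of the constructed values.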