[CAS Services] I'm so lost, please help me

[Cyrus]

Hi everybody,

I'm trying to develop a CASified app with phpCAS. To do so I've installed a CAS server on my computer following this tutorial  : https://apereo.atlassian.net/wiki/spaces/CASUM/pages/103261432/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven+WAR+Overlay+Method

First I installed Tomcat, then Jasig CAS version 3.5.2. I also installed WAMP for my php pages and all was going for the best, after few tweakings as I was trying the example_service.php of phpCAS : https://github.com/apereo/phpCAS/blob/master/docs/examples/example_service.php

But then I swiched to the 5.3.14 apereo version of CAS and I can't connect to CAS anymore, getting the "Application not authorized to use cas".

It seems to be a registry problem, so I gathered infos and here is what I have done :

• I'm on Windows 10
• I've downloaded the Maeven WAR overlay with cas-overlay-template-5.3, imported it in Eclipse, tried few things but finally just added the following lines in the pom.xml :

<dependency>

    <groupId>org.apereo.cas</groupId>

    <artifactId>cas-server-support-json-service-registry</artifactId>

    <version>${cas.version}</version>

</dependency>

• Once that done, I don't know why but Eclipse seemed to download few things before closing (maybe due to what I just added to the pom file). Anyway, I then typed the mvnw clean package to rebuild the server and then pasted the war file in the webapps file of tomcat
• I've looked for cas.properties, to change the properties of cas.serviceRegistry.config.location but finally I think that this file doesn't exist and that I should use the application.properties file in the WEB-INF/classes file. At least this is what I've done adding those two lines :

serviceRegistry.initFromJson=true

serviceRegistry.config.location=file:C:/etc/cas/services

• There is a WEB-INF/classes/services file but I didn't know if the CAS server was checking this file, that's why I definied C:/etc/cas/services as my services file to be sure.
• First I thought that the service wasn't accepted because WAMP was not configure into https, that's why :
• first I tried to add a new json : a copy of HTTPSandIMAPS-10000001.json where I just replace https by http
• but it didn't work so I configure WAMP to allow https connection...but it didn't work.

Finally, when I connect to CAS here is what is written in the address bar : https://localhost:8443/cas2/login?service=https%3A%2F%2Flocalhost%2FCAS_clientproxy%2Fexample_service.php

And if I wasn't previously connected to CAS, the error message says that the registry is empty and does not contain any service definition.

But if I was previously identified it gives me a longer message which says pretty much the same.

• Last thing : I donwloaded the cas-management.war and placed it in the webapps directory of Tomcat. I tried to use it to add new service. On the gui I clicked on add new services tried to had directly https://localhost/CAS_clientproxy/example_service.php (or with a ^ before the address). Couldn't connect without restarting the tomcat. And when I restarted the Tomcat server, it was even worst, not only it still wasn't working, but when I was connecting to CAS-management, the services I added had disappeared.

As you can see I'm really lost, and thus I would be really thankful if somebody could help me.

Thanking you in advance.

[Ray Bon]

Cyrus,

Here is a more up to date tutorial, https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html

When doing a new deployment, go with the latest version at least 6.1.x. And note that property names change between versions.

Leave the management app out of this until cas is working.

Add these to the log file

<!-- INFO Loaded [#] service(s) from [???ServiceRegistryDAO]

             DEBUG Adding registered service [service URL] -->

<AsyncLogger name="org.apereo.cas.services.AbstractServicesManager" level="debug" />

<!-- outputs only during startup -->

<AsyncLogger name="org.apereo.cas.config" level="debug" />

You can log in to cas without going to a service first, https://cashost/cas/login. Then use the php example apps. Start with basic login, the proxy example requires additional service configuration.

Ray

On Thu, 2020-04-09 at 02:24 -0700, Cyrus wrote:

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

-- 

Ray Bon

Programmer Analyst

Development Services, University Systems

2507218831 | CLE 019 | rb...@uvic.ca

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

[Cyrus]

Thanks for your answer Ray.

Firstly, I managed to find finally a solution for my problem. I went to the application.yml file and added 

cas:

  serviceRegistry:

    json:

      location: file:///C:/etc/cas/services

And now it's working.

Now, to explain what I'm doing : I'm trying to test the phpCAS proxy files. Everything went for the best with the basic example and login when I was using Jasig CAS 3.5.2 version. But when trying the "example_proxy_serviceWeb.php" I got the following error :

Authentication failure: Ticket validated but no PGT Iou transmitted

So I've looked for an answered and I found one here : https://github.com/apereo/phpCAS/issues/168

"A PGTiou is usually not transmitted if the "service" within the cas server is not proxy enabled (via cas server admin gui) or if the callback authentication to the cas client (your moodle service) fails. This callback is done via https and requires a trusted and matching certificate to be used on the cas client webserver."

So I wanted to proxy enable my service, but couldn't find out how to do it with this old version of CAS but found out, what I thought at the time, was an answer for a 5.X version of CAS. That's why I used that version and had to deal with the service registry issue.

BUT...

Now that my json Service file works, I've added a "proxyPolicy"...but it still doesn't work :

{

  "@class" : "org.apereo.cas.services.RegexRegisteredService",

  "serviceId" : "^(https|imaps)://.*",

  "name" : "HTTPS and IMAPS",

  "id" : 10000001,

  "proxyPolicy" : {

    "@class" : "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",

    "pattern" : "^(https|imaps)://.*"

  },

  "description" : "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",

  "evaluationOrder" : 10000

}

And now I feel like I'm in a dead end :(

But anyway, thanks for your answer again !

[Ray Bon]

Cyrus,

You may need to add to attribute release policy:

{

  "@class": "org.apereo.cas.services.RegexRegisteredService",

  "serviceId": "^https?://clientdev.uvic.ca/proxy/.*",

  "name": "Demo CAS Client proxy client",

  "id": 1512514873495,

  "description": "proxy client",

  "proxyPolicy":

  {

    "@class": "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",

    "pattern": "^https://clientdev.uvic.ca/proxy/pgtCallback"

  },

  "evaluationOrder": 20145,

  "usernameAttributeProvider":

  {

    "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",

    "canonicalizationMode": "NONE",

    "encryptUsername": false

  },

  "attributeReleasePolicy":

  {

    "@class": "org.apereo.cas.services.DenyAllAttributeReleasePolicy",

    "principalAttributesRepository":

    {

      "@class": "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",

      "expiration": 2,

      "timeUnit": "HOURS"

    },

    "authorizedToReleaseCredentialPassword": false,

    "authorizedToReleaseProxyGrantingTicket": true,

    "excludeDefaultAttributes": true

  },

  "multifactorPolicy":

  {

    "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",

    "failureMode": "CLOSED",

    "bypassEnabled": false

  },

  "accessStrategy":

  {

    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",

    "enabled": true,

    "ssoEnabled": true,

    "requireAllAttributes": false,

    "caseInsensitive": false

  },

  "publicKey":

  {

    "@class": "org.apereo.cas.services.RegisteredServicePublicKeyImpl",

    "location": "/home/cas/config/keys/client_public.key",

    "algorithm": "RSA"

  },

  "properties":

  {

    "@class": "java.util.HashMap",

    "test":

    {

      "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",

      "values":

      [

        "java.util.HashSet",

        [

          "FALSE"

        ]

      ]

    }

  }

}

The above is what I have for a test service. It was created with the management application. You do not need the public key. I think the pgtcallback has to be an https url. If you are using self signed certs, you will have to add them to the java keystore.

Ray