CAS5.1 ,Application Not Authorized to Use CAS , no service registry issue.???

[zl anson]

hello, 

    I had used CAS4.2.7, and it works well, I can use  java and .net client to redirect to CAS server.

    But now , when I used  a new machine and deployed CAS5.1, the java and .net client are all not work, it shows the service is not registered

----------

Application Not Authorized to Use CAS

The services registry of CAS is empty and has no service definitions. Applications that wish to authenticate with CAS must explicitly be defined in the services registry.

----------

 I had copy the  json file in service folder from  4.2 to 5.1, and the regular expression should work

I only find the "deployConfigContext.xml" in 4.2 between 5.1 is huge difference,  In 4.2 it had   “serviceRegistryDao”， but it had not in 5.1,  is

this is the reason, or else? anybody can help me is appreicaly, thanks.

[Doug C]

I had this happen as well.  I fixed it by adding the following line to the overlay etc/cas/config/cas.properties file:

cas.serviceRegistry.initFromJson=true

This seemed to cause the default service registry description files to be read in but they only allow HTTPS and IMAPS services.  So in addition I also created the following directory structure in the overlay:  src/main/webapp/WEB-INF/classes/services/ and then added a file named HTTP-10000003.json with the following content:

{
  /*
    Generic service definition that applies to http urls
    that wish to register with CAS for authentication.
  */
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^http://.*",
  "name" : "HTTP",
  "id" : 10000003,
}

By adding this extra service definition I was also able to use CAS with my HTTP urls as well.

Note:  I also tried to set cas.serviceRegistry.config.location=file:/etc/cas/services in the cas.properties file and then place the new service definition file there but it never seemed to want to read it.  I think I did stumble across one bug report that indicated that setting it to anything besides classpath:/services wasn't working but that it was fixed in the v5.2.0.

[David Curry]

To use a separate JSON registry (e.g., /etc/cas/services/), you have to add the

cas-server-support-json-service-registry

dependency to pom.xml and rebuild the server. Then you can set

cas.serviceRegistry.config.location:    file:/etc/cas/services

and put your service declarations in there.

See https://apereo.github.io/cas/5.1.x/installation/JSON-Service-Management.html for the full documentation.

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david...@newschool.edu

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1e82ca7c-aecf-4940-8f33-072857afed7a%40apereo.org.

[Doug C]

Actually, when I did that, it did not work.  This appears to be a bug that has been fixed in CAS 5.2.0 RC2 as mentioned at https://apereo.github.io/2017/08/04/520rc2-release/#minors.

"Service registry initialization from JSON is now able to honor service definitions found at the path specified via settings, rather than only loading those found on the classpath’s services directory."

To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

[David Curry]

You're mixing two different things. The bug fix (more of a feature enhancement) you describe was to the automatic service registry initialization feature described here: https://apereo.github.io/cas/development/installation/InMemory-Service-Management.html#auto-initialization

That's not (at least as I understand it) the same thing as the JSON service registry itself, which is added with a separate dependency as I described (although it probably gives you the same result).

Adding the dependency to pom.xml:

<dependency>

    <groupId>org.apereo.cas</groupId>

    <artifactId>cas-server-support-json-service-registry</artifactId>

    <version>${cas.version}</version>

</dependency>

and re-running mvnw clean package, and then adding 

cas.serviceRegistry.config.location:    file:/etc/cas/services

to cas.properties and then making a service description like this in /etc/cas/services/wildcard.json (or whatever):

{

  /*

   * Wildcard service definition that applies to any https or imaps url.

   * Do not use this definition in a production environment.

   */

  "@class" :            "org.apereo.cas.services.RegexRegisteredService",

  "serviceId" :         "^(https|imaps)://.*",

  "name" :              "HTTPS/IMAPS wildcard",

  "id" :                20170905111650,

  "evaluationOrder" :   99999

}

should work. Don't forget to restart the server. :-)

At least, it works just fine for me on CAS 5.1.3. When the CAS login page is displayed, you should see whatever string is in the name field of the JSON displayed at the top right of the page in a light blue box. That's how you know which registry entry matched.

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david...@newschool.edu

To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d550fcb5-efa4-4720-99bf-5a0e88184da5%40apereo.org.

[Doug C]

Thanks!  That is really odd.  I tried that earlier but couldn't get it to work so I just reverted to storing it in the classpath.  Maybe I just messed something up though when I was testing as I am testing a lot of things that are new to me as I try to update my very old CAS 3.x to 5.1.3.  More odd is that I don't have the dependency added in my pom.xml file, I only set cas.serviceRegistry.initFromJson=true and that was enough to have my service definition read from the classpath;/services directory.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d550fcb5-efa4-4720-99bf-5a0e88184da5%40apereo.org.

[Pedro Rosas]

Hello,

I'm using the latest version of CAS at the moment (5.3.3) and I want to customize the UI of the login screen.

I followed the approach defined here https://apereo.github.io/2018/06/10/cas-userinterface-customizations on the "Themes" section.

Summing up, these are the steps that I executed:

1. Git Clone of the CAS overlay template here https://github.com/apereo/cas-overlay-template
   
2. Switch to the 5.3 branch
   
3. Added the cas-server-support-json-service-registry dependency to the pom file on the "default" profile
   
4. Executed the mvnw clean package command
5. Added the "cas.serviceRegistry.config.location: file:/etc/cas/services" entry to the cas.properties file
6. Added the /etc/cas/services/myservice.json file with the "theme" property set to "mytheme"
7. Added the theme files to /src/main/resources/static/themes/mytheme:
   
1. /src/main/resources/static/themes/mytheme/css/cas.css
   
2. /src/main/resources/static/themes/mytheme/js/cas.js
   
8. Run the application on tomcat
9. Access to http://localhost:8080/cas-overlay/login?service=https://www.myservice.com  as defined on step 6

Unfortunately, the only message I receive is "Application Not Authorized to Use CAS".

Do you guys have any idea what I could be missing?

I have deeply searched this issue and applied many suggestions but nothing seems to help..

I have tried CAS 5.3.2 but no success too.

Thanks.

Best Regards,

  Pedro Rosas

[Doug Campbell]

Pedro,

 

I think you want to use

 

cas.serviceRegistry.json.location=file:/etc/cas/services

 

instead of

 

cas.serviceRegistry.config.location: file:/etc/cas/services

 

I am just looking at my configuration and that is what I have and I seem to remember this property name changing recently and this tripping me up.  Give it a try.

 

Doug

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6e9f1089-c3ac-4446-bddf-09697f4ba97f%40apereo.org.

[Pedro Rosas]

Hi Doug,

Thanks for your quick reply.

I have tried your suggestion, but it also did not work.

I can change the main css, using the overlay and creating the "/src/main/resources/static/css/cas.css".

But I really wanted to have themes for each application.

It seems to me that either the cas.properties or the myservice.json files are not being loaded.

Do you know if there is any way I can "query" CAS to list the currently registered services?

Best Regards,

  Pedro Rosas 

[Doug Campbell]

Sorry I am not sure what to tell you.  I assume your cas.properties file is located at /etc/cas/config/cas.properties.  Also, you could try increasing the logging to see if anything interesting shows up in the logs.  I don’t know how to list the currently registered services or even if it is possible.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c75906c4-a881-4382-a6ce-8c23db6fb08e%40apereo.org.

[Andy Ng]

Hi Pedro,

To see whether or not your service is being loaded, turn on CAS debugger mode and look at the logs. 

The (cas.serviceRegistry.xxxxx.location) is based on CAS version, so you should look for the config for your CAS version:

cas.serviceRegistry.json.location=file:/etc/cas/services [CAS 5.3.x https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties.html#json-service-registry]

cas.serviceRegistry.config.location: file:/etc/cas/services [CAS 5.1.x https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#resource-based-jsonyaml-service-registry]

In your case [cas.serviceRegistry.json.location=file:/etc/cas/services] is correct.

On possible issue might be the location of your cas.properties:

Your cas.properties need to be on your server instead of inside your source code, if you only edit the cas.properties provided by CAS War Overlay and compile it into your cas.war, it will have no effect to your CAS server.

Cheers!

-Andy

[Pedro Rosas]

Hi Andy,

I'm editing the cas.properties provided by the CAS overlay template.

Do you mean that this is the wrong place to edit the cas.properties?

I searched for a cas.properties file on the "target" folder, but there is no such file there.

Should I manually copy the cas.properties file to the "target" folder? (I'm using tomcat).

Where should the file be placed exactly?

Thanks.

Best Regards,

  Pedro Rosas

[Andy Ng]

Hi Pedro,

I'm editing the cas.properties provided by the CAS overlay template.

Do you mean that this is the wrong place to edit the cas.properties?

> Yes, it is the wrong place to edit the cas.properties

Should I manually copy the cas.properties file to the "target" folder? (I'm using tomcat).

> No

Where should the file be placed exactly?

> So you are using tomcat correct? Do you have access to the server? If so, create a folder directory like this

/etc/cas/config

and then copy the cas.properties file into the above directory. (finally should be /etc/cas/config/cas.properties)

And... If you are using Windows, the directory should be C:/etc/cas/config

It is by design that the cas.properties is not included in your cas.war, so the properties can be separated from your build. 

If you need to include your properties inside your war file, consider adding them inside application.yml

Cheers!

- Andy

[Pedro Rosas]

Hi Andy,

I am using tomcat on Windows 10.

I'm also using the Netbeans IDE to load the cas overlay (maven version).

I created the C:\etc\cas\config and I have put there the cas.properties, with the following content:

cas.server.name: https://cas.example.org:8443

cas.server.prefix: https://cas.example.org:8443/cas

cas.adminPagesSecurity.ip=127\.0\.0\.1

logging.config: file:/etc/cas/config/log4j2.xml

cas.serviceRegistry.initFromJson: true

cas.serviceRegistry.json.location: file:/etc/cas/services

But, I'm still not getting it to work.

This is what I get on the log file:

2018-09-23 19:43:29,301 WARN [org.apereo.cas.config.CasCoreServicesConfiguration] - <Runtime memory is used as the persistence storage for retrieving and persisting service definitions. Changes that are made to service definitions during runtime WILL be LOST when the web server is restarted. Ideally for production, you need to choose a storage option (JDBC, etc) to store and track service definitions.>

2018-09-23 19:43:29,367 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [0] service(s) from [InMemoryServiceRegistry].>

And when I try to access http://localhost:8080/cas-overlay/login?service=https://www.example.com

I always get the message:

The services registry of CAS is empty and has no service definitions. Applications that wish to authenticate with CAS must explicitly be defined in the services registry.

I'm running out of ideas....

How could I get this running? Maybe using application.yml instead?

Thanks.

Best Regards,

  Pedro Rosas

[Pedro Rosas]

Additionally, I forgot to mention that I have added to the "C:\etc\cas\services" folder the "myservice-1001.json" file with the following content:

{

  "@class" :            "org.apereo.cas.services.RegexRegisteredService",

  "serviceId" :         "^https://www.example.com",

  "name" :              "HTTPS/IMAPS wildcard",

  "id" :                     1001,

  "evaluationOrder" :   99999,

  "theme" :             "mytheme"

}

---

Thanks.

  Pedro Rosas

[Andy Ng]

The service file should be: src/main/resources/service/myservice-1001.json

[Pedro Rosas]

Hi Andy and all,

Thank you very much for your support, it was precious to me!

I finally got it up and running.

I probably messed up something, cause I repeated the whole process from scratch and it is working now.

I got the myservice-1001.json under the C:/etc/cas/services directory.

Best Regards,

  Pedro Rosas

[Andy Ng]

Oops maybe I remember incorrectly about the service directory.
Anyway, glad to help:D

Cheers!
-Andy