cas.properties reference


spfma...@e.mail.fr

Feb 17, 2022, 7:38:31 AM
to cas-...@apereo.org
Hi,
 
Is there a global reference for all available configuration properties, with some description?
 
While trying to configure SPNEGO, the documentation mentions "Make sure you have at least specified the JCIFS Service Principal in the CAS configuration".
But how can I do that?
 
I have found examples with "cas.authn.spnego.properties.jcifs-service-principal" or "cas.authn.spnego.jcifsServicePrincipal" but all these syntaxes are rejected. Their references have links to Jasig website, so I guess I need something more recent :-) But I was not able to find anything so far.
 
 
Regards



Ray Bon

Feb 18, 2022, 12:53:15 AM
to cas-...@apereo.org
Use the kebab case version (it is the new format). 'properties' is an array.
cas.authn.spnego.properties[0].jcifs-service-principal

Ray

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.

spfma...@e.mail.fr

Feb 18, 2022, 3:08:10 AM
to cas-...@apereo.org
Hi,
 
Thank you very much for your help!
 
Even if it is still not working, I see in the logfiles that the parameter is now recognized.
So it's confusing when there is no error but the parameter is still ignored!
 
Here is what I have; it looks like all the config blocks I have seen coming from previous versions:
 
cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit, curl
cas.authn.spnego.system.login-conf=file:///etc/jaas.conf
cas.authn.spnego.system.kerberos-conf=file:/etc/krb5.conf
cas.authn.spnego.system.kerberos-realm=MY_REALM
cas.authn.spnego.system.kerberos-kdc=krb-master.my.domain
cas.authn.spnego.properties[0].jcifs-service-principal=HTTP/ssodev.my.domain@MY_REALM
cas.authn.spnego.system.kerberos-debug=true
cas.authn.spnego.mixed-mode-authentication=true
cas.authn.spnego.send401OnAuthenticationFailure=false
cas.authn.spnego.ips-to-check-pattern=.+
cas.authn.spnego.ntlm-allowed=true
cas.authn.spnego.ntlm=false
cas.authn.spnego.spnego-attribute-name=sAMAccountName
cas.authn.spnego.ldap.base-dn: dc=my,dc=domain
cas.authn.spnego.ldap.bind-credential: PASS
cas.authn.spnego.ldap.bind-dn: cn=casldap,dc=my,dc=fr
cas.authn.spnego.ldap.ldap-url: ldaps://ldap.my.domain:636
cas.authn.spnego.ldap.search-filter: (uid={user})
 
 
So maybe my other SPNEGO and CIFS properties need to be adjusted too?
 
Regards

Ray Bon

Feb 18, 2022, 10:37:39 AM
to cas-...@apereo.org
I keep a copy of the cas project locally. I use it to search for properties, log messages and classes.

$ grep -rln cifsServicePrincipal     # leave out the first letter since it may be lower or upper case in files
api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/support/spnego/SpnegoAuthenticationProperties.java
support/cas-server-support-spnego/src/test/java/org/apereo/cas/support/spnego/authentication/handler/support/JcifsConfigTests.java
support/cas-server-support-spnego/src/main/java/org/apereo/cas/config/SpnegoConfiguration.java
support/cas-server-support-spnego/src/main/java/org/apereo/cas/support/spnego/authentication/handler/support/JcifsConfig.java

The first hit has the property you were asking about. You can then open that file locally or on github to see what other properties are at that level.
The next search you can perform going up the property hierarchy,

$ grep -rln SpnegoAuthenticationProperties
api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/support/spnego/SpnegoProperties.java
api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/support/spnego/SpnegoAuthenticationProperties.java

The first one has the properties field and it is a list.


You may need to turn on debug logging to see which properties are identified as incorrect. There might be a way to tell spring to fail if a property is incorrect.

Ray
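
The lookup Ray describes can be scripted. The following is an added example, not part of the thread or of the CAS code base: it derives kebab-case keys from the fields of a configuration-model class and flags keys in a properties file that match none of them. The Java and properties samples are constructed (field names taken from the log output in this thread, types assumed), and all function names are hypothetical.

```python
import re

# Constructed stand-in for a CAS configuration-model class. Field names are the
# ones visible in the thread's log output; types and defaults are assumed.
SAMPLE_JAVA = """
public class SpnegoAuthenticationProperties implements Serializable {
    private static final long serialVersionUID = 1L;
    private String jcifsServicePrincipal;
    private long jcifsNetbiosCachePolicy = 600;
    private String jcifsSocketTimeout;
}
"""

# Constructed cas.properties content; the second key carries a deliberate typo.
SAMPLE_PROPS = """
cas.authn.spnego.properties[0].jcifs-service-principal=HTTP/ssodev.my.domain@MY_REALM
cas.authn.spnego.properties[0].jcifsServicePrinciple=HTTP/ssodev.my.domain@MY_REALM
cas.authn.spnego.properties[0].jcifsSocketTimeout: 300000
cas.authn.spnego.system.kerberos-realm=MY_REALM
"""

# Instance fields only: "private <type> <name> [= default];", skipping statics.
FIELD_RE = re.compile(
    r"^\s*private\s+(?!static\b)[\w<>\[\], ?.]+?\s+(\w+)\s*(?:=[^;]*)?;", re.M)

def kebab(name):
    """camelCase -> kebab-case, the form recommended in the thread."""
    return re.sub(r"(?<=[a-z0-9])(?=[A-Z])", "-", name).lower()

def keys_from_class(java_source, prefix):
    """Property keys implied by the instance fields of one model class."""
    return {f"{prefix}.{kebab(f)}" for f in FIELD_RE.findall(java_source)}

def canonical(key):
    """Normalise a key as written: list indexes -> [], segments -> kebab-case."""
    key = re.sub(r"\[\d+\]", "[]", key.strip())
    return ".".join(kebab(seg) for seg in key.split("."))

def unknown_keys(props_text, known, prefix):
    """Keys under `prefix` that match none of the derived keys."""
    bad = []
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key = re.split(r"\s*[=:]\s*", line, maxsplit=1)[0]
        if canonical(key).startswith(prefix + ".") and canonical(key) not in known:
            bad.append(key)
    return bad
```

Call `unknown_keys(SAMPLE_PROPS, keys_from_class(SAMPLE_JAVA, prefix), prefix)` with `prefix = "cas.authn.spnego.properties[]"`; keys outside that prefix are skipped because only one class was parsed.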

spfma...@e.mail.fr

Feb 18, 2022, 10:37:40 AM
to cas-...@apereo.org
Hi again,
 
After trying different combinations, it seems the directives in my previous post are correct:
2022-02-18 11:34:14,522 DEBUG [org.apereo.cas.support.spnego.authentication.handler.support.JcifsConfig] - <Attempting to load login config from [file:////etc/jaas.conf]>
2022-02-18 11:34:14,526 DEBUG [org.apereo.cas.support.spnego.authentication.handler.support.JcifsConfig] - <Located login config [file:////etc/jaas.conf] and configured it under [java.security.auth.login.config]>
2022-02-18 11:34:14,526 DEBUG [org.apereo.cas.support.spnego.authentication.handler.support.JcifsConfig] - <configured login configuration path : [null]>
2022-02-18 11:34:14,527 DEBUG [org.apereo.cas.support.spnego.authentication.handler.support.JcifsConfig] - <kerberosConf is set to :[/etc/krb5.conf]>
2022-02-18 11:34:14,527 DEBUG [org.apereo.cas.support.spnego.authentication.handler.support.JcifsConfig] - <kerberosDebug is set to : [true]>
2022-02-18 11:34:14,527 DEBUG [org.apereo.cas.support.spnego.authentication.handler.support.JcifsConfig] - <kerberosKdc is set to : [krb-master.my.domain]>
2022-02-18 11:34:14,527 DEBUG [org.apereo.cas.support.spnego.authentication.handler.support.JcifsConfig] - <kerberosRealm is set to :[MY_REALM]>
2022-02-18 11:34:14,527 DEBUG [org.apereo.cas.support.spnego.authentication.handler.support.JcifsConfig] - <useSubjectCredsOnly is set to [false]>
2022-02-18 11:34:14,528 DEBUG [org.apereo.cas.support.spnego.authentication.handler.support.JcifsConfig] - <jcifsNetbiosCachePolicy is set to [600]>
2022-02-18 11:34:14,528 DEBUG [org.apereo.cas.support.spnego.authentication.handler.support.JcifsConfig] - <jcifsServicePrincipal is set to [HTTP/ssodev.my.domain@MY_REALM]>
2022-02-18 11:34:14,528 DEBUG [org.apereo.cas.support.spnego.authentication.handler.support.JcifsConfig] - <jcifsSocketTimeout is set to [300000]>
 
Does this "<configured login configuration path : [null]>" suggest a problem? I read the source of "cas/support/cas-server-support-spnego/src/main/java/org/apereo/cas/support/spnego/authentication/handler/support/JcifsConfig.java" and it seems the "null" value is due to "java.security.auth.login.config" not being set, but the configuration is loaded from the path specified by "cas.authn.spnego.system.login-conf". The value is not updated so it remains null. Am I right?
 
Regards
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20220218080612.9D883C0099%40smtp04.mail.de.

Ocean Liu

Feb 18, 2022, 1:02:57 PM
to CAS Community, Ray Bon
Hey Ray,

> I keep a copy of the cas project locally. I use it to search for properties, log messages and classes.


It is a web-based VSCode editor, it can also sync your VSCode configuration.

Whenever you are on a github.com repo, you can:
  • Press . (the dot key) while browsing any repository on GitHub.
  • Change the URL from "github.com" to "github.dev".
Then you will have a VSCode in your browser, you can do global search very easily, supports regex and all that stuff.

Hope this will be helpful, I love that tool.

Ray Bon

Feb 18, 2022, 2:50:56 PM
to li...@whitman.edu, cas-...@apereo.org
Oh my, Ocean Liu, you are my new best friend!

Thanks

Ray

Ocean Liu

Feb 18, 2022, 3:34:24 PM
to Ray Bon, cas-...@apereo.org
Haha, glad you find it useful!
--

Ocean Liu | Enterprise Web Developer | Whitman College
WCTS Building 105F - 509.527.4973

spfma...@e.mail.fr

Feb 22, 2022, 7:45:27 AM
to cas-...@apereo.org
Hi,
 
Thank you both! I don't have a GH account right now, but I will remember it if I have one in the future.
 
Grepping is what I am doing, but it's a bit time consuming (especially when I don't know the name of the property I could be looking for) and I am regularly asked why it takes so long to install a new version and put the LDAP properties in a config file.
Because there is nothing else to do, isn't it? :-)
 
Regards