Service Registry -- Getting the 1st Application Entered


Jann Malenkoff

May 14, 2018, 6:13:18 PM
to CAS Community
Hi All:

I'm trying to get the 'http://localhost:8080/cas-management/manage.html' loaded up --- but hitting the error message:
'
Application Not Authorized to Use CAS

The services registry of CAS is empty and has no service definitions. Applications that wish to authenticate with CAS must explicitly be defined in the services registry.'


I am hoping to have a JPA service registry --- and have configured the dependencies below in the 'cas-overlay-template' pom.xml.


To enable the access to 'http://localhost:8080/cas-management/manage.html', I have added the JSON entry as below --- but do not see it in the database table REGEXREGISTEREDSERVICE (I have cas.serviceRegistry.config.location:    file:/etc/cas/services in 'cas.properties').


What could I have missed (or more likely misunderstood)?


JSON File in /etc/cas/services (copied -- slightly adjusted -- from an earlier post):

{
  /*
   * Wildcard service definition that applies to any https or imaps url.
   * Do not use this definition in a production environment.
   */
  "@class" :            "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" :         "^(http)://.*",
  "name" :              "HTTP wildcard",
  "id" :                20180514,
  "evaluationOrder" :   99999
}



pom.xml -- for cas-overlay-template

<dependencies>
                <dependency>
                    <groupId>org.apereo.cas</groupId>
                    <artifactId>cas-server-webapp${app.server}</artifactId>
                    <version>${cas.version}</version>
                    <type>war</type>
                    <scope>runtime</scope>
                </dependency>
                <dependency>
                    <groupId>org.apereo.cas</groupId>
                    <artifactId>cas-server-support-json-service-registry</artifactId>
                    <version>${cas.version}</version>
                </dependency>
                <dependency>
                    <groupId>org.apereo.cas</groupId>
                    <artifactId>cas-server-support-ldap</artifactId>
                    <version>${cas.version}</version>
                </dependency>
                <dependency>
                    <groupId>org.apereo.cas</groupId>
                    <artifactId>cas-server-support-jpa-service-registry</artifactId>
                    <version>${cas.version}</version>
                </dependency>
                <dependency>
                    <groupId>org.apereo.cas</groupId>
                    <artifactId>cas-server-support-jpa-ticket-registry</artifactId>
                    <version>${cas.version}</version>
                </dependency>
                <dependency>
                    <groupId>org.apereo.cas</groupId>
                    <artifactId>cas-server-support-jdbc-drivers</artifactId>
                    <version>${cas.version}</version>
                </dependency>
                <dependency>
                    <groupId>com.oracle</groupId>
                    <artifactId>ojdbc7.jar</artifactId>
                    <version>12.1.0.1</version>
                </dependency>
                <dependency>
                    <groupId>org.apereo.cas</groupId>
                    <artifactId>cas-server-support-saml</artifactId>
                    <version>${cas.version}</version>
                </dependency>
                <dependency>
                    <groupId>org.apereo.cas</groupId>
                    <artifactId>cas-server-support-duo</artifactId>
                    <version>${cas.version}</version>
                </dependency>
                <dependency>
                    <groupId>org.apereo.cas</groupId>
                    <artifactId>cas-server-support-events-jpa</artifactId>
                    <version>${cas.version}</version>
                </dependency>
</dependencies>

Richard Frovarp

May 14, 2018, 6:30:38 PM
to cas-...@apereo.org
Do you have initialization on from JSON? Not sure if it will use your file or just the defaults. Either way, it should get you into the manager. Then you configure the manager service, and turn that property off.

# Auto-initialize the registry from default JSON service definitions
# cas.serviceRegistry.initFromJson=false
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/daad2fc6-3a69-4404-9a91-379cfd3ee24e%40apereo.org.


Jann Malenkoff

May 14, 2018, 6:37:31 PM
to CAS Community
Hi Richard:

I have the following in 'cas.properties':

cas.serviceRegistry.initFromJson=true

Is that correct to enable the first read from JSON? I have been staring at the screen for so long and am beginning to doubt myself w.r.t. true/false flags.

Jann Malenkoff

May 14, 2018, 6:41:30 PM
to CAS Community
FYI --- the following appears in 'catalina.out' when attempting to access 'http://localhost:8080/cas-management/manage.html'.

2018-05-14 15:39:09,152 WARN [org.apereo.cas.services.web.ServiceThemeResolver] - <No registered service is found to match [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@13eed7a6[id=http://localhost:8080/cas-management/manage.html,originalUrl=http://localhost:8080/cas-management/manage.html,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML]] or service access is disallowed. Using default theme [cas-theme-default]>

Richard Frovarp

May 14, 2018, 6:45:34 PM
to cas-...@apereo.org
Yes, you would want to flip that to true. There should be something in the logs. I don't remember which component actually does the work to do the initial import, if it is the server or the manager. I do seem to recall one of them logging something about importing it.

Man H

May 14, 2018, 6:47:36 PM
to cas-...@apereo.org

Where are these pointing to:

cas.serviceRegistry.json.location for 5.2.x
or
cas.serviceRegistry.config.location for 5.1.x


Jann Malenkoff

May 14, 2018, 7:16:39 PM
to CAS Community
I'm on 5.2.4 --- I had earlier the 5.1 (i.e. cas.serviceRegistry.config.location) in 'cas.properties'--- now, updated to below (the 5.2.x version)

cas.serviceRegistry.json.location:file:/etc/cas/service
cas.serviceRegistry.initFromJson=true

Still getting error below:

2018-05-14 16:11:41,016 WARN [org.apereo.cas.services.web.ServiceThemeResolver] - <No registered service is found to match [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@3f670479[id=http://localhost:8080/cas-management/manage.html,originalUrl=http://locahost:8080/cas-management/manage.html,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML]] or service access is disallowed. Using default theme [cas-theme-default]>

Json file:

{

  "@class" :            "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" :         "^(http)://.*",
  "name" :              "HTTP wildcard",
  "id" :                20170905111650,
  "evaluationOrder" :   99999
}

Have I missed anything else? Could there be something else in the logs that can give a clue (I have been hunting but may be missing it)?

Jann Malenkoff

May 14, 2018, 8:09:12 PM
to CAS Community
I had a minor Eureka moment --- but it came to fraught (partially).

I had a typo in the 'cas.properties' file: cas.serviceRegistry.json.location:file:/etc/cas/service

i.e. 'service' instead of 'services' --- corrected now (validated that the json files are in '/etc/cas/services').

But still no-go.......any ideas will be matched by the maximum Karma I can provide.

Jann Malenkoff

May 14, 2018, 8:42:35 PM
to CAS Community

Attached is my 'cas.properties' file ---  in case I may be missing something there (very likely)
cas.properties

Lionel Samuel

May 14, 2018, 11:25:37 PM
to CAS Community
I'm working with Jann -- attached is our pom file (we call the jar my-cas -- which is reflected in the URLs).

It does not look like the JSON file is loaded -- I don't think it's pom related --- but at the moment we are both stumped so anything goes.

2018-05-14 20:23:17,715 WARN [org.apereo.cas.services.web.ServiceThemeResolver] - <No registered service is found to match [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@330c1ecf[id=http://localhost:8080/cas-management/manage.html,originalUrl=http://localhost:8080/cas-management/manage.html,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML]] or service access is disallowed. Using default theme [cas-theme-default]>
pom.xml

Lionel Samuel

May 15, 2018, 12:14:59 AM
to CAS Community
Changing in "cas.properties"  'cas.serviceRegistry.json.location:file:/etc/cas/services' to 'cas.serviceRegistry.json.location:foobar:/etc/cas/services'

The above does not generate an error message --- is that a sign it's not loaded?

King, Robert

May 15, 2018, 8:08:54 AM
to cas-...@apereo.org

Does the tomcat service have proper read rights to the json files and/or the /etc/cas/services/ directories?

David Curry

May 15, 2018, 8:15:55 AM
to cas-...@apereo.org
Lionel and Jann,

Did you ever have the JSON service registry working? If not, I recommend that you take all the JPA stuff out of pom.xml and cas.properties and get that working correctly first, so that you're only trying to debug one thing at a time. Once you have the JSON service registry working correctly, for both the main server and the management webapp, then it's time to move things to JPA.

The basic steps for moving to JPA *should* be this:

1. REMOVE the "cas-server-support-json-service-registry" dependency from pom.xml (server and management webapp)

2. Add the "cas-server-support-jpa-service-registry" dependency and whatever other dependencies go with it to pom.xml (server and management webapp)

3. Rebuild the server and management webapp

4. In the server's cas.properties file, include BOTH of these lines:

cas.serviceRegistry.json.location:     file:/etc/cas/services
cas.serviceRegistry.initFromJson:      true

The first line should already be there (since before you start these steps you're using the JSON service registry), but you must add the second line.

5. Add all the lines you need to configure the JPA service registry to the server's cas.properties file.

6. Start the CAS server (do not start the management webapp). You should see it load the services from the JSON files (again, this should already be working before you start) and then it will magically save them into the JPA registry.

7. Shut the server down.

8. Check the database to see that the services actually got loaded there. If not, this is where you need to start debugging. And the first step of that would be setting the log level to "debug" in log4j2.xml, and adding whatever Logger configuration you need to make the Oracle JDBC library log for you as well.

Once you've got the services loaded into the database....

9. Remove the "cas.serviceRegistry.json.location" and "cas.serviceRegistry.initFromJson" properties from the server's cas.properties file.

10. Remove the "cas.serviceRegistry.json.location" property from, and add all the JPA properties to, the management webapp's management.properties file.

At least, that's the procedure I followed to get the MongoDB service registry working (see https://dacurry-tns.github.io/deploying-apereo-cas/high-avail_service-registry_overview.html). I've not used the JPA stuff at all, so no guarantees, but I don't see why it should be any different.

--Dave


--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu

The New School
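
An added example (not from the thread or the CAS project): a Python preflight for what steps 4 to 6 above depend on, namely that the server's cas.properties turns on initFromJson and points cas.serviceRegistry.json.location at an existing directory of parseable service files, one of which matches the management URL. The function names, the comment stripping, the use of Python regex in place of the Java regex CAS evaluates, and the sample file are assumptions constructed for illustration.

```python
import json, os, re, tempfile
from pathlib import Path

def parse_properties(text):
    """Accept both 'key=value' and 'key: value', the two forms used in the thread."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#:=\s][^:=\s]*)\s*[:=]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def load_service(path):
    """Strip /* ... */ comments, then parse as JSON (a simplification of CAS's lenient JSON)."""
    return json.loads(re.sub(r"/\*.*?\*/", "", Path(path).read_text(), flags=re.S))

def preflight(properties_text, target_url):
    """Return a list of findings; an empty list means every check passed."""
    props, findings = parse_properties(properties_text), []
    if props.get("cas.serviceRegistry.initFromJson", "").lower() != "true":
        findings.append("initFromJson is not true")
    location = props.get("cas.serviceRegistry.json.location", "")
    directory = Path(location[len("file:"):])
    if not location.startswith("file:") or not directory.is_dir():
        return findings + [f"json.location {location!r} is not an existing file: directory"]
    matched = False
    for f in sorted(directory.glob("*.json")):
        if not os.access(f, os.R_OK):  # checks the current user, not the Tomcat account
            findings.append(f"{f.name}: not readable")
            continue
        try:
            pattern = load_service(f)["serviceId"]
            matched |= re.fullmatch(pattern, target_url) is not None
            # Assumption: Python regex stands in for the Java regex CAS evaluates.
            if re.fullmatch(pattern, "http://unrelated.invalid/x"):
                findings.append(f"{f.name}: wildcard serviceId, not for production")
        except (ValueError, KeyError, re.error) as exc:
            findings.append(f"{f.name}: unusable definition ({exc})")
    if not matched:
        findings.append(f"no definition matches {target_url}")
    return findings

def demo():
    """Constructed sample: the thread's wildcard file, checked against the typo and the fix."""
    root = Path(tempfile.mkdtemp())
    (root / "services").mkdir()
    (root / "services" / "wildcard-20180514.json").write_text(
        '{ /* constructed sample */ "@class": "org.apereo.cas.services.RegexRegisteredService",\n'
        '  "serviceId": "^(http)://.*", "name": "HTTP wildcard",\n'
        '  "id": 20180514, "evaluationOrder": 99999 }\n')
    url = "http://localhost:8080/cas-management/manage.html"
    props = "cas.serviceRegistry.json.location:file:{}\ncas.serviceRegistry.initFromJson=true\n"
    return (preflight(props.format(root / "service"), url),
            preflight(props.format(root / "services"), url))
```

Run it as the account the servlet container uses so the readability check reflects that account's rights; the wildcard finding is the reminder, already in the posted file's comment, to replace the bootstrap definition before production.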



Jann Malenkoff

May 15, 2018, 6:18:10 PM
to CAS Community
Hi David:

You Sir --- are a gentleman and a scholar.

Very much appreciated from both of us.

Working exactly as you have outlined.

Please accept our utmost gratitude.

党田力

Aug 31, 2018, 7:05:02 AM
to CAS Community
I have tested on versions 5.2.6 and 5.2.7.
With only `cas-server-support-json-service-registry` appended to pom.xml, 'cas.serviceRegistry.initFromJson=true' works.
With only `cas-server-support-jpa-service-registry` appended to pom.xml, the database works.
But when I append both of them, the services defined in JSON are not loaded.

On version 5.1.9 it works.


On Tuesday, May 15, 2018 at 8:15:55 PM UTC+8, David Curry wrote:

党田力

Aug 31, 2018, 7:06:50 AM
to CAS Community
I debugged JsonServiceRegistryConfiguration; the class is not loaded.
Then I changed the version of Spring from 1.5.12 to 1.5.15; nothing changed.

On Friday, August 31, 2018 at 7:05:02 PM UTC+8, 党田力 wrote:

Francois Campbell

Aug 31, 2018, 9:46:17 AM
to cas-...@apereo.org
Hi.

I believe only one of the two should be in the pom.xml file at a time.
----
Regards
Francois Campbell
Teaching and Learning Product Lead


abdellhak tlili

Aug 31, 2018, 10:02:35 AM
to CAS Community
Hi All,
I'm trying to configure CAS 5.1.9 with LDAP authentication. I have added the LDAP support dependency in pom.xml, and I have also added the LDAP configuration to cas.properties, and when I try to connect to LDAP I get these 2 messages in cas.log:

cas.properties:
 cas.authn.ldap[0].principalAttributeList=sn,cn:admin
 cas.authn.ldap[0].collectDnAttribute=false
 cas.authn.ldap[0].principalDnAttributeName=dc=XXX,dc=com
 cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
 cas.authn.ldap[0].allowMissingPrincipalAttributeValue=true
 cas.authn.ldap[0].credentialCriteria=
 cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

#========================================
# Authentication
#========================================
cas.authn.accept.users=
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap:ldap://localhost:10389/dc=XXX,dc=com
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=ou=Users,dc=XXX,dc=com
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindCredential=userPassword



cas.log
1- /***************************/
N [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [admin@******.com] of type [UsernamePasswordCredential], which suggests a configuration problem.>
2018-08-31 14:51:28,279 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
/**************************/

2-/**************************/ 
2018-08-31 14:51:28,285 ERROR [org.apereo.cas.web.flow.AuthenticationExceptionHandlerAction] - <Unable to translate handler errors of the authentication exception [org.apereo.cas.authentication.AuthenticationException: 0 errors, 0 successes]Returning [UNKNOWN]>
/***************************/



please HELP HELP


Francois Campbell

Aug 31, 2018, 10:11:09 AM
to cas-...@apereo.org
Not sure if it is just a typo, but your example repeats the ldap protocol twice.
cas.authn.ldap[0].ldapUrl=ldap:ldap://localhost:10389/dc=XXX,dc=com

You may also require cas.authn.ldap[0].bindDn
e.g. 
cas.authn.ldap[0].bindDn: CN=ADMIN_USERNAME,cn=Users,dc=XXX,dc=com

----
Regards
Francois Campbell
Teaching and Learning Product Lead


abdellhak tlili

Aug 31, 2018, 11:26:56 AM
to CAS Community
That does not solve the problem!!

Francois Campbell

Aug 31, 2018, 12:42:18 PM
to cas-...@apereo.org
Can you set your LDAP logger to debug level?

in /etc/cas/config/log4j2.xml +- line 93
e.g. <AsyncLogger name="org.ldaptive" level="debug" />

Restart and test, you should see a great deal more information.
----
Regards
Francois Campbell
Teaching and Learning Product Lead

党田力

Sep 2, 2018, 9:21:33 PM
to CAS Community
But 5.1.9 works.
Why?

On Friday, August 31, 2018 at 9:46:17 PM UTC+8, Francois Campbell wrote:

abdellhak tlili

Sep 3, 2018, 10:35:56 AM
to CAS Community
Please can you share with me your LDAP configuration, exactly the modification of the file "cas.properties"?
Have you modified some classes in the overlay?
Thanks a lot

abdellhak tlili

Sep 3, 2018, 10:44:43 AM
to CAS Community
Please can you share with me your LDAP configuration, exactly the modification of the file "cas.properties"?
Have you modified some classes in the overlay?
Thanks a lot

On Monday, September 3, 2018 at 03:21:33 UTC+2, 党田力 wrote:

Va Sja

May 19, 2019, 10:14:06 AM
to CAS Community, info.i...@gmail.com
What about 5.3.x? :-D

Va Sja

May 19, 2019, 10:28:19 AM
to CAS Community
Hmm...
..looks really like "Security through obscurity" :((
Guys - how many people use CAS worldwide?

Ray Bon

May 21, 2019, 1:03:38 PM
to cas-...@apereo.org
Va,

'usage' in mvnrepository means how many projects have a dependency on that project, not number of downloads.

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems