Unable to Retrieve CAS User Attributes (CAS 5.3.x)


Fahmi L. Ramdhani

Oct 1, 2018, 3:18:48 PM
to CAS Community
Hi, 

I'm unable to retrieve CAS user attributes using mod_auth_cas. Below is my configuration:

100-domain.com.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName domain.com
        ServerAlias www.domain.com
        ServerAdmin ad...@domain.com

        DocumentRoot /home/user/www/sites/domain.com

        <Directory "/home/user/www/sites/domain.com">
                <IfModule mod_auth_cas.c>
                        CASAuthNHeader On
                        AuthType CAS
                </IfModule>

                # Options Indexes FollowSymLinks
                # AllowOverride All
                # Require all granted
                Require valid-user
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem

        Include /etc/letsencrypt/options-ssl-apache.conf

        <IfModule mod_auth_cas.c>
                CASLoginUrl           https://login.domain.com/cas/login
                CASValidateUrl        https://login.domain.com/cas/serviceValidate
                CASValidateServer     off
                CASCookiePath         /var/cache/apache2/mod_auth_cas/
                CASSSOEnabled         On
                CASDebug              Off
        </IfModule>
</VirtualHost>
</IfModule>


And this is my cas.properties:

## ATTRIBUTES
cas.authn.attributeRepository.jdbc[0].sql = SELECT * FROM user_attributes WHERE {0}
cas.authn.attributeRepository.jdbc[0].healthQuery = SELECT 1
cas.authn.attributeRepository.jdbc[0].driverClass = com.mysql.jdbc.Driver
cas.authn.attributeRepository.jdbc[0].url = jdbc:mysql://localhost:3306/cas
cas.authn.attributeRepository.jdbc[0].user = root
cas.authn.attributeRepository.jdbc[0].password = xxxxxxx
cas.authn.attributeRepository.jdbc[0].dialect = org.hibernate.dialect.MySQLDialect
cas.authn.attributeRepository.jdbc[0].singleRow = false
cas.authn.attributeRepository.jdbc[0].username = email
cas.authn.attributeRepository.jdbc[0].columnMappings.key = value

cas.authn.attributeRepository.defaultAttributesToRelease=first_name,last_name,company_name


Login was successful, but the HTML output is:

Secured Content

This is some secure content. You should not be able to see it until you have entered your username and password.


Attributes Returned by CAS

REMOTE_USER = us...@domain.com
Host, Connection, Cache-Control, Upgrade-Insecure-Requests, User-Agent, Accept, Referer, Accept-Encoding, Accept-Language, Cookie, On

Attributes not showing. Does anyone have a solution to this problem? Thanks.

David Curry

Oct 1, 2018, 3:21:15 PM
to cas-...@apereo.org
You should be using the samlValidate endpoint, not the serviceValidate endpoint in the CASValidateUrl. See the mod_auth_cas documentation.




--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 | david...@newschool.edu

The New School



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f3b5da87-1254-4155-998c-ad86eeee8cca%40apereo.org.

Fahmi L. Ramdhani

Oct 1, 2018, 3:32:08 PM
to CAS Community
I use the MySQL database. The point is that the attributes in the database are displayed. Or do I have to use SAML?

David Hawes

Oct 1, 2018, 6:44:38 PM
to CAS Community
On 1 October 2018 at 15:18, Fahmi L. Ramdhani
This directive was removed in 2014. You should use a newer version of
mod_auth_cas.

When you've upgraded, set "LogLevel debug" and "CASDebug On" to see
your validation response in the logs. Are there attributes there?

Fahmi L. Ramdhani

Oct 2, 2018, 1:16:48 AM
to CAS Community
Thanks dhawes,
I have a little trouble with this, even though it should be able to. I configured it according to the documentation on attributes. Below are logs from mod_auth_cas:

[Tue Oct 02 05:03:25.025216 2018] [:debug] [pid 21981] mod_auth_cas.c(1753): [client 32.254.11.127:65177] Entering cas_authenticate(), referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025224 2018] [:debug] [pid 21981] mod_auth_cas.c(1473): [client 32.254.11.127:65177] entering isValidCASCookie(), referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025229 2018] [:debug] [pid 21981] mod_auth_cas.c(791): [client 32.254.11.127:65177] entering readCASCacheFile(), referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025328 2018] [:debug] [pid 21981] mod_auth_cas.c(1044): [client 32.254.11.127:65177] entering writeCASCacheEntry(), referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025484 2018] [authz_core:debug] [pid 21981] mod_authz_core.c(809): [client 32.254.11.127:65177] AH01626: authorization result of Require valid-user : granted, referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025493 2018] [authz_core:debug] [pid 21981] mod_authz_core.c(809): [client 32.254.11.127:65177] AH01626: authorization result of <RequireAny>: granted, referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025555 2018] [authz_core:debug] [pid 21981] mod_authz_core.c(809): [client 32.254.11.127:65177] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025563 2018] [authz_core:debug] [pid 21981] mod_authz_core.c(809): [client 32.254.11.127:65177] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025590 2018] [:debug] [pid 21981] mod_auth_cas.c(1753): [client 32.254.11.127:65177] Entering cas_authenticate(), referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025597 2018] [:debug] [pid 21981] mod_auth_cas.c(1852): [client 32.254.11.127:65177] recycling user 'us...@domain.com' from initial request for sub request, referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025603 2018] [authz_core:debug] [pid 21981] mod_authz_core.c(809): [client 32.254.11.127:65177] AH01626: authorization result of Require valid-user : granted, referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025607 2018] [authz_core:debug] [pid 21981] mod_authz_core.c(809): [client 32.254.11.127:65177] AH01626: authorization result of <RequireAny>: granted, referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025646 2018] [authz_core:debug] [pid 21981] mod_authz_core.c(809): [client 32.254.11.127:65177] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025653 2018] [authz_core:debug] [pid 21981] mod_authz_core.c(809): [client 32.254.11.127:65177] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025658 2018] [:debug] [pid 21981] mod_auth_cas.c(1753): [client 32.254.11.127:65177] Entering cas_authenticate(), referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025663 2018] [:debug] [pid 21981] mod_auth_cas.c(1852): [client 32.254.11.127:65177] recycling user 'us...@domain.com' from initial request for sub request, referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025668 2018] [authz_core:debug] [pid 21981] mod_authz_core.c(809): [client 32.254.11.127:65177] AH01626: authorization result of Require valid-user : granted, referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025673 2018] [authz_core:debug] [pid 21981] mod_authz_core.c(809): [client 32.254.11.127:65177] AH01626: authorization result of <RequireAny>: granted, referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025700 2018] [authz_core:debug] [pid 21981] mod_authz_core.c(809): [client 32.254.11.127:65177] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025706 2018] [authz_core:debug] [pid 21981] mod_authz_core.c(809): [client 32.254.11.127:65177] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025711 2018] [:debug] [pid 21981] mod_auth_cas.c(1753): [client 32.254.11.127:65177] Entering cas_authenticate(), referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025717 2018] [:debug] [pid 21981] mod_auth_cas.c(1852): [client 32.254.11.127:65177] recycling user 'us...@domain.com' from initial request for sub request, referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025722 2018] [authz_core:debug] [pid 21981] mod_authz_core.c(809): [client 32.254.11.127:65177] AH01626: authorization result of Require valid-user : granted, referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025746 2018] [authz_core:debug] [pid 21981] mod_authz_core.c(809): [client 32.254.11.127:65177] AH01626: authorization result of <RequireAny>: granted, referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025770 2018] [authz_core:debug] [pid 21981] mod_authz_core.c(809): [client 32.254.11.127:65177] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025777 2018] [authz_core:debug] [pid 21981] mod_authz_core.c(809): [client 32.254.11.127:65177] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025782 2018] [:debug] [pid 21981] mod_auth_cas.c(1753): [client 32.254.11.127:65177] Entering cas_authenticate(), referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025787 2018] [:debug] [pid 21981] mod_auth_cas.c(1852): [client 32.254.11.127:65177] recycling user 'us...@domain.com' from initial request for sub request, referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025792 2018] [authz_core:debug] [pid 21981] mod_authz_core.c(809): [client 32.254.11.127:65177] AH01626: authorization result of Require valid-user : granted, referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f
[Tue Oct 02 05:03:25.025797 2018] [authz_core:debug] [pid 21981] mod_authz_core.c(809): [client 32.254.11.127:65177] AH01626: authorization result of <RequireAny>: granted, referer: https://login.domain.com/cas/login?service=https%3a%2f%2fdomain.com%2f%2f

Maybe I don't understand some of the documentation yet. Please give me a solution to this problem. Thank you.

Ray Bon

Oct 2, 2018, 12:51:44 PM
to cas-...@apereo.org
Fahmi,

Put this in your CAS server log file to be sure that the attributes are being released:

        <!-- DEBUG Found principal attributes [...] for [username]
                   Attribute policy [???] allows release of [...] for [username]
                   Final collection of attributes allowed are: [...] -->
        <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

David Hawes

Oct 2, 2018, 1:35:55 PM
to CAS Community
On 2 October 2018 at 01:16, Fahmi L. Ramdhani
<fahmilesti...@gmail.com> wrote:
> Thanks dhawes,
> I have a little trouble about this, even though it should be able to. I
> configure it according to the documentation about attributes. Below are logs
> from mod_auth_cas:

The log excerpt looks like it was after validation. There should be more logs.

Have you upgraded your mod_auth_cas? The line numbers in your logs
indicate that you haven't.

If you are using an old version and the serviceValidate endpoint, you
will not get CASv2 attributes. As David noted earlier, you will need
to use the samlValidate endpoint.

CASv2 attribute support is available in mod_auth_cas git master.
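As an added example (not code from this thread, from mod_auth_cas or from the CAS project), a small Python parser for the XML that the CAS serviceValidate endpoint returns, so you can check directly whether the server released any attributes before blaming the client. The three response bodies, the ticket id and the domain are constructed for the example; a CAS 3.0-style response carries attributes in a <cas:attributes> block, an attribute with several values repeats its element.

```python
import xml.etree.ElementTree as ET

NS = {"cas": "http://www.yale.edu/tp/cas"}


def parse_service_validate(xml_text):
    """Parse a /cas/serviceValidate body.

    Returns {"ok": True, "user": ..., "attributes": {name: [values]}}
    on success or {"ok": False, "code": ..., "message": ...} on failure.
    """
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code", ""),
                "message": (failure.text or "").strip()}
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        raise ValueError("neither authenticationSuccess nor authenticationFailure present")
    user_el = success.find("cas:user", NS)
    if user_el is None or not (user_el.text or "").strip():
        raise ValueError("authenticationSuccess without a cas:user element")
    attrs = {}
    attr_block = success.find("cas:attributes", NS)
    if attr_block is not None:
        for el in attr_block:  # child elements only, whitespace text is skipped
            name = el.tag.split("}", 1)[-1]  # drop the namespace prefix
            attrs.setdefault(name, []).append((el.text or "").strip())
    return {"ok": True, "user": user_el.text.strip(), "attributes": attrs}


def missing_attributes(result, expected):
    """Names in `expected` that the server did not release (all of them if auth failed)."""
    if not result["ok"]:
        return list(expected)
    return [n for n in expected if n not in result["attributes"]]


# Constructed sample: success with attributes released by the policy.
RESPONSE_WITH_ATTRS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>user@domain.example</cas:user>
    <cas:attributes>
      <cas:first_name>Fahmi</cas:first_name>
      <cas:company_name>Example Co</cas:company_name>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>admins</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: success but nothing released (the symptom in this thread).
RESPONSE_NO_ATTRS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>user@domain.example</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: validation failure, e.g. a ticket that was already consumed.
RESPONSE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket 'ST-1-abc' not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    for body in (RESPONSE_WITH_ATTRS, RESPONSE_NO_ATTRS, RESPONSE_FAILURE):
        r = parse_service_validate(body)
        print(r, "missing:", missing_attributes(r, ["first_name", "last_name"]))
```

Feed it the body that mod_auth_cas logs with CASDebug On (or a response fetched with curl using a fresh service ticket): an empty attributes dict on a successful response means the release policy on the CAS side is the problem, not the Apache module.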

Fahmi L. Ramdhani

Oct 11, 2018, 5:11:44 PM
to CAS Community
Hi,

Continued with attribute problems.

cas.properties

cas.authn.attributeRepository.jdbc[0].sql = SELECT * FROM user_attributes WHERE {$
cas.authn.attributeRepository.jdbc[0].healthQuery = SELECT 1
cas.authn.attributeRepository.jdbc[0].driverClass = com.mysql.jdbc.Driver
cas.authn.attributeRepository.jdbc[0].url = jdbc:mysql://localhost:3306/cas?useUn$
cas.authn.attributeRepository.jdbc[0].user = root
cas.authn.attributeRepository.jdbc[0].password = Taraibak24
cas.authn.attributeRepository.jdbc[0].dialect = org.hibernate.dialect.MySQLDialect
cas.authn.attributeRepository.jdbc[0].singleRow = false
cas.authn.attributeRepository.jdbc[0].username = email
cas.authn.attributeRepository.jdbc[0].columnMappings.key = value

cas.authn.attributeRepository.attributes.firstname = firstname
cas.authn.attributeRepository.defaultAttributesToRelease = firstname


Error Log:
Error creating bean with name 'casBeanValidationPostProcessor' defined in class path resource [org/apereo/cas/config/CasCoreUtilConfiguration.class]: BeanPostProcessor before instantiation of bean failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration': Unsatisfied dependency expressed through method 'setConfigurers' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'casCoreTicketsConfiguration': Unsatisfied dependency expressed through field 'casProperties'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'cas-org.apereo.cas.configuration.CasConfigurationProperties': Could not bind properties to CasConfigurationProperties (prefix=cas, ignoreInvalidFields=false, ignoreUnknownFields=false, ignoreNestedProperties=false); nested exception is org.springframework.beans.NotWritablePropertyException: Invalid property 'authn.attributeRepository.attributes[firstname]' of bean class [org.apereo.cas.configuration.model.core.authentication.AuthenticationProperties]: Cannot access indexed value in property referenced in indexed property path 'attributes[firstname]'; nested exception is org.springframework.beans.NotReadablePropertyException: Invalid property 'authn.attributeRepository.attributes[firstname]' of bean class [org.apereo.cas.configuration.model.core.authentication.AuthenticationProperties]: Bean property 'authn.attributeRepository.attributes[firstname]' is not readable or has an invalid getter method: Does the return type of the getter match the parameter type of the setter?>
2018-10-12 04:07:36,527 ERROR [org.springframework.boot.SpringApplication] - <Application startup failed>

I followed the guide from https://apereo.github.io/2017/02/22/cas51-dbauthn-tutorial/ but it didn't work. The error is as above. Please give me a solution. Thank you.

Fahmi L. Ramdhani

Oct 12, 2018, 1:30:48 AM
to CAS Community
my cas.properties:

## Database Authentication
## ================================================================
cas.authn.accept.users=

cas.authn.jdbc.query[0].sql = SELECT * FROM users WHERE email=?
cas.authn.jdbc.query[0].healthQuery = SELECT 1
cas.authn.jdbc.query[0].driverClass = com.mysql.jdbc.Driver
cas.authn.jdbc.query[0].url = jdbc:mysql://localhost:3306/casdb?useUnicode=true&useJDBCCompliantTimezoneShift=true&useLegacyDatetimeCode=false&serverTimezone=UTC
cas.authn.jdbc.query[0].user = root
cas.authn.jdbc.query[0].password = ******
cas.authn.jdbc.query[0].dialect = org.hibernate.dialect.MySQLDialect
cas.authn.jdbc.query[0].fieldPassword = password
cas.authn.jdbc.query[0].passwordEncoder.type = DEFAULT
cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm = MD5
cas.authn.jdbc.query[0].passwordEncoder.characterEncoding = UTF-8

cas.authn.attributeRepository.jdbc[0].sql = SELECT * FROM user_attributes WHERE {0}
cas.authn.attributeRepository.jdbc[0].healthQuery = SELECT 1
cas.authn.attributeRepository.jdbc[0].driverClass = com.mysql.jdbc.Driver
cas.authn.attributeRepository.jdbc[0].url = jdbc:mysql://localhost:3306/casdb?useUnicode=true&useJDBCCompliantTimezoneShift=true&useLegacyDatetimeCode=false&serverTimezone=UTC
cas.authn.attributeRepository.jdbc[0].user = root
cas.authn.attributeRepository.jdbc[0].password = ******
cas.authn.attributeRepository.jdbc[0].dialect = org.hibernate.dialect.MySQLDialect
cas.authn.attributeRepository.jdbc[0].singleRow = false
cas.authn.attributeRepository.jdbc[0].username = email
cas.authn.attributeRepository.jdbc[0].columnMappings.key=value

cas.authn.attributeRepository.jdbc[0].attributes.firstname=firstname
cas.authn.attributeRepository.defaultAttributesToRelease=firstname


my pom.xml

<!--
...Additional dependencies may be placed here...
-->
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-json-service-registry</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-jdbc</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-jdbc-drivers</artifactId>
    <version>${cas.version}</version>
</dependency>

When using Laravel with phpCAS:

@foreach(cas()->getAttributes() as $attribute)
    {{ $attribute }}<br>
@endforeach


HTML Result is:
UsernamePasswordCredential
false
2018-10-12T11:32:35.265+07:00[Asia/Jakarta]
QueryDatabaseAuthenticationHandler
QueryDatabaseAuthenticationHandler
false


Based on the configuration above, the attribute does not display data.

Tepe, Dirk

Oct 14, 2018, 9:47:52 AM
to cas-...@apereo.org
I don't use the jdbc attribute resolver, but the concept is similar to others. What is your user table schema? You are doing a 'select *', rather than explicitly listing the columns. Is there a column named firstname? You are expecting to map a retrieved attribute named 'firstname' to a principal attribute named firstname, but that will only work if the database has columns named exactly as you expect. That could be the source of errors such as this in your log:

Cannot access indexed value in property referenced in indexed property path 'attributes[firstname]'

-dirk
