CAS DB Authentication “encode” password encryption can't match with database password encrypted using Spring Security's MD5


Alvaro S.

Feb 6, 2017, 6:54:13 AM
to CAS Community
I am currently configuring my CAS Server v5.0.2 to use Database Authentication, particularly using the Encode method, using the CAS properties file. Below are the relevant property configurations from the properties file:

cas.server.name: https://cas.example.org:8443
cas.server.prefix: https://cas.example.org:8443/cas


cas.adminPagesSecurity.ip=127\.0\.0\.1


logging.config: file:/etc/cas/config/log4j2.xml
# cas.serviceRegistry.config.location: classpath:/services


cas.authn.accept.users=


cas.authn.jdbc.query[0].sql=SELECT password FROM UserSocial WHERE email=?
cas.authn.jdbc.query[0].healthQuery=SELECT 1 FROM UserSocial
# cas.authn.jdbc.query[0].isolateInternalQueries=false
cas.authn.jdbc.query[0].url=jdbc:mysql://*************.amazonaws.com:3306/feisbuk
# cas.authn.jdbc.query[0].failFast=true
# cas.authn.jdbc.query[0].isolationLevelName=ISOLATION_READ_COMMITTED
cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQLDialect
# cas.authn.jdbc.query[0].leakThreshold=10
# cas.authn.jdbc.query[0].propagationBehaviorName=PROPAGATION_REQUIRED
# cas.authn.jdbc.query[0].batchSize=1
cas.authn.jdbc.query[0].user=*********
# cas.authn.jdbc.query[0].ddlAuto=create-drop
# cas.authn.jdbc.query[0].maxAgeDays=180
cas.authn.jdbc.query[0].password=****
# cas.authn.jdbc.query[0].autocommit=false
cas.authn.jdbc.query[0].driverClass=com.mysql.cj.jdbc.Driver
# cas.authn.jdbc.query[0].idleTimeout=5000
# cas.authn.jdbc.query[0].credentialCriteria=


cas.authn.jdbc.query[0].passwordEncoder.type=NONE
cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=UTF-8
cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=MD5
cas.authn.jdbc.query[0].passwordEncoder.secret=lothlorien
#cas.authn.jdbc.query[0].passwordEncoder.strength=16


# cas.authn.jdbc.query[0].principalTransformation.suffix=
cas.authn.jdbc.query[0].principalTransformation.caseConversion=NONE
# cas.authn.jdbc.query[0].principalTransformation.prefix=

The database I am connecting to is MySQL. The passwords were previously encoded using Spring Security's MD5 and a salt source. I have tested the CAS DB Authentication configuration by entering valid credentials in the CAS Server's default login page, but authentication always fails and returns "Invalid credentials." Additionally, it throws this error:

Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [alvaro...@evoluciona.com] of type [UsernamePasswordCredential], which suggests a configuration problem

This is part of the Spring Security config:

<authentication-manager>
    <authentication-provider user-service-ref="usersCrmProvider" />
    <authentication-provider user-service-ref="userDetailsService">
        <password-encoder hash="md5">
            <salt-source system-wide="lothlorien" />
        </password-encoder>
    </authentication-provider>
</authentication-manager>

Right now I am looking for any approach on resolving this issue. I am still relatively new to CAS, and I really appreciate the much needed help. Thanks!

Menno en Erla Avegaart

Feb 6, 2017, 7:51:58 AM
to CAS Community
That should be:

cas.authn.jdbc.query[0].passwordEncoder.type=STANDARD


On Monday, 6 February 2017 12:54:13 UTC+1, Alvaro S. wrote:

Alvaro S.

Feb 6, 2017, 11:10:44 AM
to CAS Community
OK, I'm pretty sure what the error is, but I don't know how to solve it.

We are using MD5 with a salt this way:

md5(password+salt)

How can I tell CAS that the salt is before the password?

Thanks

Menno en Erla Avegaart

Feb 6, 2017, 11:42:21 AM
to CAS Community
Unfortunately, CAS doesn't support the deprecated Spring Security password encoders by default.

The cleanest method would be to construct a jdbcAuthenticationHandlers bean in deployerConfigContext.xml/.groovy with your own password encoder.

IMHO, a far easier method however would be to replace StandardPasswordEncoder with your own implementation that delegates to ShaPasswordEncoder.


On Monday, 6 February 2017 17:10:44 UTC+1, Alvaro S. wrote:

Menno en Erla Avegaart

Feb 6, 2017, 11:47:40 AM
to CAS Community
Sorry, I meant Md5PasswordEncoder instead of ShaPasswordEncoder.


On Monday, 6 February 2017 17:42:21 UTC+1, Menno en Erla Avegaart wrote:
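Added example (not from this thread or the CAS project), in Python rather than Java, that reproduces the format of the deprecated Spring Security `Md5PasswordEncoder` the two replies above refer to, so you can confirm which scheme produced the hashes in the `UserSocial` table before writing a delegating encoder. The salt `lothlorien` is the poster's system-wide salt; the claim that CAS 5.0.x `passwordEncoder.type=DEFAULT` digests the bare password without the secret is an assumption drawn from the CAS documentation, which ties `secret` to the STANDARD/PBKDF2 encoders.

```python
import hashlib
import hmac
from typing import Optional

SYSTEM_WIDE_SALT = "lothlorien"  # from the poster's <salt-source system-wide="..."/>


def spring_legacy_digest(password: str, salt: Optional[str],
                         algorithm: str = "md5", encoding: str = "UTF-8") -> str:
    """Mimic Spring Security's deprecated MessageDigestPasswordEncoder/Md5PasswordEncoder.

    The legacy encoder hashes password + "{" + salt + "}" (the bare password when the
    salt is null or empty) and returns lowercase hex. Like the original, it rejects a
    salt containing braces, since they delimit the salt in the merged string.
    """
    if salt:
        if "{" in salt or "}" in salt:
            raise ValueError("salt cannot contain '{' or '}'")
        merged = f"{password}{{{salt}}}"
    else:
        merged = password
    return hashlib.new(algorithm, merged.encode(encoding)).hexdigest()


def cas_default_digest(password: str, algorithm: str = "md5", encoding: str = "UTF-8") -> str:
    """Assumed behaviour of CAS 5.0.x passwordEncoder.type=DEFAULT: a plain digest of
    the password with no salt and no secret, which is why it cannot match Spring's
    salted legacy format."""
    return hashlib.new(algorithm, password.encode(encoding)).hexdigest()


def matches(raw_password: str, stored_hash: str, salt: str = SYSTEM_WIDE_SALT) -> bool:
    """What a delegating PasswordEncoder.matches() would do: re-encode the submitted
    password the legacy way and compare in constant time."""
    candidate = spring_legacy_digest(raw_password, salt)
    return hmac.compare_digest(candidate, stored_hash.strip().lower())


def identify_scheme(stored_hash: str, known_password: str, salt: str = SYSTEM_WIDE_SALT) -> str:
    """Given one account whose password you know (e.g. a test user), report which of the
    candidate encodings produced its stored hash, so the right CAS encoder can be chosen."""
    candidates = {
        "spring-legacy-md5": spring_legacy_digest(known_password, salt),   # md5(password{salt})
        "cas-default-md5": cas_default_digest(known_password),             # md5(password)
        "md5-password-salt": hashlib.md5((known_password + salt).encode()).hexdigest(),
        "md5-salt-password": hashlib.md5((salt + known_password).encode()).hexdigest(),
    }
    normalized = stored_hash.strip().lower()
    for name, digest in candidates.items():
        if hmac.compare_digest(digest, normalized):
            return name
    return "unknown"
```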

Alvaro

Feb 6, 2017, 1:01:12 PM
to cas-...@apereo.org
Sorry, I miscopied the properties.

I have already tried NONE, DEFAULT, STANDARD and BCRYPT, but none of them worked.

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to a topic in the Google Groups "CAS Community" group.
To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/INApPeumVug/unsubscribe.
To unsubscribe from this group and all its topics, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/56545e27-23f6-4a05-9956-c5eab49b480a%40apereo.org.

Alvaro

Feb 6, 2017, 1:01:12 PM
to cas-...@apereo.org
Thanks. I'll look at that.


Alvaro

Feb 7, 2017, 2:24:39 PM
to cas-...@apereo.org
Now I'm trying to enable OAuth2 in my server, so I just added the dependencies as the manual states, but I'm getting the following error:

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'oauthConfiguration': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: 'clientIpAddress' cannot be null.


I followed this tutorial

And my second question is: where do I have to add the OAuth clients (that JSON-like text in the middle of the tutorial)?

Thanks


Menno en Erla Avegaart

Feb 9, 2017, 10:38:00 AM
to CAS Community
That JSON data is an example of a service registry entry (see https://apereo.github.io/cas/5.0.x/installation/JSON-Service-Management.html).


On Tuesday, 7 February 2017 20:24:39 UTC+1, Alvaro S. wrote: