About ticket caching and properties handing in CAS 6.2

Rakesh K M

unread,

Dec 17, 2020, 9:41:25 PM12/17/20

to cas-...@apereo.org

Hi all,

I worked on migration of CAS 3 to 6 version. I have couple questions

1. We were using JBOSS Cache based ticket caching and I can see those are depreciated in the latest version. Is there any direct alternative for this rather than using any kind of database for this? I found ehcache based caching, does that be a good alternative?

2. We are currently having all the securied properties like LDAP URLs, passwords etc. in external tomcat containers and we don't want to move into CAS properties file. Is there any way to use the existing properties from external tomcat container itself?

3. Does new CAS have any machism to update some information in LDAP?

Thank you for the support in advance.

With regards,

Rakesh

Ray Bon

unread,

Dec 18, 2020, 12:06:23 PM12/18/20

to cas-...@apereo.org

Rakesh,

1. There are a number of options for caching, https://apereo.github.io/cas/6.2.x/ticketing/Configuring-Ticketing-Components.html. Your choice will depend on what you already have (software and human), and how you configure you cas cluster. I have worked with ehcache and hazelcast. ehcache is distributed and replicated. replication takes time; you will have to determine if it is fast enough for your needs. hazelcast is not replicated (though maybe it can be configured). When a node goes down, that cache is lost; you will have to determine if that frequency is too disruptive for your users.

2. https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Security.html for security options. We use the spring cloud server, https://apereo.github.io/cas/6.2.x/configuration/Configuration-Server-Management.html which can have encrypted secrets. I recall that someone on this list posted a way to have a local secrets store that was outside of tomcat (and/or the packaged image/container; if you are going that route). I would advise against putting secrets in tomcat (setenv.sh or some such) as tomcat will print them into the log on startup.

3. There are options for consent, https://apereo.github.io/cas/6.2.x/webflow/Webflow-Customization-AUP.html, and password management, https://apereo.github.io/cas/6.2.x/password_management/Password-Management.html. We have a separate user management system, so I have not used the above systems.

Ray

On Fri, 2020-12-18 at 08:11 +0530, Rakesh K M wrote:

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

--

Ray Bon

Programmer Analyst

Development Services, University Systems

2507218831 | CLE 019 | rb...@uvic.ca

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Rakesh K M

unread,

Dec 19, 2020, 4:04:10 AM12/19/20

to cas-...@apereo.org

Hi Ray,

Thank you very much. It helps.

I had the following issue. Not sure, I am following the right way. Can you please provide your guidance?

I written a custom LdapAutheticationHandler in my code base and when the authentication is success, the custom authenticator is working fine. But, if the authentication fails, the default LdapAutheticationHandler is getting executed after my custom handler. If I check the CAS source code, I found that if any exception occurred, then the next handler will be executed. Is there way to get rid of the default LdapAutheticationHandler execution?

With regards,

Sobhen

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b239421d3247d2e2e2eec0aeda74473f018b56dd.camel%40uvic.ca.

Andy Ng

unread,

Dec 22, 2020, 9:10:44 PM12/22/20

to CAS Community, getra...@gmail.com

Hi Sobhen,

Would like to know more about your setup first, see if the below correctly describe your setup:

- You setup your properties in:

https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties.html#ldap-authentication

- You extend the LdapAutheticationHandler and make your own CustomLdapAutneticaiontHandler, using the same cas.authn.ldap[0] as your source of Authentication

- You just intend to use the CustomLdapAuthentcaionHandler, the LdapAuthentcaiontHandler is should be disabled for all service

If the above correctly describe your setup, then here's are some idea for fix (Not tested)

Fix #1, disabled LdapAutheticationHandler (Quick fix):

- Based on: https://apereo.github.io/cas/6.2.x/services/Configuring-Service-AuthN-Policy.html

- Setup requiredAuthenticationHandlers for your service, set it to only CustomLdapAutneticaiontHandler

- Then, LdapAuthentcaiontHandler would never be called for your service

- This fix would have a problem of, if user going to https://cas.server/cas/login directly and login, they still would called to LdapAuthenticationHandler and that cannot be blocked from my understanding

Fix #2, override the LdapAuthenticaitonHandlers beans, and inject your own custom authentiaction handler:

- The LdapAuthentiaciontHandler beans is here: https://github.com/apereo/cas/blob/v6.2.6/support/cas-server-support-ldap/src/main/java/org/apereo/cas/config/LdapAuthenticationConfiguration.java#L179

- You can, go and override it, then set it to use your own CusomterLdapAuthenticaiionHandler at this line https://github.com/apereo/cas/blob/v6.2.6/support/cas-server-support-ldap/src/main/java/org/apereo/cas/config/LdapAuthenticationConfiguration.java#L210

- That case, the default LadpAuthticationHandler willl not be used

Fix #3, use your own properties:

- Instead of using cas.authn.ldap[0], which will setup and make LdapAuthentcaiontHander available, you can actually:

- Setup your own properties, like your-org.authn.ldap[0], and setup your own properties extending this: https://github.com/apereo/cas/blob/v6.2.6/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/support/ldap/LdapAuthenticationProperties.java

- In your CustomerLdapAutneticainotHandler, make sure the properties is point to your own properties

While all of them should works, if I would to setup something like this I would go for Fix #3.

See if this would be helpful to you,

Cheers.

- Andy

Rakesh K M

unread,

Dec 25, 2020, 5:46:00 PM12/25/20

to Andy Ng, CAS Community

Thanks a lot Andy. We followed the 3rd option and able to make it work. :)

I do have couple of questions, as we didn't any solution for these. Please provide some lights on these.

1. Is there anyway to get the ldap url from Catelina.properite file for an external tomcat server? As the environment specified configuration are available in that property file.

2. We are getting okhttp jar related error whole deploying the application. Feel like conflict is happening. We are using CAS 6.2.2 and it is not happening in local and dev environment.

Thank you in advance.

Andy Ng

unread,

Dec 25, 2020, 8:21:35 PM12/25/20

to CAS Community, getra...@gmail.com, CAS Community, Andy Ng

Hi Sobhen,

1. Not sure what you mean, maybe this page can help you?
https://apereo.github.io/cas/6.2.x/configuration/Configuration-Server-Management.html

2. I never saw.that error before, sorry won't be able to give any insight.

BTW, since you are asking different questions, you might get better luck posting a new post in this group, instead of keep posting in this post.