jasig-cas IRC Logs-2011-10-26

[09:12:32 CDT(-0500)] <foxnesn> could someone explain to me how the service parameter works in org.jasig.cas.client.authentication.AuthenticationFilter ?

[09:13:11 CDT(-0500)] <foxnesn> it doesn't seem to matter what i put in there, it always works fine

[09:13:44 CDT(-0500)] <foxnesn> well i should say it always authenticates and sends the user to the service they requested

[09:13:58 CDT(-0500)] <foxnesn> even if i just enter a bunk URL

[09:16:32 CDT(-0500)] <foxnesn> could it be that it is because the application is already casified?

[09:19:31 CDT(-0500)] <EricDalquist> fyi we put together a full workflow document for uPortal & git, not sure if CAS has something similar but this is the approach we're recommending to our developers: https://wiki.jasig.org/display/UPC/Git+Workflow

[09:42:36 CDT(-0500)] <foxnesn> hrm, in web.xml i have changed the service url from https://client.example.com to https://pwm.example.com:8443/pwm/private/CommandServlet?processAction=checkAll&forwardURL=https://client.example.com

[09:43:06 CDT(-0500)] <foxnesn> but CAS still sends me back to https://client.example.com ...

[10:02:02 CDT(-0500)] <foxnesn> hey wgthom do you know anything about login-webflow?

[10:02:21 CDT(-0500)] <atilling> I know some about login-webflow

[10:02:58 CDT(-0500)] <foxnesn> after CAS authenticates a user i would like it to send the user always to a specific site with an interrupt

[10:03:08 CDT(-0500)] <foxnesn> this is for password self service

[10:03:58 CDT(-0500)] <foxnesn> say a user wants to get into https://moodle.example.com they first get directed to CAS login

[10:04:13 CDT(-0500)] <foxnesn> after successful authentication CAS sends them back to https://moodle.example.com

[10:04:58 CDT(-0500)] <foxnesn> i would instead rather have CAS send them to https://password.example.com:8443/pwm/private..yaddayaddaforwardURL=https://moodle.example.com

[10:05:20 CDT(-0500)] <atilling> Always or only under certain conditions?

[10:05:27 CDT(-0500)] <foxnesn> always

[10:05:37 CDT(-0500)] <foxnesn> because the password self service runs a checkall

[10:05:46 CDT(-0500)] <foxnesn> and ONLY interrupts if conditions aren't met there

[10:06:01 CDT(-0500)] <foxnesn> so this has to happen with all 4 clients

[10:06:08 CDT(-0500)] <atilling> ok, then you don't need to change loginWebflow

[10:06:17 CDT(-0500)] <atilling> You want to change the redirect page

[10:06:38 CDT(-0500)] <foxnesn> redirect isn't in loginWebflow?

[10:06:43 CDT(-0500)] <atilling> You'd only need to change webflow if some logic was being done CAS side

[10:06:56 CDT(-0500)] <atilling> you want to change the jsp view page

[10:07:25 CDT(-0500)] <atilling> Leave webflow sending the user to the jsp page, just modify the jsp page

[10:08:55 CDT(-0500)] <foxnesn> hrm, when i did some research on redirect the other day i couldn't find where the actual jsp for it was now stored

[10:09:04 CDT(-0500)] <foxnesn> i guess at one time it was called something different

[10:09:14 CDT(-0500)] <atilling> well there are two places

[10:09:57 CDT(-0500)] <atilling> there is a post response view

[10:10:03 CDT(-0500)] <atilling> that's a jsp page

[10:10:27 CDT(-0500)] <atilling> but reviewing it you would need to make a webFlow change too

[10:11:00 CDT(-0500)] <atilling> for redirects that aren't a post response type

[10:12:39 CDT(-0500)] <atilling> the jsp is in /WEB-INF/view/jsp/protocol/casPostResponseView.jsp

[10:12:40 CDT(-0500)] <foxnesn> hrm, so i will have to make a webflow change then AND edit a jsp?

[10:13:16 CDT(-0500)] <atilling> in webflow there is a line: <end-state id="redirectView" view="externalRedirect:${requestScope.response.url}" />

[10:14:02 CDT(-0500)] <foxnesn> yup

[10:14:10 CDT(-0500)] <foxnesn> ive been messing with that one a bit

[10:14:19 CDT(-0500)] <atilling> that would end up as <end-state id="redirectView" view="externalRedirect:https://password.example.com:8443/pwm/private..yaddayaddaforwardURL=${requestScope.response.url}" />

[10:14:49 CDT(-0500)] <foxnesn> ok well i have that much, i have not edited the jsp tho

[10:14:55 CDT(-0500)] <foxnesn> so i was on the right track

[10:14:57 CDT(-0500)] <atilling> but I believe the jsp page is what your users will hit most often

[10:15:20 CDT(-0500)] <foxnesn> how do you mean?

[10:17:27 CDT(-0500)] <atilling> if they are logging in then they go to the post response page in the flow

[10:17:40 CDT(-0500)] <atilling> if they are already logged in they go through the redirect

[10:17:54 CDT(-0500)] <foxnesn> ahhh

[10:18:18 CDT(-0500)] <foxnesn> what if i only need this to happen on first login?

[10:19:46 CDT(-0500)] <atilling> then I believe you only need to update the jsp page

[10:20:12 CDT(-0500)] <atilling> we've built all of this logic into our CAS

[10:20:50 CDT(-0500)] <foxnesn> ok i didn't edit the jsp but i did change the view and when i go to cas i see the CAS is unavailable view

[10:20:59 CDT(-0500)] <atilling> Our CAS checks for expired passwords and forces password change within CAS and doesn't send the user to an external service at all

[10:21:01 CDT(-0500)] <foxnesn> There was an error trying to complete your request. Please notify your support desk or try again

[10:21:27 CDT(-0500)] <atilling> sounds like you have a syntax error in your loginWebFlow now, check your catalina.out log

[10:21:47 CDT(-0500)] <foxnesn> strange because CAS is started

[10:23:03 CDT(-0500)] <atilling> right if you have a syntax error in webflow cas will start but it will fail when anyone attempts to login

[10:23:18 CDT(-0500)] <atilling> webflow isn't checked during start up, just login

[10:24:28 CDT(-0500)] <foxnesn> no errors

[10:24:49 CDT(-0500)] <foxnesn> catalina looks good

[10:25:47 CDT(-0500)] <foxnesn> yea know what is strange? if i manually enter that big long checkall string into my browser it interrupts properly

[10:25:52 CDT(-0500)] <foxnesn> i simply cannot automate it tho

[10:26:03 CDT(-0500)] <atilling> ok then check localhost.2011.10.26.log

[10:26:47 CDT(-0500)] <foxnesn> org.xml.sax.SAXParseException: The reference to entity "forwardURL" must end with the ';' delimiter.

[10:27:40 CDT(-0500)] <foxnesn> weird

[10:27:47 CDT(-0500)] <foxnesn> wouldn't that break what I'm trying to do?

[10:28:14 CDT(-0500)] <foxnesn> perhaps a syntax restriction built into CAS or spring?

[10:29:33 CDT(-0500)] <atilling> it would appear forwardUrl is a reserved word

[10:29:46 CDT(-0500)] <foxnesn> doh

[10:31:04 CDT(-0500)] <foxnesn> even if it is in quotes?

[10:31:11 CDT(-0500)] <foxnesn> seems there should be a way to override that

[10:31:52 CDT(-0500)] <atilling> That I don't know

[10:32:14 CDT(-0500)] <atilling> I would change that end state to a view and create a custom jsp page that does what you want

[10:33:13 CDT(-0500)] <foxnesn> so redirect to the custom jsp page which contains the checkall forward?

[10:33:22 CDT(-0500)] <atilling> if you look at the enforce password policy contrib in the cas manual you'll see an example where I created a jsp page for redirect and post redirect

[10:33:31 CDT(-0500)] <foxnesn> ooo

[10:34:23 CDT(-0500)] <foxnesn> omg are you building this into 3.5?

[10:34:24 CDT(-0500)] <atilling> No, change it from an external redirect to a view, in the jsp of the view use either a meta tag or javascript to redirect to your password enforcement app

[10:34:52 CDT(-0500)] <atilling> yes, that's what I was explaining in my earlier comment

[10:35:41 CDT(-0500)] <atilling> in our deploy we check password age and display a warning or force password change completely internal to cas

[10:36:03 CDT(-0500)] <foxnesn> so you leverage the ldap

[10:36:10 CDT(-0500)] <foxnesn> which is what our password service does

[10:36:16 CDT(-0500)] <foxnesn> but it is external to cas

[10:36:41 CDT(-0500)] <foxnesn> so then how do users change their pass manually?

[10:36:52 CDT(-0500)] <foxnesn> without being prompted to do so?

[10:36:55 CDT(-0500)] <foxnesn> and what if they forget?

[10:37:42 CDT(-0500)] <atilling> ok, the 10 days before their password expires they get a 5 second warning page before the redirect that tells them their password will expire in x day(s)

[10:38:06 CDT(-0500)] <atilling> obviously counts down as the days go by

[10:39:06 CDT(-0500)] <atilling> if they don't change their password and it expires they get bounced off into other logic that is based on the acceptable-use logic I contributed that forces them to change their password immediately

[10:39:56 CDT(-0500)] <atilling> you can check out our entire build here, maven overlay and all: https://github.com/atilling/cas

[10:40:29 CDT(-0500)] <foxnesn> what happens if they forget their password?

[10:40:41 CDT(-0500)] <atilling> the cas-server-support-ldap in there is the version proposed for 3.5 that includes the password enforcement

[10:41:00 CDT(-0500)] <atilling> In our design they have to call the helpdesk directly

[10:41:17 CDT(-0500)] <atilling> we don't do password resets or reminders automatically

[10:41:31 CDT(-0500)] <foxnesn> ahhh

[10:41:51 CDT(-0500)] <foxnesn> yea, PWM has integration for all that

[10:42:02 CDT(-0500)] <foxnesn> it actually has everything we want

[10:42:04 CDT(-0500)] <foxnesn> and it is all setup

[10:42:06 CDT(-0500)] <atilling> however, in the cas login flow, during their first login we force them to create a question/answer pair

[10:42:13 CDT(-0500)] <foxnesn> i just need to get CAS to send users there on checkall!

[10:42:41 CDT(-0500)] <atilling> We could do something inside CAS, policy wise we don't automate that

[10:43:09 CDT(-0500)] <atilling> besides - where you are trying to redirect to checkall - that would only happen if they successfully login

[10:43:29 CDT(-0500)] <foxnesn> right

[10:43:35 CDT(-0500)] <foxnesn> since we are using CAS as the gateway

[10:43:37 CDT(-0500)] <atilling> Password reset/reminder normally is just a link on your login page

[10:43:55 CDT(-0500)] <foxnesn> PWM acts as both

[10:44:13 CDT(-0500)] <atilling> you know username, password, click here if you forgot your password

[10:44:22 CDT(-0500)] <foxnesn> i have it setup to link on the main gateway page to redirect to password reset where they dont have to run checkall

[10:45:46 CDT(-0500)] <atilling> So your users are hitting a page before the cas login?

[10:45:56 CDT(-0500)] <foxnesn> i guess i should try editing casservicevalidationsuccess.jsp

[10:46:13 CDT(-0500)] <atilling> No - you don't want to touch that

[10:46:18 CDT(-0500)] <foxnesn> yea, they don't have to sign in to the gateway if they want to change pass or forgot it

[10:46:35 CDT(-0500)] <atilling> the users don't interact with validate

[10:46:45 CDT(-0500)] <atilling> the end service hits validate

[10:47:02 CDT(-0500)] <atilling> to check if the service ticket validates

[10:47:12 CDT(-0500)] <foxnesn> i mean postresponseview

[10:47:21 CDT(-0500)] <atilling> ok

[10:48:23 CDT(-0500)] <atilling> my preference - based on our experience - Have all your services casified - have CAS be your main front end that the users interact with

[10:48:56 CDT(-0500)] <atilling> Have a link on the CAS login page to your password manager for users that forgot passwords

[10:49:43 CDT(-0500)] <foxnesn> yea, PWM does all that without us having to code anything

[10:49:51 CDT(-0500)] <atilling> use the password policy enforcement inside CAS to warn the users when password is close to expire, and if expired to external redirect to your password management

[10:51:05 CDT(-0500)] <foxnesn> i guess im changing action="<c:out value="${originalUrl}" to action="c:out value=https://password.example.com:8443/pwm/yaddayadda$"

[10:51:26 CDT(-0500)] <atilling> I believe that will work for you

[10:52:36 CDT(-0500)] <atilling> I'm a little confused on your user flow though - say a user clicks a link to your moodle - moodle sends them to CAS or to the PWM?

[10:53:16 CDT(-0500)] <foxnesn> to cas

[10:53:25 CDT(-0500)] <foxnesn> which then i want to send to checkall

[10:53:37 CDT(-0500)] <foxnesn> checkall only interrupts if the user doesn't meet values

[10:53:42 CDT(-0500)] <foxnesn> and forces them to make changes

[10:53:54 CDT(-0500)] <atilling> ok so to checkall before they login?

[10:54:00 CDT(-0500)] <foxnesn> after updates are made it then sends them onto the client

[10:54:10 CDT(-0500)] <foxnesn> checkall after login

[10:54:26 CDT(-0500)] <atilling> ok and if they get to login and don't know password?

[10:55:34 CDT(-0500)] <foxnesn> on the login page there is a link to forgot password

[10:55:40 CDT(-0500)] <foxnesn> which doesn't make them login to CAS

[10:55:55 CDT(-0500)] <foxnesn> it sends them to PWM which handles it from there which talks to the ldap

[10:56:04 CDT(-0500)] <foxnesn> it acts as a middle man in the case

[10:56:10 CDT(-0500)] <atilling> ok

[10:56:16 CDT(-0500)] <foxnesn> after they update their password or are reminded of it they are forced to logout

[10:56:48 CDT(-0500)] <foxnesn> it is a very useful program for our purposes

[10:56:58 CDT(-0500)] <atilling> forced to logout?

[10:56:59 CDT(-0500)] <foxnesn> but i could see down the line ditching it and going with an "in-cas" solution

[10:57:04 CDT(-0500)] <foxnesn> logout of PWM

[10:57:10 CDT(-0500)] <atilling> ok

[10:57:56 CDT(-0500)] <foxnesn> bah. cas works but it did not interrupt

[10:58:09 CDT(-0500)] <foxnesn> it just sends me onto the client i want

[10:58:58 CDT(-0500)] <foxnesn> i have everything casified and talking, just not this one thing

[10:58:59 CDT(-0500)] <foxnesn> heh

[10:59:05 CDT(-0500)] <atilling> well then I suggest you change the <end-state id="redirectView" to a view/jsp like the policy enforce does

[10:59:28 CDT(-0500)] <foxnesn> ok

[10:59:50 CDT(-0500)] <foxnesn> oh wait i forgot to copy over the cas jsp

[10:59:52 CDT(-0500)] <foxnesn> from target

[11:01:03 CDT(-0500)] <atilling> I wrote a bash script to stop tomcat, delete temp files, maven compile, copy cas.war and start tomcat

[11:01:26 CDT(-0500)] <foxnesn> that would be useful

[11:01:34 CDT(-0500)] <foxnesn> cause I'm doing this manually 1000 times a day ha

[11:03:10 CDT(-0500)] <foxnesn> that is one of those things that is easy to do but I've been putting it off

[11:03:22 CDT(-0500)] <atilling> yeah that's why i did the bash script: here it is http://pastie.org/2762659

[11:04:47 CDT(-0500)] <foxnesn> darn, no dice

[11:04:55 CDT(-0500)] <foxnesn> looks like I'll have to learn me some jsp

[11:04:57 CDT(-0500)] <foxnesn> and xml

[11:05:20 CDT(-0500)] <atilling> it does help

[11:05:26 CDT(-0500)] <foxnesn> i know java

[11:05:29 CDT(-0500)] <foxnesn> so learning jsp isn't tough

[11:05:38 CDT(-0500)] <foxnesn> xml is one of those things you don't learn until you use it heh

[11:05:48 CDT(-0500)] <atilling> shouldn't be any sweat then

[11:06:21 CDT(-0500)] <foxnesn> the thing is, with that redirectView i need to create a view which is a jsp page

[11:06:31 CDT(-0500)] <foxnesn> but the view name doesnt include the .jsp ?

[11:07:06 CDT(-0500)] <atilling> it doesn't but you need to define the path to the jsp page in your view properties

[11:08:00 CDT(-0500)] <atilling> WEB-INF/classes/default_views.properties

[11:09:07 CDT(-0500)] <foxnesn> ahh ok

[11:09:23 CDT(-0500)] <foxnesn> how did you learn all of this?

[11:09:58 CDT(-0500)] <atilling> reading the cas wiki and playing with the deploy

[11:10:44 CDT(-0500)] <atilling> course probably helps that I've been programming for 20 years in about 12 different languages

[11:12:58 CDT(-0500)] <foxnesn> yea im sure it does

[11:17:55 CDT(-0500)] <foxnesn> heh that did not work

[11:18:28 CDT(-0500)] <foxnesn> it is trying to forward but it continuously reloads hahaha

[11:18:41 CDT(-0500)] <foxnesn> the right url is in the browser...hrm...

[11:19:54 CDT(-0500)] <foxnesn> <end-state id="redirectView" view="viewPwm" />

[11:20:15 CDT(-0500)] <foxnesn> and viewPwm has the checkall logic in it

[11:21:32 CDT(-0500)] <foxnesn> lunch time

[11:55:39 CDT(-0500)] <atilling> How does your PWM know who the CAS service is passing?

[11:57:56 CDT(-0500)] <foxnesn> PWM is casified

[11:58:05 CDT(-0500)] <foxnesn> it uses clearPass

[11:58:34 CDT(-0500)] <foxnesn> so if i go to pwm.example.com:8443/pwm it sends me right to the CAS login if I'm not already given a ticket

[11:59:24 CDT(-0500)] <foxnesn> sorry, pwm/private goes to the cas login

[11:59:43 CDT(-0500)] <foxnesn> pwm/public does not, it handles the password changes and response questions

[12:00:50 CDT(-0500)] <atilling> so it sounds like you're passing your cas approved service to the pwm which is then trying to check cas, which is passing to the PWM which is then checking CAS which is passing to pwm

[12:00:52 CDT(-0500)] <atilling> etc

[12:01:29 CDT(-0500)] <foxnesn> yea, i screwed up the jsp i think

[12:01:47 CDT(-0500)] <atilling> it's more of a flow issue

[12:01:53 CDT(-0500)] <foxnesn> the pwm docs say that if i just create a webpage with an html meta redirect it will work

[12:02:06 CDT(-0500)] <foxnesn> which ive done and launched manually

[12:02:09 CDT(-0500)] <foxnesn> but not in CAS

[12:02:22 CDT(-0500)] <atilling> you don't want to pass to password.example.com:8443/pwm/yaddayadda if the service IS password.example.com:8443/pwm/yaddayadda

[12:03:11 CDT(-0500)] <foxnesn> hrm true

[12:03:16 CDT(-0500)] <atilling> your service is passing through the PWM and then PWM is becoming a service also

[12:03:43 CDT(-0500)] <atilling> so you're passing the pwm service through PWM - infinite loop

[12:03:50 CDT(-0500)] <foxnesn> right

[12:04:16 CDT(-0500)] <foxnesn> so why then does it work if i manually enter it into a browser?

[12:04:25 CDT(-0500)] <foxnesn> but loops if i direct it to that page?

[12:05:44 CDT(-0500)] <atilling> depends on what you have for cookie, whether there is a gateway=true in the url etc

[12:05:57 CDT(-0500)] <foxnesn> ahhhhh

[12:06:51 CDT(-0500)] <atilling> gateway=true avoids the login page if the user is already logged in and is a different webflow

[12:07:45 CDT(-0500)] <atilling> well same webflow but different path through it

[12:07:48 CDT(-0500)] <foxnesn> isn't that a setting in CAS?

[12:08:35 CDT(-0500)] <atilling> whether to allow gateway is - requesting gateway is a service side thing

[12:09:16 CDT(-0500)] <foxnesn> is - ?

[12:10:27 CDT(-0500)] <atilling> whether to allow a service to gateway is a cas setting - requesting login as a gateway request is a service action

[12:11:24 CDT(-0500)] <foxnesn> see i never setup these service parameters in web.xml

[12:11:34 CDT(-0500)] <foxnesn> i did setup clearpass tho for pwm

[12:11:38 CDT(-0500)] <foxnesn> and it works great

[12:11:43 CDT(-0500)] <atilling> your PWM probably wants cas.x.edu/login/service=pwmurl?gateway=true

[12:12:05 CDT(-0500)] <foxnesn> but why does it work if i manually put it into a browser?

[12:12:09 CDT(-0500)] <atilling> err, cas.x.edu/login/?service=pwmurl&gateway=true

[12:12:34 CDT(-0500)] <atilling> not sure

[12:13:01 CDT(-0500)] <atilling> try clearing all your cookies and see if it works if you put it directly into the browser

[12:13:12 CDT(-0500)] <foxnesn> it does

[12:13:31 CDT(-0500)] <foxnesn> works exactly as it should

[12:13:40 CDT(-0500)] <atilling> prompts you for login and then gets to the PWM?

[12:13:44 CDT(-0500)] <foxnesn> yup

[12:14:18 CDT(-0500)] <atilling> then maybe when you are passing the URL to PWM in your jsp you're losing the service ticket

[12:14:50 CDT(-0500)] <atilling> so the end service moodle or whatever isn't getting the service ticket and so passing back to CAS for login again

[12:15:04 CDT(-0500)] <foxnesn> that makes sense

[12:16:40 CDT(-0500)] <foxnesn> im on the PWM mailing list and a guy that uses PWM with CAS got his 1 client to work

[12:16:52 CDT(-0500)] <foxnesn> by changing the service url in web.xml to the big long checkall url

[12:16:55 CDT(-0500)] <foxnesn> but that didnt work for me

[12:17:10 CDT(-0500)] <atilling> you could temp set your cas webflow logging to debug and see where the flow is coming in and out

[12:17:12 CDT(-0500)] <foxnesn> it just kept going to the service without interrupting

[12:18:41 CDT(-0500)] <atilling> well if you are only dealing with one service you could leave CAS completely default and have moodle pass a service url with the PWM flow in it

[12:19:48 CDT(-0500)] <foxnesn> i even tried that but i couldn't get it to work

[12:20:08 CDT(-0500)] <foxnesn> i changed web.xml to reflect the long service url for checkall

[12:20:14 CDT(-0500)] <foxnesn> changed nothing in moodle itself

[12:20:32 CDT(-0500)] <atilling> so moodle to cas wouldn't be cas.x.edu/cas/login?service=http://moodle.x.edu but rather moodle would redirect to cas.x.edu/cas/login?service=pwm.x.edu?followurl=http://moodle.x.edu

[12:21:11 CDT(-0500)] <atilling> that might work

[12:22:15 CDT(-0500)] <atilling> I know other schools have passed the flow out to external services but I'm not familiar with it

[12:22:33 CDT(-0500)] <foxnesn> do i edit that in web.xml ?

[12:23:15 CDT(-0500)] <atilling> that wouldn't be web.xml - cas would be pretty much default - that would be in the moodle cas config

[12:24:07 CDT(-0500)] <foxnesn> ok

[12:25:24 CDT(-0500)] <atilling> but again, working with cas and an external handler in the middle of the flow isn't something I've done

[12:27:35 CDT(-0500)] <foxnesn> unfortunately the moodle cas config only asks for the cas hostname, the base uri, the port and cas version and the bind settings

[12:28:51 CDT(-0500)] <atilling> maybe try posting to the cas-user list, maybe a school that's used an external service mid flow can give you more advice

[12:29:31 CDT(-0500)] <foxnesn> ok i think i got it

[12:29:45 CDT(-0500)] <foxnesn> in the base uri i have to specify the entire checkall command

[12:32:11 CDT(-0500)] <foxnesn> shoot it does the checkall but then it goes to the entire cas url with the moodle url attached to it

[12:32:14 CDT(-0500)] <foxnesn> lol so close

[12:35:35 CDT(-0500)] <atilling> try going back to the normal webflow then?

[12:38:44 CDT(-0500)] <foxnesn> i did

[12:38:56 CDT(-0500)] <foxnesn> i think i will just have to bite the bullet and create a new flow and everything

[12:39:39 CDT(-0500)] <foxnesn> because down the line they want cas to forward users to a url based on their AD group

[12:39:44 CDT(-0500)] <foxnesn> so alumni go to x

[12:39:48 CDT(-0500)] <foxnesn> students go to y

[12:39:52 CDT(-0500)] <foxnesn> employees go to z

[12:45:23 CDT(-0500)] <atilling> so they start at one service and get to a different place?

[12:46:49 CDT(-0500)] <foxnesn> i don't even think they know yet

[12:47:11 CDT(-0500)] <foxnesn> i guess they are thinking that based on their LDAP credentials, CAS would send them to a specific url

[12:47:16 CDT(-0500)] <foxnesn> so it would happen in CAS

[12:47:23 CDT(-0500)] <foxnesn> or it could happen in external logic

[12:47:33 CDT(-0500)] <atilling> we have it so that certain services get different cas interfaces/login pages

[12:48:07 CDT(-0500)] <foxnesn> hey could you go to this link and look about 1/3 of the way down

[12:48:09 CDT(-0500)] <foxnesn> https://wiki.jasig.org/display/CAS/jasig-cas+IRC+Logs-2011-10-17

[12:48:25 CDT(-0500)] <foxnesn> serac was telling me what to change the external redirect to

[12:48:43 CDT(-0500)] <foxnesn> and the unknown macro error is killing me

[12:49:01 CDT(-0500)] <foxnesn> because i did get it to forward properly but moodle would not log me in

[12:51:05 CDT(-0500)] <atilling> might be requestParameters

[12:54:48 CDT(-0500)] <foxnesn> hrm, do you know where CAS stores the requesting service url in memory?

[12:55:23 CDT(-0500)] <foxnesn> if i were to create a jsp i should be able to call that variable so long as the jsp is still working in the cas flow

[12:55:47 CDT(-0500)] <foxnesn> and then simply write an if statement that redirects

[12:57:42 CDT(-0500)] <atilling> flowScope.service.id

[13:02:58 CDT(-0500)] <foxnesn> do you know the purpose of adding authentication filters for a service in a web.xml ?

[13:17:27 CDT(-0500)] <atilling> web.xml on the cas side?

[13:25:20 CDT(-0500)] <foxnesn> yea

[13:27:41 CDT(-0500)] <atilling> I haven't done anything with the filters, usually filters control how parts of the app respond

[13:39:06 CDT(-0500)] <foxnesn> so page redirects do not work in the flow because it simply loops

[13:39:24 CDT(-0500)] <foxnesn> if it is redirecting to a cas service

[13:42:52 CDT(-0500)] <atilling> makes sense, unless you add some conditional to keep it from jumping to your external service when the service IS your external

[13:44:58 CDT(-0500)] <atilling> unfortunately I don't have a test environment to test your scenario and my experience has only been with embedding those functions into CAS rather than passing to an external

[13:45:38 CDT(-0500)] <foxnesn> so with the password setup you created

[13:45:45 CDT(-0500)] <foxnesn> where does it store response information?

[13:49:06 CDT(-0500)] <atilling> define which information you are asking about storing

[13:50:26 CDT(-0500)] <foxnesn> sorry, password response info

[13:50:55 CDT(-0500)] <atilling> as in what password they entered when logging in?

[13:51:20 CDT(-0500)] <foxnesn> did you say that your program forces users to add password response questions?

[13:51:48 CDT(-0500)] <atilling> yes, that's in the java in our overlay

[13:52:10 CDT(-0500)] <foxnesn> ok so where are those saved? in a database?

[13:52:20 CDT(-0500)] <atilling> the Q&A pair are written out to our Microsoft SQL server in the Schema used for our portal

[13:52:58 CDT(-0500)] <foxnesn> ahh

[13:53:05 CDT(-0500)] <foxnesn> how does that affect high availability?

[13:56:43 CDT(-0500)] <foxnesn> man, it is too bad i couldn't just put an if statement into the loginwebflow

[13:56:57 CDT(-0500)] <foxnesn> if the requesting service is this do this, etc

[13:57:03 CDT(-0500)] <foxnesn> it would be too easy

[13:57:25 CDT(-0500)] <atilling> You can

[13:57:42 CDT(-0500)] <atilling> And Our Microsoft SQL server is HA

[13:57:42 CDT(-0500)] <foxnesn> i can put a scriptlet in there?

[13:58:24 CDT(-0500)] <atilling> this is a webflow if then else: <action-state id="warnPassRedirect2" >

[13:58:24 CDT(-0500)] <atilling> <evaluate expression="requestScope.response.responseType.name()"/>

[13:58:24 CDT(-0500)] <atilling> <transition on="POST" to="pwdPostView" />

[13:58:24 CDT(-0500)] <atilling> <transition to="pwdRedirectView" />

[13:58:24 CDT(-0500)] <atilling> </action-state>

[13:59:36 CDT(-0500)] <atilling> you could evaluate flowscope.service.id and transition on="http://pwm" to="redirectview">

[14:00:01 CDT(-0500)] <atilling> then have the else <transition to="PWMRedirect" />

[14:10:38 CDT(-0500)] <foxnesn> sometimes i think xml makes this more difficult

[14:13:35 CDT(-0500)] <foxnesn> do you know why generateServiceTicketAction transitions to "warn" on "success" ?

[14:14:46 CDT(-0500)] <atilling> yes, the warn action determines if the user has set the profile option of warn on transition to service

[14:14:57 CDT(-0500)] <atilling> if yes it displays the message

[14:15:31 CDT(-0500)] <foxnesn> but i dont see where it goes from there

[14:15:50 CDT(-0500)] <foxnesn> if i don't click the warn box does that mean it acts as gateway?

[14:15:54 CDT(-0500)] <atilling> <decision-state id="warn">

[14:15:54 CDT(-0500)] <atilling> <if test="flowScope.warnCookieValue" then="showWarningView" else="redirect" />

[14:15:54 CDT(-0500)] <atilling> </decision-state>

[14:16:14 CDT(-0500)] <foxnesn> ahh

[14:16:16 CDT(-0500)] <foxnesn> blind

[14:17:10 CDT(-0500)] <atilling> No, separate things though related - if I login to a casified service and I check that box then if I SSO (gateway) into a DIFFERENT service I'll get a CAS warning page before I'm logged into that service

[14:17:43 CDT(-0500)] <atilling> if I don't check that box SSO is automatic and I'm not told that I logged into a second service

[14:18:02 CDT(-0500)] <foxnesn> ok, do you know what postview is for?

[14:18:52 CDT(-0500)] <atilling> post view and redirect view route the user to the end service they just logged into

[14:19:11 CDT(-0500)] <foxnesn> so both are needed?

[14:19:25 CDT(-0500)] <atilling> which one does the redirect depends on requestScope.response.responseType.name()

[14:19:39 CDT(-0500)] <atilling> yes

[14:20:21 CDT(-0500)] <atilling> though personally I'm not clear as to when requestScope.response.responseType.name() = post and when it doesn't

[14:21:37 CDT(-0500)] <foxnesn> so i guess i would want to put my evaluation in an end-state

[14:22:05 CDT(-0500)] <atilling> No, not an end-state, needs to be an action-state

[14:22:27 CDT(-0500)] <atilling> end-state can't pass to any other action

[14:22:36 CDT(-0500)] <atilling> End-state ends the flow

[14:23:48 CDT(-0500)] <foxnesn> right, but flowScope.service.id is in an end state

[14:24:22 CDT(-0500)] <foxnesn> hrm, does the wiki contain definitions and purposes of these variables?

[14:24:29 CDT(-0500)] <foxnesn> i probably should just read through them first

[14:24:37 CDT(-0500)] <atilling> no, flowscope.service.id is a variable that contains the service url

[14:25:25 CDT(-0500)] <atilling> you can access flowscope in an action or an end-state

[14:25:26 CDT(-0500)] <foxnesn> i feel at this point i may be wasting your time heh

[14:25:33 CDT(-0500)] <foxnesn> because of my newness

[14:25:58 CDT(-0500)] <foxnesn> serac did say this was a tad "advanced"

[14:26:01 CDT(-0500)] <atilling> ehh I like to be helpful, just wish I could be more helpful

[14:26:24 CDT(-0500)] <atilling> you attending the jasig unconference

[14:26:26 CDT(-0500)] <atilling> ?

[14:26:34 CDT(-0500)] <foxnesn> right now it is like being thrown in to China and having to learn Chinese without any context of the language

[14:27:44 CDT(-0500)] <atilling> well give the community a chance - people are very supportive

[14:28:17 CDT(-0500)] <atilling> and many are much more knowledgeable than me

[14:29:34 CDT(-0500)] <atilling> I've gotten good at some very small pieces but others like scott know the package better than they know their own living room

[14:30:19 CDT(-0500)] <foxnesn> i will not be attending unconference

[14:30:22 CDT(-0500)] <foxnesn> hopefully next year

[14:30:31 CDT(-0500)] <foxnesn> once we get this off the ground i will have a good reason to go

[14:31:00 CDT(-0500)] <foxnesn> as you know, pulling away from packaged solutions to roll your own is risky

[14:31:08 CDT(-0500)] <foxnesn> sure it saves money but now we have to support it

[14:31:25 CDT(-0500)] <foxnesn> and supporting an end-to-end authentication tier can be a major hassle come upgrade time

[14:31:38 CDT(-0500)] <atilling> CAS is nearly bullet proof once you get it working

[14:32:04 CDT(-0500)] <foxnesn> i don't mean risky as in vulnerable, i guess i mean a money gamble

[14:32:53 CDT(-0500)] <atilling> I understand what you are saying, just saying that once you get past the config it just runs

[14:34:31 CDT(-0500)] <atilling> most folks don't bother updating CAS - very rarely are updates security issues - mostly it's just new features or performance improvements

[14:34:45 CDT(-0500)] <foxnesn> good to know

[14:34:53 CDT(-0500)] <foxnesn> of course my boss loves implementing those

[14:35:01 CDT(-0500)] <foxnesn> and any excuse to upgrade software

[14:35:20 CDT(-0500)] <atilling> and if you use the maven overlay, you can upgrade and deploy with few changes

[14:35:43 CDT(-0500)] <foxnesn> well right now im leaning heavily on this community so as long as you all don't mind then i wont think twice about it

[14:35:57 CDT(-0500)] <foxnesn> i just wish somebody else who was new at this would come in and i could assist for a change

[14:36:42 CDT(-0500)] <atilling> the devs try to make sure that the improvements go in in such a way that all your configs continue to work, you only need to change the config to add features

[14:37:31 CDT(-0500)] <atilling> If you get stuck Unicon has installation support, they have skilled CAS people

[14:42:24 CDT(-0500)] <foxnesn> does this look ok

[14:42:25 CDT(-0500)] <foxnesn> <evaluate expression="flowScope.service.id"/>

[14:42:25 CDT(-0500)] <foxnesn> <transition on="https://lms2uptst2.dickinson.edu" to="moodleCheckAll" else="redirectView"/>

[14:42:28 CDT(-0500)] <foxnesn> </action-state>

[14:42:49 CDT(-0500)] <foxnesn> then i need to make a moodleCheckAll view i guess

[14:42:52 CDT(-0500)] <atilling> you don't have an else that way

[14:43:18 CDT(-0500)] <foxnesn> so it can be either an if state with an else OR transition on statements

[14:43:26 CDT(-0500)] <atilling> the else needs to be a separate <transition to="" /> it's an else if it doesn't have an on

[14:43:56 CDT(-0500)] <foxnesn> i c

[14:45:52 CDT(-0500)] <foxnesn> so i need an action state and a decision state

[14:46:01 CDT(-0500)] <foxnesn> the action state evaluates the expression i am looking at

[14:46:17 CDT(-0500)] <foxnesn> and then points to the decision state which makes the decision based on the variables

[14:49:10 CDT(-0500)] <atilling> decision state should be all you need in this case

[14:49:32 CDT(-0500)] <atilling> you only need the action state first if the action state needs to set something

[14:51:15 CDT(-0500)] <foxnesn> but don't i have to evaluate flowScope.service.id ?

[14:51:45 CDT(-0500)] <foxnesn> so that i can test that against the url

[14:53:46 CDT(-0500)] <atilling> ok, sorry I'm getting confused as to which way you are doing things

[14:54:53 CDT(-0500)] <atilling> you can have an action state with an evaluate and two + transitions like a switch statement or a decision state with an actual if then else

[14:58:10 CDT(-0500)] <foxnesn> i guess i will go with a decision state

[14:58:24 CDT(-0500)] <foxnesn> <decision-state id="checkAll">

[14:58:24 CDT(-0500)] <foxnesn> <if test="flowScope.service.id = https://lms2uptst2.dickinson.edu" then="moodleCheckAll" else="redirectView" />

[14:58:27 CDT(-0500)] <foxnesn> </decision-state>

[14:58:33 CDT(-0500)] <foxnesn> and my end-state

[14:59:24 CDT(-0500)] <foxnesn> <end-state id="moodleCheckAll" view="externalRedirect:https://pwm....checkalk&forwardURL=https://moodle" />

[14:59:52 CDT(-0500)] <foxnesn> crap i can't have the forwardURL in that statement

[15:09:22 CDT(-0500)] <atilling> use the view state/jsp you created earlier?

[15:11:10 CDT(-0500)] <foxnesn> yea

[15:11:31 CDT(-0500)] <foxnesn> if i do decision state can i declare several variables at once?

[15:12:48 CDT(-0500)] <foxnesn> or maybe it would be easier to create an action state with my 4 cas clients but then how do i tell CAS to go to redirectview if it's not one of those clients?

[15:12:56 CDT(-0500)] <atilling> I haven't before, you could check the spring webflow docs

[15:13:58 CDT(-0500)] <atilling> have 4 transition on="" to="" and then one transition to="redirectview"

[15:14:31 CDT(-0500)] <atilling> the transition without an on becomes your else or default case

[15:18:17 CDT(-0500)] <foxnesn> ahh thanks

[15:18:23 CDT(-0500)] <foxnesn> now in the default jsp views

[15:18:31 CDT(-0500)] <foxnesn> do i have to have the .(class) line

[15:18:39 CDT(-0500)] <foxnesn> moodlecheckAll.(class)=org.springframework.web.servlet.view.JstlView

[15:18:50 CDT(-0500)] <foxnesn> i see all the others include that class

[15:19:51 CDT(-0500)] <atilling> yup

[15:20:31 CDT(-0500)] <atilling> tells cas how to process the jsp, without that you can't have jstl tags in your jsp

[15:22:55 CDT(-0500)] <foxnesn> <evaluate expression="flowScope.service.id" />

[15:22:56 CDT(-0500)] <foxnesn> <transition on="https://lms2uptst2.dickinson.edu" to="moodlecheckAll" />

[15:22:59 CDT(-0500)] <foxnesn> <transition on="" to="redirectView" />

[15:23:01 CDT(-0500)] <foxnesn> </action-state>

[15:23:07 CDT(-0500)] <foxnesn> <end-state id="moodlecheckAll" view="pwmcheckmoodle" />

[15:23:07 CDT(-0500)] <foxnesn> <end-state id="redirectView" view="externalRedirect:${requestScope.response.url}" />

[15:23:28 CDT(-0500)] <atilling> seems to me that will work

[15:23:31 CDT(-0500)] <foxnesn> and pwmcheckmoodle is a jsp that redirects

[15:23:39 CDT(-0500)] <foxnesn> using the usual redirect string for jsp

[15:24:06 CDT(-0500)] <atilling> give it a try, I'm about ready to pack it up here though

[15:24:12 CDT(-0500)] <foxnesn> same

[15:24:17 CDT(-0500)] <foxnesn> my last shot for the day

[15:24:22 CDT(-0500)] <atilling> good chance that I'll be on tomorrow

[15:24:44 CDT(-0500)] <foxnesn> good (smile)

[15:25:23 CDT(-0500)] <foxnesn> hrm, well it just logs me into moodle

[15:25:28 CDT(-0500)] <foxnesn> without the redirect...

[15:25:40 CDT(-0500)] <foxnesn> so i didn't completely break something

[15:25:42 CDT(-0500)] <foxnesn> good place to stop

[15:26:03 CDT(-0500)] <atilling> good, have a good night

[15:26:06 CDT(-0500)] <foxnesn> thanks, as always you have been a huge help

[15:26:29 CDT(-0500)] <atilling> wish I could have been more help