jasig-cas IRC Logs-2011-10-17

[03:14:49 CDT(-0500)] <muzzol> hi, quick question. is it possible to keep a session open some minutes even if browser is completely closed?

[03:15:14 CDT(-0500)] <muzzol> i mean, in case a user closes his browser accidentally

[07:40:32 CDT(-0500)] <foxnesn> morning

[08:12:14 CDT(-0500)] <kickehy> mornin'

[08:22:37 CDT(-0500)] <foxnesn> kickehy is your cas working yet?

[08:25:13 CDT(-0500)] <kickehy> for the most part

[08:25:32 CDT(-0500)] <kickehy> just need to figure out why the services management isn't working

[08:25:47 CDT(-0500)] <foxnesn> what is services management?

[08:26:54 CDT(-0500)] <kickehy> https://wiki.jasig.org/display/CAS/Services+Management

[08:27:03 CDT(-0500)] <kickehy> that can explain it better than i could

[08:27:44 CDT(-0500)] <foxnesn> ahh i see

[08:27:49 CDT(-0500)] <foxnesn> i dont think i will need that

[08:27:53 CDT(-0500)] <kickehy> foxnesn: but i did get it working with moodle as you saw on friday (smile)

[08:28:03 CDT(-0500)] <foxnesn> as not just anyone can add webapps to the domain here

[08:28:09 CDT(-0500)] <foxnesn> yea

[08:28:23 CDT(-0500)] <foxnesn> kickehy: did you have to change every user auth to cas?

[08:28:30 CDT(-0500)] <foxnesn> manually

[08:28:39 CDT(-0500)] <kickehy> hehe, no, it's just a test server

[08:28:46 CDT(-0500)] <kickehy> i only had to do that for one user

[08:28:58 CDT(-0500)] <foxnesn> well im afraid that may be an issue down the road

[08:29:17 CDT(-0500)] <foxnesn> i guess in the moodle database i can mass change it

[08:29:45 CDT(-0500)] <foxnesn> alter * from m_user where auth = ldap

[08:29:52 CDT(-0500)] <foxnesn> something like that will probably work

[08:36:40 CDT(-0500)] <kickehy> yeah

[08:38:37 CDT(-0500)] <foxnesn> were you thinking of using any sort of password self service?

[08:40:09 CDT(-0500)] <kickehy> so they can change their AD password?

[08:40:25 CDT(-0500)] <foxnesn> yea

[08:40:32 CDT(-0500)] <foxnesn> and if they forget it they can retrieve it

[08:41:04 CDT(-0500)] <kickehy> i'd be open to it

[08:41:24 CDT(-0500)] <foxnesn> im working with an open source program called PWM

[08:41:36 CDT(-0500)] <foxnesn> pretty nice and integrates well

[08:42:02 CDT(-0500)] <foxnesn> but im trying to come up with an interrupt system so that it will prompt users to change their pass if it is about to expire

[08:42:31 CDT(-0500)] <kickehy> ah

[09:23:36 CDT(-0500)] <foxnesn> hrm, after CAS authenticates but before it redirects back to the application i need to get it to always hit 1 specific page

[09:23:58 CDT(-0500)] <foxnesn> is this at all possible?

[09:25:47 CDT(-0500)] <serac> Yes, customize login-webflow.xml

[09:26:07 CDT(-0500)] <serac> Important to note this is in the arena of advanced usage.

[09:26:19 CDT(-0500)] <foxnesn> heh

[09:26:57 CDT(-0500)] <foxnesn> ok, my purpose is so that our password self service will interrupt the process and make the user update their pass/questions/etc

[09:27:26 CDT(-0500)] <serac> We do this at Virginia Tech. It's fairly straightforward.

[09:27:29 CDT(-0500)] <foxnesn> and the proceed to the site

[09:27:35 CDT(-0500)] <foxnesn> ahh good

[09:27:47 CDT(-0500)] <foxnesn> what do you use for password self service, just curious

[09:28:03 CDT(-0500)] <serac> Custom code.

[09:28:07 CDT(-0500)] <foxnesn> cool

[09:28:11 CDT(-0500)] <serac> This is the action of interest:

[09:28:12 CDT(-0500)] <serac>

[09:28:12 CDT(-0500)] <serac> <action-state id="generateServiceTicket">

[09:28:12 CDT(-0500)] <serac> <evaluate expression="generateServiceTicketAction" />

[09:28:12 CDT(-0500)] <serac> <transition on="success" to="warn" />

[09:28:12 CDT(-0500)] <serac> <transition on="error" to="generateLoginTicket" />

[09:28:13 CDT(-0500)] <serac> <transition on="gateway" to="gatewayServicesManagementCheck" />

[09:28:13 CDT(-0500)] <serac> </action-state>

[09:29:16 CDT(-0500)] <serac> You could replace the warn state with something that does password state checking or add it after the warn state.

[09:29:24 CDT(-0500)] <serac> Studying the flow is key.

[09:29:37 CDT(-0500)] <serac> You should be able to figure out how to hook in your custom view.

[09:39:37 CDT(-0500)] <kickehy> sigh...I think the reason services management doesn't work is because of certificates

[09:43:56 CDT(-0500)] <foxnesn> is there an example of how i would add a url to that webflow?

[09:44:12 CDT(-0500)] <foxnesn> as in make it specifically go to a webpage?

[09:44:45 CDT(-0500)] <serac> You want to go there under specific conditions, correct?

[09:45:17 CDT(-0500)] <foxnesn> i would like it to always go there after it authenticates with the ldap and before it sends it back to the application

[09:45:40 CDT(-0500)] <foxnesn> the webpage calls a commandservlet that fires based on variables

[09:45:50 CDT(-0500)] <foxnesn> and then forwards to wherever

[09:48:02 CDT(-0500)] <serac> <end-state id="passwordView" view="externalRedirect:https://some.example.com?var1=${requestParameters['var1']}" />

[09:48:13 CDT(-0500)] <serac> http://static.springsource.org/spring-webflow/docs/2.3.x/reference/html/ch04s04.html may be helpful reference.

[09:49:09 CDT(-0500)] <serac> Note if you replace to="warn" with to="passwordView", the warn feature will cease to work.

[09:49:58 CDT(-0500)] <serac> So you may need to add an additional action state in there somewhere to do the right thing based on presence/absence of warn parameter.

[09:50:02 CDT(-0500)] <foxnesn> what does warn do?

[09:50:04 CDT(-0500)] <serac> Or decision state.

[09:50:12 CDT(-0500)] <serac> There's a checkbox on the login form.

[09:50:17 CDT(-0500)] <foxnesn> oo

[09:50:22 CDT(-0500)] <foxnesn> yea we dont use that

[09:50:30 CDT(-0500)] <serac> If you check that, a page is shown on the cas server that warns you before accessing a service.

[09:50:40 CDT(-0500)] <foxnesn> ok no big loss

[09:52:59 CDT(-0500)] <kickehy> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found

[09:53:20 CDT(-0500)] <kickehy> any idea how to "fix" that?

[09:53:25 CDT(-0500)] <foxnesn> did you put in your FQDN instead of localhost?

[09:53:40 CDT(-0500)] <kickehy> i tried it...it just redirects back to localhost

[09:54:24 CDT(-0500)] <kickehy> and it seems you can't access the services management from a remote machine as it gets a "page not found"

[09:54:26 CDT(-0500)] <foxnesn> so what exactly is happening?

[09:56:10 CDT(-0500)] <kickehy> if i go to https://server.domain.edu/cas/services it prompts for me to login to cas, i enter in my username/pass and then it throws me that cert error

[09:58:30 CDT(-0500)] <serac> The certificate CN must match the hostname you access in the browser.

[09:58:59 CDT(-0500)] <serac> Can you echo the CN of your cert?

[10:00:16 CDT(-0500)] <kickehy> it's the fqdn of the server itself

[10:00:46 CDT(-0500)] <kickehy> casserver.loras.edu

[10:02:34 CDT(-0500)] <serac> Echo your cas.properties file.

[10:03:32 CDT(-0500)] <kickehy> https://localhost/cas

[10:03:38 CDT(-0500)] <kickehy> for the server prefix

[10:03:44 CDT(-0500)] <kickehy> does that need to change?

[10:04:28 CDT(-0500)] <kickehy> http://grab.by/b4JT

[10:04:30 CDT(-0500)] <serac> Yes, that's the problem.

[10:04:32 CDT(-0500)] <kickehy> that's the whole thing

[10:08:30 CDT(-0500)] <kickehy> is that normal to change that to the server fqdn?

[10:08:38 CDT(-0500)] <serac> Yes

[10:08:43 CDT(-0500)] <kickehy> oh

[10:09:28 CDT(-0500)] <kickehy> hey look at that (big grin)

[10:09:32 CDT(-0500)] <kickehy> serac: thanks!

[10:09:39 CDT(-0500)] <serac> Glad to help.

[10:10:02 CDT(-0500)] <foxnesn> so it was that you had to change localhost to fqdn?

[10:10:08 CDT(-0500)] <kickehy> yeah

[10:10:13 CDT(-0500)] <foxnesn> hehe

[10:10:14 CDT(-0500)] <kickehy> foxnesn: do it!

[10:10:23 CDT(-0500)] <foxnesn> do what?

[10:10:26 CDT(-0500)] <kickehy> unless you've done it already (tongue)

[10:10:28 CDT(-0500)] <kickehy> changed it

[10:10:34 CDT(-0500)] <foxnesn> im not messing with services right now

[10:10:40 CDT(-0500)] <foxnesn> im messing with webflow

[10:10:48 CDT(-0500)] <foxnesn> i dont wanna break two things at once ha

[10:11:01 CDT(-0500)] <kickehy> who needs webflow (wink)

[10:11:07 CDT(-0500)] <foxnesn> sadly me

[10:11:33 CDT(-0500)] <foxnesn> since we dont have the java expertise here to build our own password self service into CAS

[10:12:17 CDT(-0500)] <foxnesn> these guys still develop in cold fusion

[10:12:17 CDT(-0500)] <foxnesn> lol

[10:12:37 CDT(-0500)] <serac> Isn't CF just a thin veneer over the JVM?

[10:13:48 CDT(-0500)] <foxnesn> it's like frontpage was back in the day

[10:13:56 CDT(-0500)] <foxnesn> very little coding

[10:14:09 CDT(-0500)] <kickehy> sounds like sharepoint

[10:14:10 CDT(-0500)] <foxnesn> you can use the coding feature

[10:14:17 CDT(-0500)] <serac> I guess in practice that may be true.

[10:14:21 CDT(-0500)] <foxnesn> but its not like using a real IDE like eclipse

[10:14:42 CDT(-0500)] <kickehy> serac: do i need to put anything for the "Theme Name" for the initial cas service?

[10:14:48 CDT(-0500)] <serac> I have a love/hate relationship with Eclipse.

[10:14:58 CDT(-0500)] <foxnesn> serac: seems like everyone does

[10:15:16 CDT(-0500)] <serac> kickehy: Don't worry about it unless you start using multiple skins for CAS.

[10:17:57 CDT(-0500)] <kickehy> k

[10:41:26 CDT(-0500)] <foxnesn> well this is odd

[10:41:34 CDT(-0500)] <foxnesn> i made that change in the login webflow

[10:41:46 CDT(-0500)] <foxnesn> but i dont know if it is firing or not

[10:41:59 CDT(-0500)] <foxnesn> but it does send me to the application that was requesting auth

[10:42:12 CDT(-0500)] <foxnesn> if i entered anything in wrong wouldnt it tell me?

[10:42:25 CDT(-0500)] <foxnesn> it should have prompted me

[10:44:12 CDT(-0500)] <serac> Show me the change you made to the flow.

[10:45:13 CDT(-0500)] <foxnesn> k

[10:46:25 CDT(-0500)] <foxnesn> hold im a moron

[10:49:40 CDT(-0500)] <foxnesn> ooo seems to work

[10:49:45 CDT(-0500)] <foxnesn> must run 5000000000 tests lmao

[10:51:16 CDT(-0500)] <foxnesn> wait, so it did send me to the password self service site

[10:51:27 CDT(-0500)] <foxnesn> and then it did forward on to the cas client

[10:51:35 CDT(-0500)] <foxnesn> but it wont let me login to that client now

[10:52:57 CDT(-0500)] <foxnesn> yea strange i think the password ss is messed i gotta look into it

[10:54:05 CDT(-0500)] <foxnesn> ok yea the issue right now is with cas

[10:54:15 CDT(-0500)] <foxnesn> let me show you the login webflow

[10:55:48 CDT(-0500)] <foxnesn> http://pastie.org/2712196

[10:57:55 CDT(-0500)] <foxnesn> it seems that the ticket is getting lost

[11:00:30 CDT(-0500)] <foxnesn> the only thing i changed was "warn" to "passwordView" and i added the end-state id line

[11:01:03 CDT(-0500)] <serac> Here's the problem.

[11:01:27 CDT(-0500)] <serac> You need to add the service to the URL params of your password service and have that target servlet

[11:01:34 CDT(-0500)] <serac> forward them on to the destination service.

[11:01:37 CDT(-0500)] <serac> But....

[11:02:00 CDT(-0500)] <serac> Problem is that if you have any user interaction on that password page, the ticket will likely expire by the time you consume it at the target service.

[11:02:13 CDT(-0500)] <serac> You may need to put this page before ST generation in that case.

[11:03:00 CDT(-0500)] <foxnesn> i see

[11:03:06 CDT(-0500)] <foxnesn> i bet the ticket is expiring

[11:03:56 CDT(-0500)] <foxnesn> i will have to continue working on this

[11:04:56 CDT(-0500)] <foxnesn> the thing is the password service actually makes me login after authenticating with the ldap and it is only supposed to do that IF the user needs to update info

[11:05:16 CDT(-0500)] <foxnesn> weird

[11:52:06 CDT(-0500)] <kickehy> for login throttling, does it just log the attempts? Or can I make where after X number of attempts you have to wait Y minutes before logging in again?

[11:52:51 CDT(-0500)] <kickehy> man, i really can't make complete sentences

[11:55:04 CDT(-0500)] <foxnesn> it seems to me you can configure a lot you just need to know how to configure it lol

[11:55:12 CDT(-0500)] <kickehy> hehe yeah

[11:55:30 CDT(-0500)] <serac> Throttling will enforce the policy by making subsequent attempts fail.

[11:55:44 CDT(-0500)] <serac> fail before the back-end auth handler is invoked

[11:56:55 CDT(-0500)] <kickehy> so how does it release the "lock"?

[11:57:06 CDT(-0500)] <kickehy> https://wiki.jasig.org/display/CASUM/Throttling+Login+Attempts

[11:57:10 CDT(-0500)] <kickehy> that's what i'm looking at

[11:57:26 CDT(-0500)] <kickehy> i'm pretty sure i don't need inspektr

[11:59:12 CDT(-0500)] * kickehy out to lunch

[12:00:15 CDT(-0500)] <serac> Believe the counter is just in-memory data that's keyed off source IP address.

[12:59:33 CDT(-0500)] <foxnesn> serac, how would i add the service to the url params of the password service?

[13:00:33 CDT(-0500)] <serac> Using the requestParameters.service or requestParameters['service'] syntax I mentioned earlier.

[13:00:46 CDT(-0500)] <serac> I really think the bigger issue is where in the flow you're putting this.

[13:01:43 CDT(-0500)] <foxnesn> ok

[13:02:42 CDT(-0500)] <foxnesn> well right now it is in generateserviceticker

[13:03:06 CDT(-0500)] <foxnesn> and on success it transitions to passwordView which is the url to my password service

[13:03:37 CDT(-0500)] <serac> Right. And if the user does anything on that form that takes more than 10s, by the time you deliver the ticket to the service it will have expired.

[13:03:42 CDT(-0500)] <serac> And you'll likely see an error.

[13:04:03 CDT(-0500)] <serac> Now if you strip the ticket from the service, you'll be ok.

[13:04:57 CDT(-0500)] <serac> You'll simply redirect to the service without the ticket, and it'll naturally redirect to CAS for another ticket. Of course you'd need some additional logic to not show your password view in that case.

[13:05:17 CDT(-0500)] <serac> On that second round trip.

[13:05:51 CDT(-0500)] <foxnesn> heh

[13:05:58 CDT(-0500)] <foxnesn> admittedly getting over my head

[13:06:17 CDT(-0500)] <foxnesn> but i have no choice but to learn

[13:06:20 CDT(-0500)] <serac> I can imagine if you're not a Java programmer that's familiar with Spring Web Flow.

[13:06:34 CDT(-0500)] <foxnesn> i know java well enough, but am unfamiliar with spring webflow

[13:06:36 CDT(-0500)] <serac> The SWF reference manual is a good introduction and it's fairly brief.

[13:09:09 CDT(-0500)] <kickehy> serac: for the throttling, do what repeatInterval do you guys have implemented?

[13:09:25 CDT(-0500)] <kickehy> seriously, i can't form sentences today

[13:09:47 CDT(-0500)] <serac> We don't do throttling.

[13:09:49 CDT(-0500)] <kickehy> ah

[13:10:06 CDT(-0500)] <serac> Lots of folks do, though. And I can imagine we might do it in the future.

[13:10:21 CDT(-0500)] <serac> I couldn't even hazard a guess about a "standard."

[13:13:28 CDT(-0500)] <wgthom> kickehy, if you have some policy enforced at the primary authN….you probably don't need throttling at the cas layer

[13:14:04 CDT(-0500)] <kickehy> ah very true

[13:14:14 CDT(-0500)] <kickehy> didn't even think about that

[14:04:05 CDT(-0500)] <kickehy> well...i think i may finally have a box for production

[14:04:11 CDT(-0500)] <foxnesn> wow

[14:04:13 CDT(-0500)] <foxnesn> way to go

[14:04:41 CDT(-0500)] <kickehy> foxnesn: i must say, my needs are A LOT simpler than yours

[14:05:42 CDT(-0500)] <foxnesn> heh

[14:05:50 CDT(-0500)] <foxnesn> still though this is an achievement

[14:06:01 CDT(-0500)] <foxnesn> most people just go out and pay for a solution

[14:06:17 CDT(-0500)] <kickehy> higher ed has money for that?

[14:06:19 CDT(-0500)] <kickehy> (tongue)

[14:06:22 CDT(-0500)] <foxnesn> lol

[14:06:26 CDT(-0500)] <foxnesn> well our school seems to

[14:06:31 CDT(-0500)] <kickehy> must be nice

[14:06:32 CDT(-0500)] <foxnesn> paying insane amounts to sungard

[14:06:40 CDT(-0500)] <kickehy> we just got our budget cut

[14:06:45 CDT(-0500)] <kickehy> by a lot

[14:06:50 CDT(-0500)] <foxnesn> that bites

[14:06:54 CDT(-0500)] <kickehy> we used to get whatever we wanted

[14:07:12 CDT(-0500)] <foxnesn> :/

[14:08:51 CDT(-0500)] <kickehy> we are a 1:1 laptop campus though

[14:08:59 CDT(-0500)] <foxnesn> ??

[14:09:05 CDT(-0500)] <shintaku> what application server do you guys use for jasig-cas?

[14:09:08 CDT(-0500)] <shintaku> tomcat?

[14:09:17 CDT(-0500)] <kickehy> we "give" each student a laptop that comes here

[14:09:37 CDT(-0500)] <serac> Tomcat and derivatives like JBoss AS.

[14:09:45 CDT(-0500)] <foxnesn> oh that's nice

[14:10:08 CDT(-0500)] <serac> shintaku: That's all we formally support, but other folks deploy on Websphere and the other commercial JEE containers.

[14:10:11 CDT(-0500)] <shintaku> serac: thanks

[14:10:15 CDT(-0500)] <serac> np

[14:10:31 CDT(-0500)] <kickehy> foxnesn: but since BYOD is getting so popular, I can see it disappearing

[14:10:39 CDT(-0500)] <kickehy> in the near future

[14:10:52 CDT(-0500)] <shintaku> one more question. jasig-cas can enforce password changes, right?

[14:12:59 CDT(-0500)] <serac> Using an experimental feature, yes.

[14:13:21 CDT(-0500)] <serac> Note you could customize CAS to do this via some alternative means; we do this and other big institutions do it.

[14:13:44 CDT(-0500)] <serac> The "experimental" feature is slated for inclusion in a future release, but it's undergoing active dev.

[14:13:59 CDT(-0500)] <serac> Search the cas-user/cas-dev archives for more info.

[14:14:15 CDT(-0500)] <serac> Also, https://wiki.jasig.org/display/CAS/CAS+Roadmap.

[14:14:25 CDT(-0500)] <shintaku> thanks again (smile)

[14:14:28 CDT(-0500)] <serac> "LDAP Password Policy"

[14:14:32 CDT(-0500)] <serac> np

[14:28:06 CDT(-0500)] <kickehy> just wanted to double check with you guys, since you all have implemented cas and actually know what you're talking about....but I've implemented services management, integrated login via ldaps, forced tomcat to use ssl, login throttling done via Active Directory...anything else to enforce security?

[14:30:50 CDT(-0500)] <kickehy> s/Active Directory/Group Policy

[14:39:09 CDT(-0500)] <serac> Sounds complete to me. While HA isn't strictly part of security policy, availability matters with authentication systems.

[14:40:14 CDT(-0500)] <kickehy> very true

[14:41:38 CDT(-0500)] <kickehy> serac: thanks

[14:41:42 CDT(-0500)] <serac> np

[14:41:55 CDT(-0500)] <kickehy> serac: are you Marvin?

[14:43:10 CDT(-0500)] <kickehy> is there any documentation on customizing the login page?

[14:43:22 CDT(-0500)] <serac> I'm Marvin.

[14:43:33 CDT(-0500)] <kickehy> nice...just was curious

[14:43:35 CDT(-0500)] <serac> Documentation on theming CAS beyond the simplistic is fairly poor.

[14:44:05 CDT(-0500)] <kickehy> Ah..I think it would be nice to just put our logo on there

[14:44:15 CDT(-0500)] <kickehy> i suppose i could replace the jasig gif

[14:44:51 CDT(-0500)] <serac> You can do that by simply editing CSS I believe.

[14:45:08 CDT(-0500)] <kickehy> mmmk

[14:45:45 CDT(-0500)] <serac> /cas-server-webapp/src/main/webapp/css/cas.css

[14:55:50 CDT(-0500)] <foxnesn> ill be getting into HA once i figure out this password self service crap

[14:56:46 CDT(-0500)] <foxnesn> atilling must be Andrew Tillinghast

[14:56:58 CDT(-0500)] <foxnesn> i bet he can help me with webflow