Prior to version 5.x of CAS, JSTL was used via JSP pages, and it was easy to extend the CAS 2.0 protocol to release attributes, as a snippet for doing so was provided in the documentation.
If you have recently upgraded to 5.x, you might have noticed that the templating engine has changed to Thymeleaf 2.1, which uses HTML pages instead of JSP, and there is no longer a helpful snippet in the documentation for extending the CAS 2.0 protocol to release attributes. Granted, the 3.0 protocol releases attributes by default, but you might need to provide authentication to a few endpoints that don’t use the 3.0 protocol.
After a short while of grokking Thymeleaf, I came up with the following code to release whatever attributes you give it under the CAS 2.0 protocol. Any attribute that is a list will be split on “, ” and released as an array of elements.
The older attribute processor could actually notice that an attribute was a list and split it easily; in 5.x, however, all the attributes under the 2.0 protocol are provided as a string of the form “attribute name=value”, which requires a bit more processing.
Also, the split function only splits on single characters, so I did a cheap trick: replace “, ” with “|” and then split on “|”. This works for most group lists and standard lists without splitting on the space in a display name or between DN elements. It is possible, though, that “|” is already in the list, since it is a valid character for group names in AD; my company just happens not to have groups with this character in the name or their DN. Yours might, and you might need to pick a different character.
File: casServiceValidationSuccess.html

Image of the code because it refused to paste in right
You can download the html here
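Since the template itself is only shown as an image, here is an added example (not the downloadable file above) of a casServiceValidationSuccess.html body that implements the same approach: each entry is split into name and value on the first “=”, list values have “, ” replaced with “|” and are then split on “|”, and every value is XML-escaped before it is written into the response. The model variable names (attributes, principal) and the “[a, b, c]” list format are assumptions; check them against the stock template shipped with your CAS version.

```html
<!-- Added example, not the author's file. Assumptions: the model exposes the
     released attributes as a map named "attributes" whose entries print as
     "name=value", list values print in Java's "[a, b, c]" form, and the
     authenticated principal is available as "principal". -->
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas"
                     xmlns:th="http://www.thymeleaf.org">
    <cas:authenticationSuccess>
        <cas:user th:text="${principal.id}">casuser</cas:user>
        <cas:attributes th:if="${attributes != null and not #maps.isEmpty(attributes)}">
            <!-- th:each runs before th:with, so "entry" is in scope here. -->
            <th:block th:each="entry : ${attributes}"
                      th:with="raw=${#strings.toString(entry)},
                               name=${#strings.substringBefore(raw, '=')},
                               value=${#strings.substringAfter(raw, '=')}">
                <!-- A list value arrives as "[a, b, c]". arraySplit treats every
                     character of its separator as a delimiter, so splitting on
                     ", " would also break DNs and display names on their spaces;
                     swap ", " for "|" first, then split on "|". "|" is legal in
                     AD group names, so choose another character if your
                     directory uses it. -->
                <th:block th:if="${#strings.startsWith(value, '[') and #strings.endsWith(value, ']')}"
                          th:with="inner=${#strings.substring(value, 1, #strings.length(value) - 1)},
                                   items=${#strings.arraySplit(#strings.replace(inner, ', ', '|'), '|')}">
                    <!-- The element name comes from the service's release policy
                         (configuration); the value comes from the directory, so
                         escapeXml keeps a value containing <, > or & from
                         injecting elements into the validation response. -->
                    <th:block th:each="item : ${items}"
                              th:utext="${'<cas:' + name + '>' + #strings.escapeXml(item) + '</cas:' + name + '>'}"/>
                </th:block>
                <!-- Scalar value: emit it once, escaped the same way. -->
                <th:block th:unless="${#strings.startsWith(value, '[') and #strings.endsWith(value, ']')}"
                          th:utext="${'<cas:' + name + '>' + #strings.escapeXml(value) + '</cas:' + name + '>'}"/>
            </th:block>
        </cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>
```

Place the file under src/main/resources/templates/protocol/2.0 in the overlay and rebuild; a value such as `a<b` should come back in the validation response as `a&lt;b`, which is the check that the escaping is in effect.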
It’s not the best code in the world, but hopefully, it will save some of you a few hours of your life so you can get on to the next problem/project sooner.
Thank you for this article. I am facing problems while upgrading my CAS server from 4.0.0 to 5.1.3. I am not finding the correct steps to upgrade CAS. This is the first time I am working on CAS. So could you please help me to resolve my problems?
Hi Kumar,
Upgrading from 4.0 to 5.x is a bit challenging. But the changes are not too bad to deal with. First, you’ll want to make sure your pom.xml is pointing to the new version (I just went to 5.2 myself). Here’s my pom.xml for reference https://www.dropbox.com/s/gl6hliwh0qeffcg/pom.xml?dl=0
From there you will want to look over your cas.properties file, as some of the names have changed. For example, any key like cas.tgc.encryptionKey is now cas.tgc.crypto.encryption.key.
Also, if you have any theme customizations, version 5.x has moved from JSP to Thymeleaf (2.x for CAS 5.1.x and 3.x for CAS 5.2.x). This means that if you edited the CAS 2.0 protocol page to release attributes, you will need to do that again, as the language is different. But I did write an article on that too, so you can just copy and paste that code 🙂
If you need any other help, let me know and I’ll answer as best I can.
Hi Kogenta,
Thank you very much for the reply. I really need a lot of help with this, as this is a task given to me and I have been working on it for the last month. We have a Linux server with CAS 4.0.0 authentication and Tomcat 7, and we want to upgrade CAS to 5.x. Let me explain the steps that I have performed.
1) I downloaded the cas-overlay-template.
2) Copied that cas-overlay to the cas server in the /home directory.
3) Used the command .\mvnw clean
4) .\build.sh package
After this step we got the cas.war file, and I put the cas.war file under tomcat/webapps, but it’s not working and I am getting a 404 error.
5) .\build.sh run
When I run this command and try to run cas on maven, I get an error saying “port 8443 is not free and used with some other service”.
I request you to please help me to resolve this issue. I will be very thankful to you.
Please let me know if anything else is required.
Note: I have sent the same email before. I am not sure whether you got that one or not, because I sent that email from my office and it is not visible from my home.
Thanks,
VK
Check your cas.properties file; you might have told cas to use the tomcat server built into it, which would cause the error you’re seeing.
Here is how I upgraded
1. make a directory under /opt for cas5 builds (mkdir /opt/cas5)
2. install maven 3 if you don’t already have it (apt-get install maven3)
3. place the pom.xml file in /opt/cas5
4. cd to /opt/cas5
5. build the pom.xml with the command “mvn clean package”
6. stop tomcat (service tomcat7 stop)
7. create a softlink from the cas.war file generated in /opt/cas5/target to /var/lib/tomcat7/webapps
7.1 cd to /var/lib/tomcat7/webapps
7.2 ln -s /opt/cas5/target/cas.war cas.war
8. make the following folders
8.1 /etc/cas
8.2 /etc/cas/config (your cas.properties will go here)
8.3 /etc/cas/services (your JSON service definitions will go here)
9. place this cas.properties file (https://www.dropbox.com/s/hfol151ckj9mhjg/cas.properties?dl=0) under /etc/cas/config (you’ll need to edit it to fit your setup, and you’ll need to fill out the encryption keys. Though you can comment those out and cas will generate them for you; then you can just copy and paste them into your config file from the logs)
10. make the directory /var/log/cas if it doesn’t already exist (mkdir /var/log/cas)
11. set its permissions to tomcat7 (chown tomcat7:tomcat7 /var/log/cas)
12. copy this log4j2.xml (https://www.dropbox.com/s/w0qv6aduwkzrxk8/log4j2.xml?dl=0) to /etc/cas/config
Note: this will cause two errors to display in the catalina.out log file during tomcat startup. This occurs because Spring Boot 1.5.x is incompatible with Log4J 2.x, but it still works anyway and is what cas uses.
13. (optional) if you are releasing any attributes via the CAS 2.0 protocol, you will need to place the following file under /opt/cas5/src/main/resources/templates/protocol/2.0 (dropbox file link: https://www.dropbox.com/s/15kscyk0iqd5gpu/casServiceValidationSuccess.html?dl=0)
CAS 4.x used JSP for its web pages, but CAS 5.x uses Thymeleaf 2, and Thymeleaf 3 for CAS 5.2
13.1 build the package again (cd /opt/cas5 followed by mvn clean package)
14. with your cas.war built and all the config files in place, start tomcat7 (“service tomcat7 start”)
14.1 (optional) in another window, tail the catalina.out log file (tail -f /var/log/tomcat7/catalina.out)
If everything is good, your tomcat server should start up and cas should load.
Also, I just found this while poking around for a better way to secure the /status endpoint and it would probably be pretty helpful https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html
Hi Kogenta,
Thank you very much for providing me the detailed information on this and the quick response. I am performing the same steps as mentioned by you. I just wanted to know about the LDAP information and certificate information. I don’t have LDAP on this server, so I should comment out the lines where LDAP information is required.
==================================================
#========================================
# LDAP Auth
#========================================
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldaps://your-ldap-server.example.com
cas.authn.ldap[0].connectTimeout=3000
cas.authn.ldap[0].useStartTLS=false
cas.authn.ldap[0].trustedCertificates=file:///path/to/server/cert.pem
cas.authn.ldap[0].bindDn=
cas.authn.ldap[0].bindCredential=
cas.authn.ldap[0].baseDn=dc=example,dc=com
cas.authn.ldap[0].userFilter=(sAMAccountName={user})
#construct login as username@highline.edu
cas.authn.ldap[0].dnFormat=%s@example.com
#principal id and attributes
cas.authn.ldap[0].principalAttributeId=sAMAccountName
cas.authn.ldap[0].principalAttributeList=sAMAccountName,dn,sn,cn,givenname,memberOf,mail,displayName
===================================================
and the points where keys are requested:
==========================================
#=======================================
# Spring Webflow
#=======================================
cas.webflow.crypto.signing.key=
cas.webflow.crypto.signing.keySize=512
cas.webflow.crypto.encryption.keySize=16
cas.webflow.crypto.encryption.key=
cas.webflow.crypto.alg=AES
#=======================================
# SSO Cookie Generation & Security
#=======================================
# Do note that the following settings MUST be generated per deployment.
# The encryption secret key. By default, must be a octet string of size 256.
cas.tgc.crypto.encryption.key=
# The signing secret key. By default, must be a octet string of size 512.
cas.tgc.crypto.signing.key=
cas.tgc.crypto.enabled=true
======================================
I really appreciate your help on this.
Thanks,
Varinder Kumar
I have just restarted tomcat after performing all the steps and am getting the error below:
———————————————————————————————-
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=384M; support was removed in 8.0
Dec 22, 2017 2:52:33 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Dec 22, 2017 2:52:34 PM org.apache.coyote.AbstractProtocolHandler init
INFO: Initializing ProtocolHandler [“http-bio-8070”]
Dec 22, 2017 2:52:34 PM org.apache.coyote.AbstractProtocolHandler init
INFO: Initializing ProtocolHandler [“ajp-bio-8009”]
Dec 22, 2017 2:52:34 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1153 ms
Dec 22, 2017 2:52:34 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Dec 22, 2017 2:52:34 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.8
Dec 22, 2017 2:52:34 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive cas.war
Dec 22, 2017 2:52:35 PM org.apache.catalina.loader.WebappClassLoader validateJarFile
INFO: validateJarFile(/home/tomcat/webapps/cas/WEB-INF/lib/javax.servlet-api-3.1.0.jar) – jar not loaded. See Servlet Spec 2.3, section 9.7.2. Offending class: javax/servlet/Servlet.class
Dec 22, 2017 2:52:36 PM org.apache.catalina.startup.HostConfig deployWAR
SEVERE: Error deploying web application archive cas.war
org.apache.tomcat.util.bcel.classfile.ClassFormatException: Invalid byte tag in constant pool: 18
at org.apache.tomcat.util.bcel.classfile.Constant.readConstant(Constant.java:131)
at org.apache.tomcat.util.bcel.classfile.ConstantPool.<init>(ConstantPool.java:60)
at org.apache.tomcat.util.bcel.classfile.ClassParser.readConstantPool(ClassParser.java:209)
at org.apache.tomcat.util.bcel.classfile.ClassParser.parse(ClassParser.java:119)
at org.apache.catalina.startup.ContextConfig.processAnnotationsStream(ContextConfig.java:1908)
at org.apache.catalina.startup.ContextConfig.processAnnotationsJar(ContextConfig.java:1797)
at org.apache.catalina.startup.ContextConfig.processAnnotationsUrl(ContextConfig.java:1756)
at org.apache.catalina.startup.ContextConfig.processAnnotations(ContextConfig.java:1742)
at org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1245)
at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:874)
at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:317)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:89)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:4974)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:812)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:787)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:607)
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:925)
at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:723)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:470)
Could you please take a look?
Thanks
Varinder Kumar
Yeah, if you’re not using LDAP, you can just comment out all the cas.authn.ldap[0] and cas.auth.attributeRepository lines. Though cas.authn.attributeRepository.defaultAttributesToRelease might be good to keep around if you implement another backend beyond the test user.
Hi Kogenta,
I am really very thankful to you. With your support and help I have successfully deployed CAS and am successfully able to open the CAS portal. I am feeling very happy.
Now I have 2 last concerns:
1) In which file will I have to add the credentials, and what are the test credentials to test the login? I have used casuser as username and Mellon as password; however, it is showing invalid credentials.
2) In which CAS file will I have to add the service URL, so that after verifying the credentials on cas it redirects to the service URL automatically?
Again, thank you so much.
Thanks,
Varinder Kumar
I’m glad to hear you have CAS up and can see your portal page. Sorry for the delay in getting back to you. I’ve been busy with holiday things.
The credentials you have for the test user are correct. If you want to use the test user account, you’ll need to comment out this line in your cas.properties, as it disables the test user:
### — Disable built in cas user — ###
cas.authn.accept.users=
As for the service URL, this should be provided by the client as a parameter in the URL. So the URL when accessing your login page should look something like https://your-cas.server.com/cas/login?service=https://some-service.example.com
If you haven’t already, you will want to define your JSON service definition under /etc/cas/services. CAS has a built-in one that will be loaded by default if you don’t have one defined.
So for the example above, you’ll want a JSON service definition like this https://www.dropbox.com/s/7om2n6v4pxlnqx4/Example-100.json?dl=0
You’ll see that the serviceId attribute will match https://some-service.example.com, with anything coming after it in the URL, and that the file name Example-100.json includes the id attribute in the name (this is required by CAS).
Finally, if the user successfully authenticates, whether using the built-in service definition or the one I linked, they will be automatically redirected to the URL in the service parameter given by the client.
I hope this helps address your last two concerns. Have a good New Year’s.
Happy New Year Sir!
I hope 2018 is going great for you.
Thank you very much for helping me to resolve this task. I have completed all the changes and everything is working fine. I have added the username and password, i.e. casuser and Mellon, in cas.properties:
### — Disable built in cas user — ###
cas.authn.accept.users=casuser:Mellon
I did not make any changes to the JSON file; however, I am successfully able to redirect to my application, as by default it is accepting all the URLs.
Everything is working fine now. Thanks again.
Best,
Varinder Kumar