• https://apereo.github.io/cas/7.0.x/planning/Architecture.html
• https://apereo.github.io/cas/7.0.x/planning/Installation-Requirements.html
• https://apereo.github.io/cas/developer/Contributor-Guidelines.html
• https://apereo.github.io/cas/7.0.x/protocol/CAS-Protocol.html

autres

• https://fawnoos.com/2023/12/15/cas70x-gettingstarted-overlay/#google_vignette
• https://dzone.com/articles/installing-and-debugging-an-apereo-cas-application
• https://www.esup-portail.org/wiki/display/CAS/Retour+de+l%27URN+sur+mise+en+place+de+CAS+6.0.4
• https://github.com/dacurry-tns/deploying-apereo-cas/blob/gh-pages/pages/introduction/overview.md
• https://dacurry-tns.github.io/deploying-apereo-cas/pdf/deploying-apereo-cas.pdf
• https://fawnoos.com/2020/11/09/cas63-gettingstarted-overlay/

Exemple de deploiement d'un serveur CAS 7.x sur une distribution AlamLinux 9 avec les produits natifs de cette distribution ⇒ JVM openjdk 17 de base , passage en JDK 21

• https://apereo.github.io/cas/7.0.x/planning/Installation-Requirements.html

[root@cas7 ~]# cat /etc/redhat-release 
AlmaLinux release 9.3 (Shamrock Pampas Cat)

• https://shape.host/resources/how-to-install-java-openjdk-on-almalinux-9

[root@cas7 ~]# dnf install java-17-openjdk java-17-openjdk-devel

Installed:
  java-21-openjdk-1:21.0.3.0.9-1.el9.alma.1.x86_64     java-21-openjdk-devel-1:21.0.3.0.9-1.el9.alma.1.x86_64     java-21-openjdk-headless-1:21.0.3.0.9-1.el9.alma.1.x86_64  

[root@cas7 ~]# alternatives --config java

There are 2 programs which provide 'java'.

  Selection    Command
-----------------------------------------------
*+ 1           java-17-openjdk.x86_64 (/usr/lib/jvm/java-17-openjdk-17.0.11.0.9-2.el9.x86_64/bin/java)
   2           java-21-openjdk.x86_64 (/usr/lib/jvm/java-21-openjdk-21.0.3.0.9-1.el9.alma.1.x86_64/bin/java)

Enter to keep the current selection[+], or type selection number: 2

[root@cas7d ~]# java -version
openjdk version "21.0.3" 2024-04-16 LTS
OpenJDK Runtime Environment (Red_Hat-21.0.3.0.9-1) (build 21.0.3+9-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-21.0.3.0.9-1) (build 21.0.3+9-LTS, mixed mode, sharing)

redhat et donc centos n'offre plus de package tomcat (ils mettent en avant JBoss) , donc on va installer un tomcat 10 en tar.gz

• https://www.rosehosting.com/blog/how-to-install-and-secure-tomcat-10-on-almalinux/

[root@cas7 ~]# dnf install httpd 
[root@cas7 ~]# systemctl start httpd
[root@cas7 ~]# systemctl enable httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.

[root@cas7 ~]# mkdir /opt/tomcat
[root@cas7 ~]# cd /opt
[root@cas7 opt]# wget https://downloads.apache.org/tomcat/tomcat-10/v10.1.20/bin/apache-tomcat-10.1.20.tar.gz -O tomcat-10.1.20.tar.gz 
[root@cas7 opt]# tar xzvf tomcat-10.1.20.tar.gz -C /opt/tomcat --strip-components=1

[root@cas7 opt]# useradd -m -U -d /opt/tomcat -s /bin/false tomcat
[root@cas7 opt]# chown tomcat:tomcat -R /opt/tomcat/

gestion du service par systemd

[root@cas7 opt]# touch /etc/systemd/system/tomcat.service
[root@cas7 opt]# vim  /etc/systemd/system/tomcat.service
[root@cas7 opt]# systemctl daemon-reload
[root@cas7 opt]# systemctl start tomcat && systemctl enable tomcat
Created symlink /etc/systemd/system/multi-user.target.wants/tomcat.service → /etc/systemd/system/tomcat.service.

avec system/tomcat.service

[root@cas7 opt]# cat /etc/systemd/system/tomcat.service
[Unit]
Description=Apache Tomcat
After=network.target

[Service]
Type=forking

User=tomcat
Group=tomcat

Environment="JAVA_HOME=/usr/lib/jvm/jre"
Environment="JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom"

Environment="CATALINA_BASE=/opt/tomcat"
Environment="CATALINA_HOME=/opt/tomcat"
Environment="CATALINA_PID=/opt/tomcat/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1536M -server -XX:+UseParallelGC"

ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh

ExecReload=/bin/kill $MAINPID
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

tomcat listen on port 8080 , on ouvre ce port pour test inital avant reverse proxy-apache a notre station d'admin et localhost

 [root@cas7]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.0.11/32" port port=8080 protocol=tcp log prefix="tomcat8080" accept'
[root@cas7 ~]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="127.0.0.1" port port=8080 protocol=tcp log prefix="tomcat8080" accept'
[root@cas7]# firewall-cmd --reload

on peux alors tester un acces direct a notre serveur tomcat sur le port 8080

• http://cas7.mon-domain.fr:8080/

si on souhaite autoriser l'acce à l'application manager il faut ajouter des roles et usernames dans tomcat-users.xml

  <role rolename="manager-gui"/>
  <role rolename="manager-status"/>

  <!-- jehan usernames -->
  <user username="admin" password="secret1" roles="manager-gui"/>
  <user username="admstat" password="secret2" roles="manager-status"/>

on se sert d'apache en reverse-proxy (frontal) pour tomcat, il gerera notament le service TLS car c'est le mod_ssl apache qui est en frontal

[root@cas7 ~]# touch /etc/httpd/conf.d/tomcat.conf
[root@cas7 ~]# vim  /etc/httpd/conf.d/tomcat.conf

avec ce fichier de conf apache reverse-proxy-tomcat on gere les acces http , ici exemple en AJP

<VirtualHost *:80>
ServerName cas7mt.imtbs-tsp.eu
ProxyRequests off
ProxyPass /cas ajp://127.0.0.1:8009/idp retry=0
ProxyPassReverse /cas ajp://127.0.0.1:8009/idp
ProxyPass /manager ajp://127.0.0.1:8009/manager
ProxyPassReverse /manager ajp://127.0.0.1:8009/manager
</VirtualHost>

Exemple en http pour le httpS ⇒ utilisé en production

#httpS
<VirtualHost *:443>
ServerName cas7mt.imtbs-tsp.eu
ProxyRequests off
ProxyPass /cas http://127.0.0.1:8080/idp retry=0
ProxyPassReverse /cas http://127.0.0.1:8080/idp
ProxyPass /manager http://127.0.0.1:8080/manager
ProxyPassReverse /manager http://127.0.0.1:8080/manager
</VirtualHost>

Pour nginx : https://computingforgeeks.com/install-apache-tomcat-on-centos-rocky-linux/

Si on utilise AJP comme protocol intermedaire entre apache-httpd et apchache-tomcat il faut configurer le proxy-ajp pour rediriger les requetes https d'apache vers tomcat , ici avec 2 applications redirigées, notre futur /cas et le /manager de tomcat

[root@cas7 ~]# cat /etc/httpd/conf.d/tomcat.conf
ProxyPass /cas ajp://127.0.0.1:8009/idp retry=0
ProxyPassReverse /cas ajp://127.0.0.1:8009/idp
ProxyPass /manager ajp://127.0.0.1:8009/manager
ProxyPassReverse /manager ajp://127.0.0.1:8009/manager

activer le connecteur AJP coté tomcat

[root@cas7 opt]# vim /opt/tomcat/conf/server.xml 
 <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!-- uncomment AJP -->
    <Connector protocol="AJP/1.3"
               address="::1"
               port="8009"
               redirectPort="8443"
               maxParameterCount="1000"
               secretRequired="false" 

sans l'option secretRequired=“false” (cf https://rimuhosting.com/mod_jk2_and_mod_proxy_ajp.jsp ) , impossible d'acceder au manager via proxy_ajp, il faudrai mieux controler cet acces en limitant les acces proxy uniquement a 127.0.0.1 entre httpd et tomcat , sinon positioner un secret .

lancement httpd et verification de la presence du module AJP

[root@casx opt]# systemctl start httpd.service 
[root@casx opt]# httpd -M | grep ajp

 proxy_ajp_module (shared)

acces sans le port 8080 :

http://casx.mondomain.fr/manager/html

puis en https via le proxy-ajp sans preciser du port 443 dans l'url

https://casx.mondomain.fr/manager/html

installer le module si pas deja present

[root@cas7 ~]# dnf install mod_ssl

penser a ouvrir le firewall sur le port 443 service httpS

# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/16" service name="https" log prefix="https_myNet" accept'
success

configurer le module SSL/TLS avec nos certificats

# grep "^[^#;]" /etc/httpd/conf.d/ssl.conf | grep SSL
SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLCertificateFile /etc/letsencrypt/live/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/chain.pem

[root@cas7 ~]# useradd -m -d /opt/tomcat -U -s /bin/false tomcat

acces à la webapps manager, autoriser notre @IP dans webapps/manager/META-INF/context.xml

[root@cas7 opt]# diff /opt/tomcat/webapps/manager/META-INF/context.xml /opt/tomcat/webapps/manager/META-INF/context.xml.orig
20c20
<          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|157.19.19.13" />
---
>          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />

compte admin d'acces au l'appli manager/html (http://casx.domain.fr:8080/manager/html , le :8080 sera effacé par la suite en mettant en place d'un proxy-ajp apache en frontal de tomcat)

[root@cas7 opt]# diff /opt/tomcat/conf/tomcat-users.xml /opt/tomcat/conf/tomcat-users.xml.orig
44,46d43
<   <role rolename="manager-gui"/>
<   <role rolename="admin-gui"/>
<   <user username="dsi" password="secret" roles="manager-gui,admin-gui"/>

rich rules le temps de la dev pour ouvrir seulement a un subnet local

[root@cas opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/24" port port=8080 protocol=tcp log prefix="http8080" accept'
success
[root@cas opt]# firewall-cmd --reload
success

[root@cas opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/16" service name="http" log prefix="http" accept'
success
[root@cas opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/16" service name="https" log prefix="https" accept'
success
[root@cas opt]# firewall-cmd --reload
success

ou plus generalement

firewall-cmd –zone=public –permanent –add-port=8080/tcp

le serveur est maintenant accessible , exemple

http://ssocas6.tem-tsp.eu:8080/manager/html (login/pass definit plus haut)

optionnellement on peut aussi recopier la definition du service ssh vers un service tomcat afin d'ouvrir via un service firewalld notre port tomcat 8080 .

[root@cas ~]# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/tomcat.xml
[root@cas ~]# vim /etc/firewalld/services/tomcat.xml
[root@cas ~]# cat /etc/firewalld/services/tomcat.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>tomcat</short>
  <description>tomcat is a java servlet container/server</description>
  <port protocol="tcp" port="8080"/>
</service>

dans cette option a base de service on ajoute de maniere permanente (disponible aux prochains boot) le service tomcat

[root@cas ~]# firewall-cmd --zone=public --add-service=tomcat
success

malgres tout, pour obtenir cette ouverture de maniere stable, un ajout du service dans la zone active (ici public) est necessaire

[root@cas ~]# grep tomcat /etc/firewalld/zones/public.xml
  <service name="tomcat"/>
  
[root@cas ~]# systemctl restart firewalld.service 

il sera necessaire d'avoir maven et git entre autre, installation des packages

[root@cas ~]# dns install git maven

json interpreter :

• https://jqlang.github.io/jq/

[root@cas7 ~]# dnf install jq

on commence par recuperer le template overlay de CAS

cf https://apereo.github.io/cas/7.0.x/installation/WAR-Overlay-Installation.html

[root@cas7 opt]# mkdir cas-src
[root@cas7 opt]# cd cas-src/
[root@cas7 cas-src]# git clone https://github.com/apereo/cas-overlay-template
Cloning into 'cas-overlay-template'...
remote: Enumerating objects: 2632, done.
remote: Counting objects: 100% (588/588), done.
remote: Compressing objects: 100% (259/259), done.
remote: Total 2632 (delta 329), reused 530 (delta 296), pack-reused 2044
Receiving objects: 100% (2632/2632), 11.09 MiB | 22.63 MiB/s, done.
Resolving deltas: 100% (1396/1396), done.

on se retrouve avec cette distribution

[root@cas7 cas-src]# cd cas-overlay-template/
[root@cas7 cas-overlay-template]# ls
build.gradle        Dockerfile  gradle             gradlew      helm         lombok.config       Procfile   README.md        src
docker-compose.yml  etc         gradle.properties  gradlew.bat  LICENSE.txt  openrewrite.gradle  puppeteer  settings.gradle  system.properties

pour lister les dependencies dispnible lancer ./gradlew dependencies , la premiere une version integré de gradle est téléchargé puis utilisé, attention cela demande beaucoup de memoire, arreter tomcat et disposer de 3Go .

[root@cas7d cas-overlay-template]# ./gradlew dependencies
Downloading https://services.gradle.org/distributions/gradle-8.8-bin.zip
.............10%.............20%.............30%.............40%.............50%.............60%..............70%.............80%.............90%.............100%

Welcome to Gradle 8.8!

Here are the highlights of this release:
 - Running Gradle on Java 22
 - Configurable Gradle daemon JVM
 - Improved IDE performance for large projects

• https://github.com/apereo/cas/releases

on choisis ici la version 7.0.4

[root@cas7 cas-overlay-template]# grep 7.0.4 gradle.properties
version=7.0.4
cas.version=7.0.4

et downgrade de springBootVersion du fait du passage de cas version version=7.1.0-SNAPSHOT vers 7.0.4 ci-dessus ,

sinon erreur de Class Not Found : “org.springframework.boot.actuate.autoconfigure.sbom.SbomEndpointAutoConfiguration caused by ClassNotFoundException”

#springBootVersion=3.3.0
springBootVersion=3.2.6

editer le fichier build.gradle pour y ajouter deux dependances pour le support-ldap et support-json, cf ci-dessous(+) :

[root@cas7 cas-overlay-template]# diff -ur build.gradle.dist build.gradle
--- build.gradle.dist	2024-06-01 22:54:48.118596940 +0200
+++ build.gradle	2024-06-01 22:57:50.385382570 +0200
@@ -262,6 +262,10 @@
     implementation "org.apereo.cas:cas-server-core-api-configuration-model"
     implementation "org.apereo.cas:cas-server-webapp-init"
 
+// ADD support-ldap and json DISI 
+    implementation "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
+    implementation "org.apereo.cas:cas-server-support-json-service-registry:${'cas.version'}"
+// DISI
     if (project.hasProperty("appServer")) {
         implementation "org.apereo.cas:cas-server-webapp-init${project.appServer}"
     }

[root@cas7 cas-overlay-template]# ./gradlew copyCasConfiguration --no-daemon
To honour the JVM settings for this build a single-use Daemon process will be forked. For more on this, please refer to https://docs.gradle.org/8.8/userguide/gradle_daemon.html#sec:disabling_the_daemon in the Gradle documentation.
Daemon will be stopped at the end of the build 
Configuration on demand is an incubating feature.

BUILD SUCCESSFUL in 8s
1 actionable task: 1 executed

[root@cas7d cas-overlay-template]# ls /etc/cas/config/
cas.properties  log4j2.xml

nous allons editer le fichier etc/cas/config/cas.properties et y definir les parametre d'acces a notre LDAP serveur

[root@cas7d cas-overlay-template]# cat /opt/cas-src/cas-overlay-template/etc/cas/config/cas.properties
cas.server.name=https://cas7.domain.fr:443
cas.server.prefix=${cas.server.name}/cas

logging.config=file:/etc/cas/config/log4j2.xml

cas.authn.accept.users=
### Connexion LDAP
##cas.authn.ldap\[0\].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.ldap\[0\].type=AUTHENTICATED
cas.authn.ldap\[0\].ldapUrl=ldaps://ldap.domain.fr
cas.authn.ldap\[0\].baseDn= dc=domain,dc=fr
cas.authn.ldap\[0\].subtreeSearch=true
#cas.authn.ldap\[0\].searchFilter=uid=\{user\}
cas.authn.ldap\[0\].searchFilter=(&(uid=\{user\})(supannRessourceEtat={ACCOUNT}:*))
cas.authn.ldap\[0\].principalAttributeList=cn,sn,givenName,displayName,mail,uid
 
### Credential to connect to LDAP
cas.authn.ldap\[0\].bindDn=CN=binder,ou=dsa,dc=domain,dc=fr
cas.authn.ldap\[0\].bindCredential=!SECRET!

### Registering Applications 
cas.serviceRegistry.json.location: file:/etc/cas/services

# Required: false
# Type: java.lang.Long
# Owner: org.apereo.cas.configuration.model.core.ticket.PrimaryTicketExpirationPolicyProperties
# Module: cas-server-core-tickets
# Maximum time in seconds tickets would be live in CAS server.
# jehan 8H -> 10H
cas.ticket.tgt.primary.max-time-to-live-in-seconds: 36000


# Required: false
# Type: java.lang.Long
# Owner: org.apereo.cas.configuration.model.core.ticket.PrimaryTicketExpirationPolicyProperties
# Module: cas-server-core-tickets
# Time in seconds after which tickets would be destroyed after a period of inactivity.
# jehan 2H -> 4H
cas.ticket.tgt.primary.time-to-kill-in-seconds: 14400


### Monitor Status 
#management.endpoints.web.base-path=/actuator
#management.endpoints.web.exposure.include=status
#management.endpoint.status.enabled=true

#cas.monitor.endpoints.endpoint.status.access=IP_ADDRESS
#cas.monitor.endpoints.endpoint.status.required-ip-addresses=127.0.0.1

### Monitor Heath Info 
#management.endpoints.web.exposure.include=health,info

#management.endpoint.health.enabled=true
#management.endpoint.health.show-details=always

#management.endpoint.info.enabled=true

#cas.monitor.endpoints.endpoint.health.access=AUTHENTICATED
#cas.monitor.endpoints.endpoint.info.access=ANONYMOUS

# Required: false
# Type: java.lang.Boolean
# Owner: org.apereo.cas.configuration.model.core.authentication.AuthenticationAttributeReleaseProperties
# Module: cas-server-support-validation
# Whether CAS authentication/protocol attributes should be released as part of ticket validation.
cas.authn.authentication-attribute-release.enabled: true

[root@cas cas-overlay-template]# mkdir /var/log/cas
[root@cas cas-overlay-template]# chown -R tomcat /var/log/cas

Modifier le fichier log4j2.xml dans le dossier /opt/cas-overlay-template-master/etc/cas/config

[root@cas7 cas-overlay-template]# diff -ur etc/cas/config/log4j2.xml /etc/cas/config/log4j2.xml
--- etc/cas/config/log4j2.xml	2024-06-01 21:57:48.824138676 +0200
+++ /etc/cas/config/log4j2.xml	2024-06-02 16:23:45.994236163 +0200
@@ -6,7 +6,7 @@
 <!-- Specify the refresh internal in seconds. -->
 <Configuration monitorInterval="5" packages="org.apereo.cas.logging">
     <Properties>
-        <Property name="baseDir">/var/log</Property>
+	    <Property name="baseDir">/var/log/cas</Property>
         <Property name="cas.log.level">info</Property>
         <Property name="spring.webflow.log.level">warn</Property>

les sources incorporent une version de gradle Wrapper (gradlew), il n'est dont pas necessaire d'installer gradle par ailleurs, le wrapper va aller chercher lui meme gradle

• https://fr.wikipedia.org/wiki/Gradle

la definition des actions et parametrages se trouvent dans les build.gradle et gradle.properties

Gradle build permet d'executer certains goals/commands de Gradle (aka gradlew) , commençons par la command clean qui va dans un premier temps recuperer gradle et autres dependances pour notre projet .

l'option –no-daemon permet de terminer le process gradlew, autrement il reste en memoire et la sature rapidement .

[root@cas7 cas-overlay-template]#  ./gradlew clean copyCasConfiguration build --no-daemon
To honour the JVM settings for this build a single-use Daemon process will be forked. For more on this, please refer to https://docs.gradle.org/8.8/userguide/gradle_daemon.html#sec:disabling_the_daemon in the Gradle documentation.
Daemon will be stopped at the end of the build 
Configuration on demand is an incubating feature.

BUILD SUCCESSFUL in 36s
9 actionable tasks: 8 executed, 1 up-to-date

[root@cas7 cas-overlay-template]#  ls -l build/libs/cas.war
-rwxr--r-- 1 root root 131410153 Jun  2 14:56 build/libs/cas.war

avec une simple copie du cas.war dans l'arborescence webapps de tomcat , l'auto-deploy va deployer le service

[root@cas7 cas-overlay-template]# cp /opt/cas-src/cas-overlay-template/build/libs/cas.war /opt/tomcat/webapps/

[root@cas7 cas-overlay-template]# systemctl start tomcat.service 

[root@cas7 cas-overlay-template]# ls -ltr /opt/tomcat/webapps/
drwxr-x---  3 tomcat tomcat      4096 Apr 21 21:40 ROOT
drwxr-x--- 16 tomcat tomcat      4096 Apr 21 21:40 docs
drwxr-x---  7 tomcat tomcat      4096 Apr 21 21:40 examples
drwxr-x---  6 tomcat tomcat      4096 Apr 21 21:40 host-manager
drwxr-x---  6 tomcat tomcat      4096 Apr 21 21:40 manager
drwxr-x---  7 tomcat tomcat      4096 May  4 21:59 idp
-rwxr--r--  1 root   root   131410153 Jun  2 16:19 cas.war
drwxr-x---  5 tomcat tomcat      4096 Jun  2 16:19 cas

on peux voir en detail le deploiement et lancement de CAS par tomcat dans les logs catalina.out

06-Jun-2024 19:06:21.431 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/opt/tomcat/webapps/cas.war]
06-Jun-2024 19:06:29.068 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
2024-06-06 19:06:30,517 INFO [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] - <Validating CAS property sources and configuration for active profiles [[standalone]]. Please wait...>
2024-06-06 19:06:30,529 INFO [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] - <Validated CAS property sources and configuration successfully.>


2024-06-06 19:06:32,509 DEBUG [org.springframework.boot.devtools.restart.Restarter] - <Creating new Restarter for thread Thread[#1,main,5,main]>

  ____  ____    ___  ____     ___   ___          __   ____  _____
   /    T|    \  /  _]|    \   /  _] /   \        /  ] /    T/ ___/
  Y  o  ||  o  )/  [_ |  D  ) /  [_ Y     Y      /  / Y  o  (   \_ 
  |     ||   _/Y    _]|    / Y    _]|  O  |     /  /  |     |\__  T
  |  _  ||  |  |   [_ |    \ |   [_ |     |    /   \_ |  _  |/  \ |
  |  |  ||  |  |     T|  .  Y|     Tl     !    \     ||  |  |\    |
  l__j__jl__j  l_____jl__j\_jl_____j \___/      \____jl__j__j \___j

CAS Version: 7.0.4
CAS Branch: 7.0.x
CAS Commit Id: d41ac9d5e157605fc43d97a77582c2062e864874
CAS Build Date/Time: 2024-04-26T07:43:16.528866Z
Spring Boot Version: 3.2.1
Spring Version: 6.1.2
Java Home: /usr/lib/jvm/java-21-openjdk-21.0.3.0.9-1.el9.alma.1.x86_64
Java Vendor: Red Hat, Inc.
Java Version: 21.0.3
Servlet Version: 6.0
JVM Free Memory: 301 MB
JVM Maximum Memory: 1 GB
JVM Total Memory: 740 MB
OS Architecture: amd64
OS Name: Linux
OS Version: 5.14.0
OS Date/Time: 2024-06-06T19:06:32.626041896
OS Temp Directory: /opt/tomcat/temp
------------------------------------------------------------
Apache Tomcat Version: Apache Tomcat/10.1.20
------------------------------------------------------------

2024-06-06 19:06:32,669 INFO [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] - <Configuration files found at [/etc/cas/config] are [[file [/etc/cas/config/cas.properties]]] under profile(s) [[standalone]]>
2024-06-06 19:06:32,773 INFO [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] - <Validating CAS property sources and configuration for active profiles [[standalone]]. Please wait...>
2024-06-06 19:06:32,833 INFO [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] - <Validated CAS property sources and configuration successfully.>
2024-06-06 19:06:32,835 INFO [org.apereo.cas.web.CasWebApplicationServletInitializer] - <The following 1 profile is active: "standalone">




2024-06-06 19:06:37,014 INFO [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - <Watching service registry directory at [/etc/cas/services]>
2024-06-06 19:06:37,019 INFO [org.apereo.cas.util.io.PathWatcherService] - <Watching directory path at [/etc/cas/services]>
2024-06-06 19:06:38,184 INFO [org.apereo.cas.util.CoreTicketUtils] - <Ticket registry encryption/signing is turned off. This MAY NOT be safe in a clustered production environment. Consider using other choices to handle encryption, signing and verification of ticket registry tickets, and verify the chosen ticket registry does support this behavior.>
2024-06-06 19:06:38,241 INFO [org.apereo.cas.config.CasCoreTicketsConfiguration] - <Runtime memory is used as the persistence storage for retrieving and managing tickets. Tickets that are issued during runtime will be LOST when the web server is restarted. This MAY impact SSO functionality.>
2024-06-06 19:06:39,324 INFO [org.apereo.cas.config.LdapAuthenticationConfiguration] - <Registering LDAP authentication for [LdapAuthenticationHandler]>
2024-06-06 19:06:39,585 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for encryption is not defined for [Ticket-granting Cookie]; CAS will attempt to auto-generate the encryption key>
2024-06-06 19:06:39,594 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated encryption key [dhlqwvkSDUy92C0JQLOQojfK0iHxc_gw2M2rnFIUi7o] of size [256] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings:

2024-06-06 19:06:43,801 INFO [org.apereo.cas.web.CasWebApplicationServletInitializer] - <Started CasWebApplicationServletInitializer in 13.811 seconds (process running for 31.402)>
2024-06-06 19:06:43,839 INFO [org.apereo.cas.services.mgmt.AbstractServicesManager] - <Loaded [0] service(s) from [JsonServiceRegistry].>
2024-06-06 19:06:43,846 INFO [org.apereo.cas.web.CasWebApplicationReady] - <>
2024-06-06 19:06:43,846 INFO [org.apereo.cas.web.CasWebApplicationReady] - <


 ____     ___   ____  ___    __ __ 
|    \   /  _] /    T|   \  |  T  T
|  D  ) /  [_ Y  o  ||    \ |  |  |
|    / Y    _]|     ||  D  Y|  ~  |
|    \ |   [_ |  _  ||     |l___, |
|  .  Y|     T|  |  ||     ||     !
l__j\_jl_____jl__j__jl_____jl____/ 
                                   
CAS is now running at https://cas7d.imtbs-tsp.eu:443/cas
>
2024-06-06 19:06:43,846 INFO [org.apereo.cas.web.CasWebApplicationReady] - <>
2024-06-06 19:06:43,846 INFO [org.apereo.cas.web.CasWebApplicationReady] - <Ready to process requests @ [2024-06-06T17:06:43.822Z]>
2024-06-06 19:06:43,846 INFO [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] - <Validating CAS property sources and configuration for active profiles [[standalone]]. Please wait...>
06-Jun-2024 19:06:43.860 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/opt/tomcat/webapps/cas.war] has finished in [22,430] ms

maintenant que tout est deployé, nous allons profiter du proxy-ajp d'apache pour renvoyer les requetes https servient par apache vers le context tomcat approrié , ici /cas est renvoyé vers le port ajp en localhost 8009 où tomcat ecoute, idem pour notre applaication tomcat /manager .

[root@cas7 ~]#  cat /etc/httpd/conf.d/cas7.conf 
#ProxyRequests off
ProxyPass /cas ajp://127.0.0.1:8009/cas
ProxyPassReverse /cas ajp://127.0.0.1:8009/cas
ProxyPass /manager ajp://127.0.0.1:8009/manager
ProxyPassReverse /manager ajp://127.0.0.1:8009/manager

sans target (application cliente) specifique , faisons un premier test de connexion CAS afin de valider le service d'authN et la recuperation d'attributs

depuis un navigateur accedons a notre service CAS : https://ssocas6.domain.fr/cas/login

une fois le login/password saisie, on aboutit sur une page d'affichage des attributs, ce qui valide le process d'authentifcation et de recuperation d'information depuis notre annuaire ldap.

on retrouve bien dans catalina.out et dans /var/log/cas/cas/log cet acces .

2021-05-22 10:38:58,242 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: {source=RankedMultifactorAuthenticationProviderWebflowEventResolver, event=success, timestamp=Sat May 22 10:38:58 GMT+01:00 2021}
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Sat May 22 10:38:58 GMT+01:00 2021
CLIENT IP ADDRESS: 157.19.19.19
SERVER IP ADDRESS: 157.19.19.10
=============================================================

>
2021-05-22 10:39:20,687 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [1] service(s) from [JsonServiceRegistry].>
2021-05-22 10:40:20,690 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [1] service(s) from [JsonServiceRegistry].>



2021-05-22 10:40:30,750 INFO [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] expired tickets removed.>
2021-05-22 10:40:31,502 INFO [org.apereo.cas.authentication.DefaultAuthenticationManager] - <Authenticated principal [test] with attributes [{cn=[STUDENT Test], givenName=[Test], mail=[test@telecom.fr], uid=[test]}] via credentials [[UsernamePasswordCredential(username=test, source=null, customFields={})]].>
2021-05-22 10:40:31,504 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: test
WHAT: [UsernamePasswordCredential(username=teststud, source=null, customFields={})]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Sat May 22 10:40:31 GMT+01:00 2021
CLIENT IP ADDRESS: 157.19.19.19
SERVER IP ADDRESS: 157.19.19.10
=============================================================

>
2021-05-22 10:40:31,554 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: teststud
WHAT: TGT-1-*****oXABZDg6kM-cas6
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Sat May 22 10:40:31 GMT+01:00 2021
CLIENT IP ADDRESS: 157.19.19.19
SERVER IP ADDRESS: 157.19.19.10
=============================================================

on notera aussi que l'acces au serveur LDAP a été établit au demarrage de l'apllication CAS par tomcat et qu'il se fait bien en TLS/636 avec le binddn definit dans cas.properties

[root@ldap log]# tail -500 ldap.log


May 22 11:27:55 ldap slapd[2086]: conn=1161 fd=13 ACCEPT from IP=157.19.19.10:35994 (IP=0.0.0.0:636)
May 22 11:27:55 ldap slapd[2086]: conn=1161 fd=13 TLS established tls_ssf=256 ssf=256
May 22 11:27:55 ldap slapd[2086]: conn=1161 fd=13 TLS established tls_ssf=256 ssf=256
May 22 11:27:55 ldap slapd[2086]: conn=1161 op=0 BIND dn="cn=dsi,ou=dsa,dc=int,dc=fr" method=128
May 22 11:27:55 ldap slapd[2086]: conn=1161 op=0 BIND dn="cn=dsi,ou=dsa,dc=int,dc=fr" mech=SIMPLE ssf=0
May 22 11:27:55 ldap slapd[2086]: conn=1161 op=0 BIND dn="cn=dsi,ou=dsa,dc=int,dc=fr" method=128
May 22 11:27:55 ldap slapd[2086]: conn=1161 op=0 RESULT tag=97 err=0 text=
May 22 11:27:55 ldap slapd[2086]: conn=1161 op=0 BIND dn="cn=dsi,ou=dsa,dc=int,dc=fr" mech=SIMPLE ssf=0
May 22 11:27:55 ldap slapd[2086]: conn=1161 op=0 RESULT tag=97 err=0 text=

• https://fawnoos.com/blog/ + https://fawnoos.com/tags/?t=Attribute%20Resolution
• https://fawnoos.com/2019/03/15/cas61x-attribute-repositories/
• https://stackoverflow.com/questions/61050686/how-to-get-ldap-user-attributes-with-spnego-and-cas

les appplications clientes autorisées à utiliser notre serveur CAS doivent etre declarée au préalable . cela peut se faire au travers d'un simple fichier de type json .

nous déclarons dans cas.prpoerties le chemin d'acces a ce fichier json

[root@ssocas6 cas-overlay-template]# tail -2 etc/cas/config/cas.properties
### Registering Applications 
cas.serviceRegistry.json.location: file:/etc/cas/services

Il est recommandé de nommer les nouveaux fichiers JSON comme ceci: “serviceName-serviceNumericId.json”

Pour créer l'ID nous utilisons la commande date +%s

[root@ssocas6 cas-overlay-template]# mkdir /etc/cas/services
[root@ssocas6 cas-overlay-template]# cd /etc/cas/services
[root@ssocas6 services]# touch disi_wikis-`date +%s`.json          
[root@ssocas6 services]# vim disi_wikis-1621678622.json 

on peux ensuite ajouter d'autres services (ici un 3eme cf logs CAS [1]) , le serveur CAS lit regulierement le directory /etc/cas/services pour les charger dynamiquement sans necessité de restart de tomcat/cas .

[root@ssocas6 services]# touch dsi_ws_domain1-fr-`date +%s`.json
[root@ssocas6 services]#cat dsi_ws_domain1-fr-1622207781.json
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^https://.*.domain1.fr/.*",
"name" : "Dsi_ws-tem-tsp-eu",
"id" : 1622207781,
"evaluationOrder" : 99997
}

logs CAS associés

[1]

2021-05-28 14:18:03,506 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [3] service(s) from [JsonServiceRegistry].>

pour les regex plus de details sur

• https://apereo.github.io/cas/6.3.x/services/Configuring-Service-Matching-Strategy.html
• https://regex101.com/

./gradlew tasks va nous donner la liste des taches disponibles

[root@ssocas6 cas-overlay-template]# ./gradlew tasks
Starting a Gradle Daemon (subsequent builds will be faster)

> Task :tasks

------------------------------------------------------------
Tasks runnable from root project 'cas'
------------------------------------------------------------

Application tasks
-----------------
bootRun - Runs this project as a Spring Boot application.

Build tasks
-----------
allDependencies - Display a graph of all project dependencies
allDependenciesInsight - Produce insight information for all dependencies
assemble - Assembles the outputs of this project.
bootBuildImage - Builds an OCI image of the application using the output of the bootJar task
bootBuildInfo - Generates a META-INF/build-info.properties file.
bootJar - Assembles an executable jar archive containing the main classes and their dependencies.
bootJarMainClassName - Resolves the name of the application's main class for the bootJar task.
bootRunMainClassName - Resolves the name of the application's main class for the bootRun task.
bootRunSourcesClasses - Assembles boot run sources classes.
bootWar - Assembles an executable war archive containing webapp content, and the main classes and their dependencies.
bootWarMainClassName - Resolves the name of the application's main class for the bootWar task.
build - Assembles and tests this project.
buildDependents - Assembles and tests this project and all projects that depend on it.
buildNeeded - Assembles and tests this project and all projects it depends on.
...
Build Setup tasks
-----------------
init - Initializes a new Gradle build.
wrapper - Generates Gradle wrapper files.

CAS tasks
---------
casVersion - Display the current CAS version
copyCasConfiguration - Copy the CAS configuration from this project to /etc/cas/config
createKeystore - Create CAS keystore
debug - Debug the CAS web application in embedded mode on port 5005
...

• https://fawnoos.com/2020/05/17/cas62x-reloadable-html-views/
• https://fawnoos.com/2021/02/16/cas63-ui-themes/
• https://apereo.github.io/cas/7.0.x/ux/User-Interface-Customization.html

depuis 5.X on est passé de JSP a tymeleaf , on peut visualiser le resultat directement en html sans avoir besoin d'un serveur pour interpreter .

pour personaliser des pages, il faut d'abord les extraires de l'overlay distribué afin de les mettres dans notre environement de personalisations locales

pour ce faire nous allons utiliser la tache gradle listTemplateViews afin de lister l'ensemble des fichiers (css, html, png ..) qui composent la view du formulaire :

[root@cas7 cas-overlay-template]# ./gradlew listTemplateViews | more
Starting a Gradle Daemon, 1 busy Daemon could not be reused, use --status for details
Configuration on demand is an incubating feature.
> Task :generateEffectiveLombokConfig UP-TO-DATE
> Task :compileJava UP-TO-DATE
> Task :validateConfiguration NO-SOURCE
> Task :processResources UP-TO-DATE
> Task :classes UP-TO-DATE
> Task :extractCasBootWarOverlay UP-TO-DATE
> Task :resolveMainClassName UP-TO-DATE
> Task :bootWar UP-TO-DATE
> Task :war SKIPPED
> Task :assemble UP-TO-DATE
> Task :generateTestEffectiveLombokConfig UP-TO-DATE
> Task :compileTestJava NO-SOURCE
> Task :processTestResources NO-SOURCE
> Task :testClasses UP-TO-DATE
> Task :test NO-SOURCE
> Task :check UP-TO-DATE
> Task :build UP-TO-DATE

> Task :unzipWAR
Unzipped WAR into /opt/cas-src/cas-overlay-template/build/app

> Task :unzip
Exploded WAR resources into /opt/cas-src/cas-overlay-template/build/cas-resources

> Task :listTemplateViews

BUILD SUCCESSFUL in 12s
10 actionable tasks: 3 executed, 7 up-to-date
[root@cas7d cas-overlay-template]# ls /opt/cas-src/cas-overlay-template/build/cas-resources
application.properties        git.properties          messages_de.properties  messages_it.properties  messages.properties        messages_sl.properties  messages_vi.properties     services
application.yml               log4j2.xml              messages_es.properties  messages_ja.properties  messages_pt_BR.properties  messages_sv.properties  messages_zh_CN.properties  spring.properties
bootstrap.properties          messages_ar.properties  messages_fa.properties  messages_mk.properties  messages_pt_PT.properties  messages_tr.properties  messages_zh_TW.properties  static
bootstrap.yml                 messages_ca.properties  messages_fr.properties  messages_nl.properties  messages_ru.properties     messages_uk.properties  META-INF                   templates
cas-theme-default.properties  messages_cs.properties  messages_hr.properties  messages_pl.properties  messages_sk.properties     messages_ur.properties  org                        truststore.jks

List des ressources / fichier modifiables

[root@cas7 cas-overlay-template]# ./gradlew listTemplateViews 
Configuration on demand is an incubating feature.

> Task :listTemplateViews
/templates/acct-mgmt/casAccountSignupView.html
/templates/acct-mgmt/casAccountSignupViewComplete.html
/templates/acct-mgmt/casAccountSignupViewCompleted.html
/templates/acct-mgmt/casAccountSignupViewSentInfo.html
/templates/acct/casMyAccountProfile.html
/templates/adaptive-authn/casRiskAuthenticationBlockedView.html
/templates/adaptive-authn/casRiskAuthenticationVerifiedView.html
/templates/admin/casAdminLoginView.html
/templates/aup/casAcceptableUsagePolicyView.html
/templates/consent/casConsentView.html
/templates/delegated-authn/casDelegatedAuthnErrorView.html
/templates/delegated-authn/casDelegatedAuthnSelectionView.html
/templates/delegated-authn/casDelegatedAuthnStopWebflow.html
/templates/delegated-authn/casDynamicDiscoveryView.html
/templates/error.html
/templates/error/400.html
/templates/error/401.html
/templates/error/403.html
/templates/error/404.html
/templates/error/405.html
/templates/error/423.html
/templates/error/casServiceErrorView.html
/templates/error/casUnauthorizedServiceRedirectView.html
/templates/error/casWebflowConfigErrorView.html
/templates/forgot-username/casForgotUsernameSendInfoView.html
/templates/forgot-username/casForgotUsernameSentInfoView.html
/templates/fragments/accountprofileapplications.html
/templates/fragments/accountprofileattributes.html
/templates/fragments/accountprofileauditlog.html
/templates/fragments/accountprofileconsent.html
/templates/fragments/accountprofilemfadevices.html
/templates/fragments/accountprofilenavigation.html
/templates/fragments/accountprofileoverview.html
/templates/fragments/accountprofilesecurityquestions.html
/templates/fragments/accountprofilesessions.html
/templates/fragments/accountprofiletrusteddevices.html
/templates/fragments/footer.html
/templates/fragments/googleanalytics.html
/templates/fragments/header.html
/templates/fragments/includes.html
/templates/fragments/loginProviders.html
/templates/fragments/logindrawer.html
/templates/fragments/loginform.html
/templates/fragments/loginsidebar.html
/templates/fragments/pmlinks.html
/templates/fragments/pwdupdateform.html
/templates/fragments/qrAuthentication.html
/templates/fragments/recaptcha.html
/templates/fragments/scripts.html
/templates/fragments/serviceui.html
/templates/fragments/submitbutton.html
/templates/fragments/unlockaccount.html
/templates/fragments/webAuthnLogin.html
/templates/gauth/casGoogleAuthenticatorConfirmRegistrationView.html
/templates/gauth/casGoogleAuthenticatorLoginView.html
/templates/gauth/casGoogleAuthenticatorRegistrationView.html
/templates/gua/casGuaDisplayUserGraphicsView.html
/templates/gua/casGuaGetUserIdView.html
/templates/interrupt/casInterruptView.html
/templates/inwebo/casInweboCheckResultView.html
/templates/inwebo/casInweboErrorView.html
/templates/inwebo/casInweboMAAuthnView.html
/templates/inwebo/casInweboSelectAuthnView.html
/templates/inwebo/casInweboVAAuthnView.html
/templates/layout.html
/templates/login-error/casAccountDisabledView.html
/templates/login-error/casAccountLockedView.html
/templates/login-error/casAccountUnlockedView.html
/templates/login-error/casAuthenticationBlockedView.html
/templates/login-error/casBadHoursView.html
/templates/login-error/casBadWorkstationView.html
/templates/login-error/casExpiredPassView.html
/templates/login-error/casMustChangePassView.html
/templates/login/casConfirmView.html
/templates/login/casGenericSuccessView.html
/templates/login/casLoginMessageView.html
/templates/login/casLoginView.html
/templates/logout/casConfirmLogoutView.html
/templates/logout/casLogoutView.html
/templates/logout/casPropagateLogoutView.html
/templates/mfa-trusted-devices/casMfaRegisterDeviceView.html
/templates/mfa/casCompositeMfaProviderSelectionView.html
/templates/mfa/casMfaDeniedView.html
/templates/mfa/casMfaUnavailableView.html
/templates/password-reset/casPasswordUpdateSuccessView.html
/templates/password-reset/casResetPasswordErrorView.html
/templates/password-reset/casResetPasswordSendInstructionsView.html
/templates/password-reset/casResetPasswordSentInstructionsView.html
/templates/password-reset/casResetPasswordVerifyQuestionsView.html
/templates/password-reset/casWeakPasswordDetectedView.html
/templates/passwordless/casPasswordlessDisplayView.html
/templates/passwordless/casPasswordlessGetUserIdView.html
/templates/protocol/casPostResponseView.html
/templates/protocol/oauth/confirm.html
/templates/protocol/oauth/deviceCodeApproval.html
/templates/protocol/oauth/deviceCodeApproved.html
/templates/protocol/oauth/sessionStaleMismatchError.html
/templates/protocol/oidc/confirm.html
/templates/radius/casRadiusLoginView.html
/templates/saml2-discovery/casSamlIdPDiscoveryView.html
/templates/saml2-idp/casSamlIdPErrorView.html
/templates/simple-mfa/casSimpleMfaLoginView.html
/templates/simple-mfa/casSimpleMfaSelectEmailsView.html
/templates/storage/casSessionStorageReadView.html
/templates/storage/casSessionStorageWriteView.html
/templates/surrogate/casSurrogateAuthnListView.html
/templates/surrogate/casSurrogateAuthnWildcardView.html
/templates/webauthn/casWebAuthnLoginView.html
/templates/webauthn/casWebAuthnRegistrationView.html
/templates/wsfed/casWsFedStopWebflow.html
/templates/yubikey/casYubiKeyLoginView.html
/templates/yubikey/casYubiKeyRegistrationView.html

BUILD SUCCESSFUL in 3s
10 actionable tasks: 1 executed, 9 up-to-date

le fichier casLoginView.html est le point d'entré, on l'extrait avec la tache getResource

[root@cas7 cas-overlay-template]# ./gradlew getResource -PresourceName=casLoginView.html --no-daemon
To honour the JVM settings for this build a single-use Daemon process will be forked. For more on this, please refer to https://docs.gradle.org/8.8/userguide/gradle_daemon.html#sec:disabling_the_daemon in the Gradle documentation.
Daemon will be stopped at the end of the build 
Configuration on demand is an incubating feature.

> Task :unzipWAR
Unzipped WAR into /opt/cas-src/cas-overlay-template/build/app

> Task :getResource
Copied file /opt/cas-src/cas-overlay-template/build/cas-resources/templates/login/casLoginView.html to /opt/cas-src/cas-overlay-template/src/main/resources/templates/login/casLoginView.html

BUILD SUCCESSFUL in 13s
10 actionable tasks: 5 executed, 5 up-to-date

[root@cas7 cas-overlay-template]# ls -l /opt/cas-src/cas-overlay-template/src/main/resources/templates/login/
-rw-r--r-- 1 root root 1955 Jun  6 19:34 casLoginView.html


on va egalement prendre header.html (extrait vers src/main/resources/templates/fragments/header.html) pour y changer le logo 

<code>
[root@cas7 cas-overlay-template]# ./gradlew getResource -PresourceName=header.html --no-daemon
To honour the JVM settings for this build a single-use Daemon process will be forked. For more on this, please refer to https://docs.gradle.org/8.8/userguide/gradle_daemon.html#sec:disabling_the_daemon in the Gradle documentation.
Daemon will be stopped at the end of the build 
Configuration on demand is an incubating feature.

> Task :getResource
Copied file /opt/cas-src/cas-overlay-template/build/cas-resources/templates/fragments/header.html to /opt/cas-src/cas-overlay-template/src/main/resources/templates/fragments/header.html

BUILD SUCCESSFUL in 9s
10 actionable tasks: 1 executed, 9 up-to-date
[root@cas7d cas-overlay-template]# grep logo /opt/cas-src/cas-overlay-template/src/main/resources/templates/fragments/header.html
                            <img id="cas-logo" class="cas-logo"
                                 th:src="@{${#strings.defaultString(#themes.code('cas.logo.file'), '/images/cas-logo.png')}}"

on peux aussi extraire le cas.logo.png afin de disposer de l'arborescence locale depo des images et y copier notre fichier image / logo

[root@cas7 cas-overlay-template]# ./gradlew getResource -PresourceName=cas-logo.png --no-daemon
> Task :getResource
Copied file /opt/cas-src/cas-overlay-template/build/cas-resources/static/images/cas-logo.png to /opt/cas-src/cas-overlay-template/src/main/resources/static/images/cas-logo.png

enfin on redeploie le tout (il est possible de faire usage ./gradlew bootRun pour changer les views a chaud)

[root@ssocas6 cas-overlay-template]#./gradlew clean copyCasConfiguration build
[root@ssocas6 cas-overlay-template]#cp /opt/test-6.3-cas-overlay-template/cas-overlay-template/build/libs/cas.war /opt/tomcat/webapps/
[root@ssocas6 cas-overlay-template]#chown tomcat /opt/tomcat/webapps/cas.war

Pour le text qui apparait dans la page , il s'agit de reference vers le systeme d'internationalisation des messages qu'on retrouve dans messages.properties et messages_fr.properties (_de, _it etc pour les autres langues)

on extrait le fr

[root@ssocas6 cas-overlay-template]# ls /opt/test-6.3-cas-overlay-template/cas-overlay-template/build/cas-resources/
Copied file /opt/test-6.3-cas-overlay-template/cas-overlay-template/build/cas-resources/messages_fr.properties to src/main/resources/messages_fr.properties

il est definit via le password Manamegement link ⇒ fragment pmlink a extraire pour trouver le bon lienvers le messages.propeties a modifier

#./gradlew getResource -PresourceName=pmlinks
> Task :getResource
Copied file /opt/test-6.3-cas-overlay-template/cas-overlay-template/build/cas-resources/templates/fragments/pmlinks.html to src/main/resources/templates/fragments/pmlinks.html

[root@ssocas6d cas-overlay-template]# grep pwd.example.org  src/main/resources/templates/fragments/pmlinks.html
            <span th:utext="#{screen.pm.button.forgotpwd('https://pwd.example.org')}">Forgot your password?</span>

c'est donc le message screen.pm.button.forgotpwd , on positionne la valeurd'URL pour notre etablissements

[root@ssocas6dev cas-overlay-template]# grep screen.pm.button.forgotpwd src/main/resources/messages_fr.properties
screen.pm.button.forgotpwd=<a href="https://credreset.domain.fr/">Mot de passe oublié ?</a>

pour les gouts et les couleurs, cas.css

./gradlew getResource -PresourceName=cas.css
> Task :getResource
Copied file /opt/test-6.3-cas-overlay-template/cas-overlay-template/build/cas-resources/static/css/cas.css to src/main/resources/static/css/cas.css

si besoin d'avoir des info sur la status du service, on peux activer le module visoible sous le endpoint : /actuator

/status est deprecated au profit de /actuator/health

https://apereo.github.io/cas/6.3.x/monitoring/Monitoring-Statistics.html

• https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html
• https://apereo.github.io/2019/01/18/cas61-saml2-idp-incommon/

si besoin d'une installation gradle independante du projet CAS (non indispensable du fait de l'integration de gradlew dans l'overlay ) :

https://tecadmin.net/install-gradle-centos-8/

[root@ssocas6 ~]# wget https://downloads.gradle-dn.com/distributions/gradle-6.3-bin.zip
[root@ssocas6 ~]# cd /opt/
[root@ssocas6 opt]# unzip /root/gradle-6.3-bin.zip 
[root@ssocas6 opt]# ln -s gradle-6.3 gradle
[root@ssocas6 opt]# ls -l gradle
lrwxrwxrwx 1 root root 10 22 mai   09:11 gradle -> gradle-6.3

definir dans la variable PATH l'acces au binaire gradle

[root@ssocas6 opt]# vim /etc/profile.d/gradle.sh
[root@ssocas6 opt]# cat /etc/profile.d/gradle.sh
export PATH=/opt/gradle/bin:$PATH

[root@cas6 opt]# source /etc/profile.d/gradle.sh
[root@cas6 opt]# gradle -v 

Welcome to Gradle 6.3!

nous sommes en cas 6.3.2 et souhaitons passer sur la derniere version de la branche 6.3.x (ce jour 6.3.7)

cela corrige le pb log4j , cf https://www.cert.ssi.gouv.fr/alerte/CERTFR-2021-ALE-022/

La reponse du dev de CAS : https://apereo.github.io/2021/12/11/log4j-vuln/

[root@cas6dev cas-overlay-template]# grep cas.version gradle.properties 
cas.version=6.3.2

[root@cas6dev cas-overlay-template]# git status
Sur la branche 6.3
Votre branche est à jour avec 'origin/6.3'.

Modifications qui ne seront pas validées :
  (utilisez "git add <fichier>..." pour mettre à jour ce qui sera validé)
  (utilisez "git restore <fichier>..." pour annuler les modifications dans le répertoire de travail)
	modifié :         build.gradle
	modifié :         etc/cas/config/cas.properties
	modifié :         etc/cas/config/log4j2.xml
	modifié :         gradle.properties
	modifié :         src/main/webapp/WEB-INF/web.xml

⇒ on a modifié des fichiers de parametrage non commité , il faut d'abord mettre ça a jour

[root@cas6dev cas-overlay-template]# git add build.gradle etc/cas/config/cas.properties etc/cas/config/log4j2.xml gradle.properties src/main/webapp/WEB-INF/web.xml

[root@cas6dev cas-overlay-template]# git commit -a -m "add build.gradle etc/cas/config/cas.properties etc/cas/config/log4j2.xml gradle.properties src/main/webapp/WEB-INF/web.xml JP " 
Committer: root <root@cas6dev.domain.fr>
5 files changed, 51 insertions(+), 5 deletions(-)

[root@cas6dev cas-overlay-template]# git branch -a 
* 6.3
  remotes/origin/4.1
  remotes/origin/4.2
  remotes/origin/5.0.x
  remotes/origin/5.1
  remotes/origin/5.2
  remotes/origin/5.3
  remotes/origin/6.0
  remotes/origin/6.1
  remotes/origin/6.2
  remotes/origin/6.3
  remotes/origin/HEAD -> origin/master
....

[root@cas6dev cas-overlay-template]# git pull
warning: Tirer sans spécifier comment réconcilier les branches divergentes
est découragé. Vous pouvez éliminer ce message en lançant une des
commandes suivantes avant votre prochain tirage :

  git config pull.rebase false  # fusion (stratégie par défaut)
  git config pull.rebase true   # rebasage
  git config pull.ff only       # avance rapide seulement

Vous pouvez remplacer "git config" par "git config --global" pour que
ce soit l'option par défaut pour tous les dépôts. Vous pouvez aussi
passer --rebase, --no-rebase ou --ff-only sur la ligne de commande pour
remplacer à l'invocation la valeur par défaut configurée.

remote: Enumerating objects: 248, done.
remote: Counting objects: 100% (248/248), done.
remote: Compressing objects: 100% (141/141), done.
remote: Total 248 (delta 86), reused 213 (delta 56), pack-reused 0
Réception d'objets: 100% (248/248), 1.36 Mio | 4.93 Mio/s, fait.
Résolution des deltas: 100% (86/86), complété avec 5 objets locaux.
Depuis https://github.com/apereo/cas-overlay-template
 + 995813b...e33879a 6.3           -> origin/6.3  (mise à jour forcée)
 * [nouvelle branche] 6.4           -> origin/6.4
   2d981ee..d9d2770  graal         -> origin/graal
 * [nouvelle branche] graal-starter -> origin/graal-starter
 + 652546e...1ae808c master        -> origin/master  (mise à jour forcée)
fatal: refus de fusionner des historiques sans relation

on a un soucis fusion des versions

[root@cas6dev cas-overlay-template]# git status
Sur la branche 6.3
Votre branche et 'origin/6.3' ont divergé,
et ont 390 et 2 commits différents chacune respectivement.
  (utilisez "git pull" pour fusionner la branche distante dans la vôtre)

notre branche locale a divergé avec la remote (origin/6.3)

[root@cas6dev cas-overlay-template]# git pull
warning: Tirer sans spécifier comment réconcilier les branches divergentes
est découragé. Vous pouvez éliminer ce message en lançant une des
commandes suivantes avant votre prochain tirage :

  git config pull.rebase false  # fusion (stratégie par défaut)
  git config pull.rebase true   # rebasage
  git config pull.ff only       # avance rapide seulement

Vous pouvez remplacer "git config" par "git config --global" pour que
ce soit l'option par défaut pour tous les dépôts. Vous pouvez aussi
passer --rebase, --no-rebase ou --ff-only sur la ligne de commande pour
remplacer à l'invocation la valeur par défaut configurée.

fatal: refus de fusionner des historiques sans relation

premiere tentative de rebase sur la derniere version

[root@cas6dev cas-overlay-template]# git pull --rebase 
Fusion automatique de gradle.properties
CONFLIT (contenu) : Conflit de fusion dans gradle.properties
Fusion automatique de etc/cas/config/log4j2.xml
CONFLIT (contenu) : Conflit de fusion dans etc/cas/config/log4j2.xml
Fusion automatique de etc/cas/config/cas.properties
CONFLIT (contenu) : Conflit de fusion dans etc/cas/config/cas.properties
Fusion automatique de build.gradle
CONFLIT (contenu) : Conflit de fusion dans build.gradle
error: impossible d'appliquer 36afdb9... add build.gradle etc/cas/config/cas.properties etc/cas/config/log4j2.xml gradle.properties src/main/webapp/WEB-INF/web.xml JP
Resolve all conflicts manually, mark them as resolved with
"git add/rm <conflicted_files>", then run "git rebase --continue".
You can instead skip this commit: run "git rebase --skip".
To abort and get back to the state before "git rebase", run "git rebase --abort".
impossible d'appliquer 36afdb9... add build.gradle etc/cas/config/cas.properties etc/cas/config/log4j2.xml gradle.properties src/main/webapp/WEB-INF/web.xml JP

on doit corriger manuellement les fichiers en conflit (ceux qu'on a modifier pour notre parametrage local) , ici build.gradle dans un premier temps

           }
            projectsToAdd.each {implementation it}
        }
    }
<<<<<<< HEAD






    developmentOnly "org.springframework.boot:spring-boot-devtools"
=======
    // CAS dependencies/modules may be listed here statically...
    implementation "org.apereo.cas:cas-server-webapp-init:${casServerVersion}"
    // ADD support-ldap json DISI 
    implementation "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
    // ADD Monitoring & Status https://fawnoos.com/2020/11/09/cas63-gettingstarted-overlay/#user-interface-customizations
    //implementation "org.apereo.cas:cas-server-core-monitor:${casServerVersion}"

>>>>>>> 36afdb9... add build.gradle etc/cas/config/cas.properties etc/cas/config/log4j2.xml gradle.properties src/main/webapp/WEB-INF/web.xml JP
}

on retire les commentaires du conflit (««HEAD ==== »»> ) et au passage remplace la variable ${casServerVersion} par project.'cas.version' , car casServerVersion n'est plus definit (def1)

corriger aussi les autres fichiers en conflit

root@cas6dev cas-overlay-template]# git status
rebasage interactif en cours ; sur e33879a
Dernière commande effectuée (1 commande effectuée) :
   pick 36afdb9 add build.gradle etc/cas/config/cas.properties etc/cas/config/log4j2.xml gradle.properties src/main/webapp/WEB-INF/web.xml JP
Aucune commande restante.
Vous êtes en train de rebaser la branche '6.3' sur 'e33879a'.
  (réglez les conflits puis lancez "git rebase --continue")
  (utilisez "git rebase --skip" pour sauter ce patch)
  (utilisez "git rebase --abort" pour extraire la branche d'origine)

Modifications qui seront validées :
  (utilisez "git restore --staged <fichier>..." pour désindexer)
	modifié :         src/main/webapp/WEB-INF/web.xml

Chemins non fusionnés :
  (utilisez "git restore --staged <fichier>..." pour désindexer)
  (utilisez "git add <fichier>..." pour marquer comme résolu)
	modifié des deux côtés :  build.gradle
	modifié des deux côtés :  etc/cas/config/cas.properties
	modifié des deux côtés :  etc/cas/config/log4j2.xml
	modifié des deux côtés :  gradle.properties

on corrige les conflits de tous les fichiers énoncés ci-dessus

[root@cas6dev cas-overlay-template]# vim etc/cas/config/cas.properties
[root@cas6dev cas-overlay-template]# vim etc/cas/config/log4j2.xml
[root@cas6dev cas-overlay-template]# vim gradle.properties
[root@cas6dev cas-overlay-template]# git add build.gradle etc/cas/config/cas.properties etc/cas/config/log4j2.xml gradle.properties
[root@cas6dev cas-overlay-template]# git commit -a -m "merged build.gradle etc/cas/config/cas.properties etc/cas/config/log4j2.xml gradle.properties JP"
[HEAD détachée 088681c] merged build.gradle etc/cas/config/cas.properties etc/cas/config/log4j2.xml gradle.properties JP
 Committer: root <root@cas6dev.domain.fr>


 5 files changed, 55 insertions(+), 9 deletions(-)

maintenant que tout est mergé/corrigé on continue le git rebase

[root@cas6dev cas-overlay-template]# git rebase --continue
Rebasage et mise à jour de refs/heads/6.3 avec succès.

d'abord on arrete tomcat pour avoir le maximum de RAM dispos pour le JVM du process gradle

[root@cas6dev cas-overlay-template]# systemctl stop tomcat.service 

on peux reconstruire le projet sur cette nouvelle version maintenant

[root@cas6dev cas-overlay-template]# ./gradlew clean build --no-daemon

To honour the JVM settings for this build a single-use Daemon process will be forked. See https://docs.gradle.org/7.3.1/userguide/gradle_daemon.html#sec:disabling_the_daemon.
Daemon will be stopped at the end of the build 

Deprecated Gradle features were used in this build, making it incompatible with Gradle 8.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

See https://docs.gradle.org/7.3.1/userguide/command_line_interface.html#sec:command_line_warnings

BUILD SUCCESSFUL in 1m 31s
12 actionable tasks: 12 executed
[root@cas6dev cas-overlay-template]# pwd
/opt/6.3-update-guiEB-cas-overlay-template/cas-overlay-template
         
[root@cas6dev cas-overlay-template]# cp /opt/6.3-update-guiEB-cas-overlay-template/cas-overlay-template/build/libs/cas.war /opt/tomcat/webapps/
cp : voulez-vous écraser '/opt/tomcat/webapps/cas.war' ? y

on redemare tomcat

[root@cas6dev cas-overlay-template]# systemctl start tomcat.service 
[root@cas6dev cas-overlay-template]# tail -f /opt/tomcat/logs/catalina.out 

     _    ____  _____ ____  _____ ___     ____    _    ____  
    / \  |  _ \| ____|  _ \| ____/ _ \   / ___|  / \  / ___| 
   / _ \ | |_) |  _| | |_) |  _|| | | | | |     / _ \ \___ \ 
  / ___ \|  __/| |___|  _ <| |__| |_| | | |___ / ___ \ ___) |
 /_/   \_\_|   |_____|_| \_\_____\___/   \____/_/   \_\____/ 
                                                             

CAS Version: 6.3.7
CAS Branch: 6.3.x
CAS Commit Id: 7fd72bfc3b295ffea9c9a518a082ff701aa97afa
CAS Build Date/Time: 2021-12-11T22:13:16Z
Spring Boot Version: 2.3.7.RELEASE
Spring Version: 5.2.12.RELEASE
Java Home: /usr/lib/jvm/java-11-openjdk-11.0.12.0.7-0.el8_4.x86_64
Java Vendor: Red Hat, Inc.
Java Version: 11.0.12
JVM Free Memory: 348 MB
JVM Maximum Memory: 910 MB
JVM Total Memory: 623 MB

On est up2date pour CAS ! .

depuis le passage en rhel/centos/vz..; 8 il n'y a plus de tomcat packagé au profit de Jboss . Ici nous avons donc une version tar.gz de tomcat , qu'il faut donc updater manuellement

[root@cas6dev opt]# wget https://downloads.apache.org/tomcat/tomcat-9/v9.0.56/bin/apache-tomcat-9.0.56.tar.gz
[root@cas6dev opt]# tar xvfz apache-tomcat-9.0.56.tar.gz
[root@cas6dev opt]# chown -R tomcat:tomcat apache-tomcat-9.0.56

[root@cas6dev opt]# cd apache-tomcat-9.0.56

il faut retablir la configuration dans les fichiers configurés

1. conf/server.xml # activer le connector AJP en 8009 pour notre frontal apache-httpd
2. conf/tomcat-users.xml # configuerer des role/users si manager utilisé
3. webapps/manager/META-INF/context.xml # definir le controle d'acces IP au manager

on remet la cas.war dans le webapps du la nouvelle version tomcat pour redeploiement automatique au lancement de tomcat

[root@cas6dev opt]# cp /opt/6.3-updated-cas-overlay-template/cas-overlay-template/build/libs/cas.war /opt/apache-tomcat-9.0.56/webapps/

on arrete tomcat, repositionne le lien /opt/tomcat vers notre nouvelle version et on relance tomcat

[root@cas6dev opt]# systemctl stop tomcat.service 
[root@cas6dev opt]# rm tomcat
rm : supprimer 'tomcat' du type lien symbolique ? y
[root@cas6dev opt]# ln -s apache-tomcat-9.0.56 tomcat 
[root@cas6dev opt]# systemctl start tomcat 
[root@cas6dev opt]# tail -f tomcat/logs/catalina.out 
...
    / \  |  _ \| ____|  _ \| ____/ _ \   / ___|  / \  / ___| 
   / _ \ | |_) |  _| | |_) |  _|| | | | | |     / _ \ \___ \ 
  / ___ \|  __/| |___|  _ <| |__| |_| | | |___ / ___ \ ___) |
 /_/   \_\_|   |_____|_| \_\_____\___/   \____/_/   \_\____/ 
                                                             

CAS Version: 6.3.7
CAS Branch: 6.3.x
..
------------------------------------------------------------
Apache Tomcat Version: Apache Tomcat/9.0.56
------------------------------------------------------------