Hi Ben,
I just saw the question at the end of your message. The web.xml file has changed for 2.4 and is now a static file. I'm not sure if the installer deletes the web.*.xml source files during an upgrade, but I expect they would be ignored during a 2.4 build.
Are you still using the web app filter? If you didn't create a subdirectory to trigger the CAS session setup, what do you have for the url pattern in the filter?
If it's just /*, isn't that triggering ticket validation on every page? Or maybe it's skipping it if it sees the session existing? I'm not well-versed in CAS processes. If I can get rid of those extra steps, it would simplify our wiki instructions.
Thanks for the feedback!
Chad
From: Ben Beecher [mailto:]
Sent: Thursday, April 25, 2019 5:00 PM
To: Redman, Chad <>
Cc: Baron Fujimoto <>; Grouper Users <>; Hyzer, Chris <>; Andrew Johnston <>; Ben Beecher <>
Subject: Re: [grouper-users] upgrading to 2.4
CAS is working with our Grouper 2.4 instance. Thanks for your help with this. Logout is working.
I did not need the extra cas directory cas/index.jsp so I didn't need steps 2a, 2b, and 3.
I removed the security constraints from web.xml since those were preventing access. I think those came from web.core.xml.
    <web-resource-collection>
        <web-resource-name>UI</web-resource-name>
        <url-pattern>/grouperUi/app/*</url-pattern>
    </web-resource-collection>
    <role-name>grouper_user</role-name>
    <web-resource-collection>
        <web-resource-name>UI</web-resource-name>
        <url-pattern>/grouperUi/appHtml/*</url-pattern>
    </web-resource-collection>
    <role-name>grouper_user</role-name>
    <web-resource-collection>
        <web-resource-name>UI</web-resource-name>
        <url-pattern>/grouperExternal/app/*</url-pattern>
    </web-resource-collection>
    <role-name>grouper_user</role-name>
I will need to merge those changes into /var/grouper/installGrouper2.3/grouper.ui-2.3.0/webapp/WEB-INF/web.core.xml
and then rebuild ("ant war") and copy the new web app to the Tomcat directory. Is that right?
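An added example, not part of the thread and not Grouper's own code: a check that the URL patterns from the security constraints quoted above are still guarded once those constraints are removed, either by a remaining security-constraint that has an auth-constraint or by a CAS AuthenticationFilter mapping. The sample web.xml is constructed, and the script assumes nothing else in the webapp enforces login for those paths.

```python
import xml.etree.ElementTree as ET

AUTH_FILTER = "org.jasig.cas.client.authentication.AuthenticationFilter"
# URL patterns taken from the security constraints quoted in the thread.
PROTECTED = ["/grouperUi/app/*", "/grouperUi/appHtml/*", "/grouperExternal/app/*"]

# Constructed sample: the CAS filter mapped to /cas/* only, constraints removed.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/cas/*</url-pattern>
  </filter-mapping>
</web-app>"""

def load(xml_text):
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # ignore the web-app namespace
    return root
def text(el, tag):
    return (el.findtext(tag) or "").strip()

def covers(pattern, target):
    """True if servlet url-pattern `pattern` matches every path under `target`."""
    if pattern in ("/*", target):
        return True
    if not pattern.endswith("/*"):
        return False  # exact and *.ext patterns never cover a whole subtree
    prefix = pattern[:-2]
    base = target[:-2] if target.endswith("/*") else target
    return base == prefix or base.startswith(prefix + "/")

def unprotected_paths(xml_text, protected=PROTECTED):
    """Protected paths covered by neither an auth-constraint nor the CAS filter."""
    root = load(xml_text)
    names = {text(f, "filter-name") for f in root.iter("filter")
             if text(f, "filter-class") == AUTH_FILTER}
    guards = [p.text.strip() for m in root.iter("filter-mapping")
              if text(m, "filter-name") in names
              for p in m.findall("url-pattern") if p.text]
    guards += [p.text.strip() for c in root.iter("security-constraint")
               if c.find("auth-constraint") is not None
               for p in c.iter("url-pattern") if p.text]
    return [t for t in protected if not any(covers(g, t) for g in guards)]

print(unprotected_paths(SAMPLE_WEB_XML))
```

Run it against the deployed WEB-INF/web.xml after each merge or rebuild; an empty list means every listed path is still behind a constraint or the CAS filter.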
On Tue, Apr 16, 2019 at 11:50 AM Redman, Chad <> wrote:
I'm hoping we can move away from the custom classes and ant config -- the Java classes are from 2009 and specific to the older UI that isn't in use. Ideally it would be a change in web config, and adding an additional library.
I was able to get something working locally. It's using a 4.0 cas server and 3.5 client library, so YMMV. Here is what I did.
1) Downloaded cas-client-core (latest 3.5.1) and put into WEB-INF/lib; source either from Maven (https://search.maven.org/search?q=g:org.jasig.cas.client%20AND%20a:cas-client-core&core=gav) or from mvnrepository site which has ads (https://mvnrepository.com/artifact/org.jasig.cas.client/cas-client-core)
2a) Copied webapp index.jsp to cas/index.jsp
2b)* Edited paths in cas/index.jsp, to reference parent directory instead of the current one
<%@ include file="../WEB-INF/grouperUi2/assetsJsp/commonTaglib.jsp"%>
String location="../grouperUi/app/UiV2Main.index?operation=UiV2Main.indexMain";
3)* Added to WEB-INF/classes/Owasp.CsrfGuard.overlay.properties
org.owasp.csrfguard.unprotected.CASLogin=%servletContext%/cas/*
4) Added to WEB-INF/web.xml, changing parameters as needed. Based on
https://apereo.atlassian.net/wiki/spaces/CASC/pages/103252594/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml
    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>http://localhost:8080/cas</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://localhost:8080</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/cas/*</url-pattern>
    </filter-mapping>
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>http://localhost:8080/cas</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://localhost:8080</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/cas/*</url-pattern>
    </filter-mapping>
    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/cas/*</url-pattern>
    </filter-mapping>
5) Start Tomcat, check catalina and localhost logs if any startup errors
6) Go to http://localhost:8080/grouper/cas/index.jsp
~~~~~
*I initially tried to set up a copy of index.jsp as cas.jsp in the top level of the webapp, so that the paths did not need to be adjusted in the file. It sometimes worked, but other times it gave an error page. The times it failed were when there was no existing webapp session, so it appended ";jsessionid=.." after the URL. Somehow that broke the CSRFGuard exception, even if I put in wildcards that should have matched. If someone understands the subtlety there, I'd be interested in knowing.
The logout seems to be doing the right thing, and clearing out the session including the authentication. I haven't tested inactivity timeouts so that is still unverified.
My institution isn't using CAS, so this was just a proof of concept. If this works for you with some other adjustments, let us know and we can update our documentation.
-Chad
-----Original Message-----
From: [mailto:] On Behalf Of Baron Fujimoto
Sent: Tuesday, April 16, 2019 12:04 AM
To: Grouper Users <>
Subject: Re: [grouper-users] upgrading to 2.4
We're about to embark on upgrading to 2.4 from 2.2, and we rely on CAS AuthN. Hopefully this can be sorted out!
On Tue, Apr 16, 2019 at 03:24:35AM +0000, Redman, Chad wrote:
>The immediate problem may be the build using source code from 2.3 but libraries from 2.4. The servlet api library was upgraded from 2.3 to 3.1 (so compatible with Tomcat 8), and it includes a few new abstract methods. In the grouper 2.4 code, those methods have been implemented, so you wouldn't have seen those errors.
>
>But the bigger issue is probably going to be that the CAS contrib code is likely out of date. The struts code has been removed, so the web.xml settings won't be effective, and some URIs hardcoded in Java files will need to be adjusted.
>
>I'm throwing together a quick cas demo server, and doing some quick tests to see what kind of shape 2.4 is in.
>
>-Chad
>
>
>From: [mailto:] On Behalf Of Ben Beecher
>Sent: Monday, April 15, 2019 4:09 PM
>To: Hyzer, Chris <>
>Cc: Mailing List <>
>Subject: Re: [grouper-users] upgrading to 2.4
>
>Hi Chris,
>I upgraded those modules again with the full patch set and it's working now. Thanks for your help.
>After upgrading to Grouper 2.4 the CAS authentication is no longer working. I can only use Basic Auth to log in to Grouper 2.4. We have been using the Yale CAS Client (yale-cas-auth) following these instructions
>https://spaces.at.internet2.edu/display/Grouper/Implementing+CAS+Authentication+for+Grouper
>
>I double checked the updates to these files
>/var/grouper/installGrouper2.3/grouper.ui-2.3.0/build.xml
>/var/grouper/installGrouper2.3/grouper.ui-2.3.0/contrib/yale-cas-auth/build.properties
>/var/grouper/installGrouper2.3/grouper.ui-2.3.0/webapp/WEB-INF/struts-config.xml
>/var/grouper/installGrouper2.3/grouper.apiBinary-2.3.0/conf/sources.xml
>
>Everything looks ok there, sources.xml was replaced by subject.properties. I am not sure if I need to rebuild the war file as per the instructions. When I try to rebuild I get some errors:
>
>$ ant war
>Buildfile: /var/grouper/installGrouper2.3/grouper.ui-2.3.0/build.xml
>
>
>-compileGrouper:
> [mkdir] Created dir: /var/grouper/installGrouper2.3/grouper.ui-2.3.0/temp/jarBin
> [javac] /var/grouper/installGrouper2.3/grouper.ui-2.3.0/build.xml:452: warning: 'includeantruntime' was not set, defaulting to build.sysclasspath=last; set to false for repeatable builds
> [javac] Compiling 324 source files to /var/grouper/installGrouper2.3/grouper.ui-2.3.0/temp/jarBin
> [javac] warning: [options] bootstrap class path not set in conjunction with -source 1.5
> [javac] warning: [options] source value 1.5 is obsolete and will be removed in a future release
> [javac] warning: [options] target value 1.5 is obsolete and will be removed in a future release
> [javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
> [javac] /var/grouper/installGrouper2.3/grouper.ui-2.3.0/java/src/edu/internet2/middleware/grouper/j2ee/GenericServletResponseWrapper.java:35: error: GenericServletResponseWrapper is not abstract and does not override abstract method getHeaderNames() in HttpServletResponse
> [javac] public class GenericServletResponseWrapper extends ServletResponseWrapper implements HttpServletResponse {
> [javac] ^
> [javac] /var/grouper/installGrouper2.3/grouper.ui-2.3.0/java/src/edu/internet2/middleware/grouper/ui/CaptureServletOutputStream.java:47: error: CaptureServletOutputStream is not abstract and does not override abstract method setWriteListener(WriteListener) in ServletOutputStream
> [javac] public class CaptureServletOutputStream extends ServletOutputStream {
> [javac] ^
> [javac] Note: Some input files use or override a deprecated API.
> [javac] Note: Recompile with -Xlint:deprecation for details.
> [javac] Note: Some input files use unchecked or unsafe operations.
> [javac] Note: Recompile with -Xlint:unchecked for details.
> [javac] 2 errors
> [javac] 4 warnings
>
>
>Any suggestions?
>Ben
>
>On Wed, Apr 3, 2019 at 9:00 AM Hyzer, Chris <<mailto:>> wrote:
>Are you sure you pointed the upgrader to the right spot? I think the WS might live somewhere else? Look in the Apache config and see where it is linking to.
>
>From: Ben Beecher <<mailto:>>
>Sent: Tuesday, April 02, 2019 4:05 PM
>To: Hyzer, Chris <<mailto:>>
>Cc: <mailto:> Mailing List <<mailto:>>; Ben Beecher <<mailto:>>
>Subject: Re: [grouper-users] upgrading to 2.4
>
>Hi Chris,
>I was able to get past that error by copying the old patches to /var/grouper/installGrouper2.3/tarballs/patches/
>I have another question for you.
>I used the Grouper upgrader to upgrade the api and ui modules. While upgrading the ws it reverted all patches and then it got this error:
>
>> Upgrading WS jars
>> Exception in thread "main" java.lang.RuntimeException: Why does jar directory not exist?
>> /var/grouper/installGrouper2.3/tarballs/grouper.ws-2.4.0/grouper-ws/build/dist/grouper-ws/WEB-INF/lib
>
>I created the last two subdirectories manually (WEB-INF/lib) and then I ran the upgrader again. I got a different error this time:
>
>Upgrading WS jars
>Upgraded 0 jar files from: /var/grouper/installGrouper2.3/tarballs/grouper.ws-2.4.0/grouper-ws/build/dist/grouper-ws/WEB-INF/lib
> to: /var/grouper/installGrouper2.3/grouper.ws-2.3.0/grouper-ws/build/dist/grouper-ws/WEB-INF/lib
>
>##################################
>Upgrading WS files
>Upgrading files from: /var/grouper/installGrouper2.3/tarballs/grouper.ws-2.4.0/grouper-ws/build/dist/grouper-ws/
> to: /var/grouper/installGrouper2.3/grouper.ws-2.3.0/grouper-ws/build/dist/grouper-ws/
> ignoring paths: WEB-INF/bin/gsh.sh, WEB-INF/bin/gsh.bat, WEB-INF/lib, WEB-INF/bin/gsh, WEB-INF/web.xml, WEB-INF/classes
>Compared 0 files and found 0 adds and 0 updates
>Backing up: /var/grouper/installGrouper2.3/grouper.ws-2.3.0/grouper-ws/build/dist/grouper-ws/WEB-INF/bin/gsh.bat to: /var/grouper/installGrouper2.3/tarballs/bak_WS_2019_03_26_21_06_36_798/WEB-INF/bin/gsh.bat
>Copying new file: /var/grouper/installGrouper2.3/tarballs/grouper.ws-2.4.0/grouper-ws/build/dist/grouper-ws/WEB-INF/bin/gsh.bat to: /var/grouper/installGrouper2.3/grouper.ws-2.3.0/grouper-ws/build/dist/grouper-ws/WEB-INF/bin/gsh.bat
>Exception in thread "main" java.lang.RuntimeException: java.io.FileNotFoundException: Source '/var/grouper/installGrouper2.3/tarballs/grouper.ws-2.4.0/grouper-ws/build/dist/grouper-ws/WEB-INF/bin/gsh.bat' does not exist
> at edu.internet2.middleware.grouperInstaller.util.GrouperInstallerUtils.copyFile(GrouperInstallerUtils.java:10550)
> at edu.internet2.middleware.grouperInstaller.GrouperInstaller.backupAndCopyFile(GrouperInstaller.java:6168)
> at edu.internet2.middleware.grouperInstaller.GrouperInstaller.upgradeWs(GrouperInstaller.java:13434)
> at edu.internet2.middleware.grouperInstaller.GrouperInstaller.access$5800(GrouperInstaller.java:84)
> at edu.internet2.middleware.grouperInstaller.GrouperInstaller$AppToUpgrade$4.upgradeApp(GrouperInstaller.java:6900)
> at edu.internet2.middleware.grouperInstaller.GrouperInstaller.mainUpgradeLogic(GrouperInstaller.java:4720)
> at edu.internet2.middleware.grouperInstaller.GrouperInstaller.access$600(GrouperInstaller.java:84)
> at edu.internet2.middleware.grouperInstaller.GrouperInstaller$GrouperInstallerMainFunction$3.logic(GrouperInstaller.java:1516)
> at edu.internet2.middleware.grouperInstaller.GrouperInstaller.mainLogic(GrouperInstaller.java:1728)
> at edu.internet2.middleware.grouperInstaller.GrouperInstaller.main(GrouperInstaller.java:561)
>Caused by: java.io.FileNotFoundException: Source '/var/grouper/installGrouper2.3/tarballs/grouper.ws-2.4.0/grouper-ws/build/dist/grouper-ws/WEB-INF/bin/gsh.bat' does not exist
> at edu.internet2.middleware.grouperInstaller.util.GrouperInstallerUtils.copyFile(GrouperInstallerUtils.java:10530)
> ... 9 more
>
>
>I see the new version of gsh.bat in the ui directory so perhaps I don't need to update the gsh.bat in the ws directory.
>
>$ ls -l /var/grouper/installGrouper2.3/grouper.ui-2.3.0/dist/grouper/WEB-INF/bin/gsh.bat
>-rwxr-xr-x. 1 idmserv idmserv 4174 Mar 26 20:46 /var/grouper/installGrouper2.3/grouper.ui-2.3.0/dist/grouper/WEB-INF/bin/gsh.bat
>Ben
>
>On Wed, Mar 20, 2019 at 9:39 AM Hyzer, Chris <<mailto:>> wrote:
>Ben, I think you need to download the 2.4 ALL zip, which you did, but you also need the 2.3 ALL zip, can you download that too so the file not found goes away and see if it works?
>
>From: <mailto:> <<mailto:>> On Behalf Of Hyzer, Chris
>Sent: Tuesday, March 19, 2019 11:35 PM
>To: Ben Beecher <<mailto:>>; <mailto:> Mailing List <<mailto:>>
>Subject: RE: [grouper-users] upgrading to 2.4
>
>Ugh, maybe copy the dir you are upgrading to an internet machine, upgrade, and copy back… sorry, I entered a jira…
>
>Thanks
>Chris
>
>From: <mailto:> <<mailto:>> On Behalf Of Ben Beecher
>Sent: Tuesday, March 19, 2019 4:00 PM
>To: <mailto:> Mailing List <<mailto:>>
>Subject: [grouper-users] upgrading to 2.4
>
>(1) I am trying to upgrade from version 2.3 to version 2.4. The Grouper upgrader wants to upgrade in place (not into a new directory) so do I need to rename the directory after the upgrade is complete? The current directory name is
>/var/grouper/installGrouper2.3
>
>and I think the new name should be
>/var/grouper/installGrouper2.4
>
>
>(2) I get an error during the upgrade process. My server is on a secure network so it can't download patch files from the internet. I downloaded the tar file which contains all patches
>http://software.internet2.edu/grouper/release/2.4.0/grouper.all-2.4.0.tar.gz
>
>I uncompressed and extracted the contents to this directory
>/var/grouper/grouper.all-2.4.0
>
>I created a properties file that points to the new directory
>
>$ cat /var/grouper/installGrouper2.3/grouper.installer.properties
>download.server.url = "/var/grouper/grouper.all-2.4.0
>
># default version to install
>grouper.version = 2.4.0
>
>I ran the installer with the "upgrade" option but it gets an error when it tries to access one of the 2.3 patch files. It's looking for a 2.3 patch file in the 2.4 directory that was recently downloaded.
>
>##################################
>Gather upgrade information
>
>Enter in a Grouper temp directory to download tarballs (note: better if no spaces or special chars) [/var/grouper/installGrouper2.3/tarballs]: /tmp/grouper/patches
>You need to revert all patches to upgrade
>
>################ Checking patch grouper_v2_3_0_api_patch_88
>Patch: grouper_v2_3_0_api_patch_88: was applied on: 2018/02/08 16:05:53
>
>Error connecting to URL: /var/grouper/grouper.all-2.4.0/release/2.3.0/patches/grouper_v2_3_0_api_patch_88.tar.gz
>Exception in thread "main" java.lang.RuntimeException: Error connecting to URL: /var/grouper/grouper.all-2.4.0/release/2.3.0/patches/grouper_v2_3_0_api_patch_88.tar.gz,
>
>I have attached the session log to this message.
>
>Ben
>
--
Baron Fujimoto <> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum