From 9bcb38a73b10740631d390303eae05da17ecae5a Mon Sep 17 00:00:00 2001
From: travis-ci
Date: Wed, 12 Feb 2020 12:35:17 +0000
Subject: [PATCH] Published docs from master to [gh-pages]. Build 17108 - Updated: code cleanup and styling; fixes test cases
---
 .../Configuration-Properties-Common.md | 58 +++++++++++-------
 .../configuration/Configuration-Properties.md | 37 ++++++++++++
 .../Configuration-Server-Management.md | 18 ++++++
 .../Passwordless-Authentication.md | 13 ++++-
 development/protocol/OpenID-Protocol.md | 5 ++
 5 files changed, 106 insertions(+), 25 deletions(-)
diff --git a/development/configuration/Configuration-Properties-Common.md b/development/configuration/Configuration-Properties-Common.md
index 7cc5f7e13112..248a279d38d8 100644
--- a/development/configuration/Configuration-Properties-Common.md
+++ b/development/configuration/Configuration-Properties-Common.md
@@ -186,6 +186,15 @@ def byte[] run(final Object... args) {
 logger.debug("Encoding password...")
 return ...
 }
+
+def Boolean matches(final Object... args) {
+ def rawPassword = args[0]
+ def encodedPassword = args[1]
+ def logger = args[2]
+ def casApplicationContext = args[3]
+
+ logger.debug("Does match or not ?");
+ return ...
 ```
 
 ## Authentication Principal Transformation
@@ -512,13 +521,13 @@ More advanced Hazelcast configuration settings are listed below, given the compo
 # ${configurationKey}.cluster.tcpipEnabled=true
 # ${configurationKey}.cluster.partitionMemberGroupType=HOST_AWARE|CUSTOM|PER_MEMBER|ZONE_AWARE|SPI
-# ${configurationKey}.cluster.mapMergePolicy=com.hazelcast.map.merge.PutIfAbsentMapMergePolicy
+# ${configurationKey}.cluster.mapMergePolicy=PUT_IF_ABSENT|HIGHER_HITS|DISCARD|PASS_THROUGH|EXPIRATION_TIME|LATEST_UPDATE|LATEST_ACCESS
 # ${configurationKey}.cluster.evictionPolicy=LRU
 # ${configurationKey}.cluster.maxNoHeartbeatSeconds=300
 # ${configurationKey}.cluster.loggingType=slf4j
 # ${configurationKey}.cluster.portAutoIncrement=true
-# ${configurationKey}.cluster.maxHeapSizePercentage=85
+# ${configurationKey}.cluster.maxSize=85
 # ${configurationKey}.cluster.backupCount=1
 # ${configurationKey}.cluster.asyncBackupCount=0
 # ${configurationKey}.cluster.maxSizePolicy=USED_HEAP_PERCENTAGE
@@ -530,32 +539,27 @@ More advanced Hazelcast configuration settings are listed below, given the compo
 # ${configurationKey}.cluster.outboundPorts[0]=45000
 ```
 
-### Management Center
-
-```properties
-# ${configurationKey}.managementCenter.url=
-# ${configurationKey}.managementCenter.enabled=false
-# ${configurationKey}.managementCenter.updateInterval=5
-```
-
 ### Static WAN Replication
 
 ```properties
 # ${configurationKey}.cluster.wanReplication.enabled=false
 # ${configurationKey}.cluster.wanReplication.replicationName=CAS
-# ${configurationKey}.cluster.wanReplication[0].groupName=
-# ${configurationKey}.cluster.wanReplication[0].groupPassword=
-# ${configurationKey}.cluster.wanReplication[0].endpoints=1.2.3.4,4.5.6.7
-# ${configurationKey}.cluster.wanReplication[0].publisherClassName=com.hazelcast.enterprise.wan.replication.WanBatchReplication
-# ${configurationKey}.cluster.wanReplication[0].queueFullBehavior=THROW_EXCEPTION
-# ${configurationKey}.cluster.wanReplication[0].acknowledgeType=ACK_ON_OPERATION_COMPLETE
-# ${configurationKey}.cluster.wanReplication[0].queueCapacity=10000
-# ${configurationKey}.cluster.wanReplication[0].batchSize=500
-# ${configurationKey}.cluster.wanReplication[0].snapshotEnabled=false
-# ${configurationKey}.cluster.wanReplication[0].batchMaximumDelayMilliseconds=1000
-# ${configurationKey}.cluster.wanReplication[0].responseTimeoutMilliseconds=60000
-# ${configurationKey}.cluster.wanReplication[0].executorThreadCount=2
+# ${configurationKey}.cluster.wanReplication.targets[0].endpoints=1.2.3.4,4.5.6.7
+# ${configurationKey}.cluster.wanReplication.targets[0].publisherClassName=com.hazelcast.enterprise.wan.replication.WanBatchReplication
+# ${configurationKey}.cluster.wanReplication.targets[0].queueFullBehavior=THROW_EXCEPTION
+# ${configurationKey}.cluster.wanReplication.targets[0].acknowledgeType=ACK_ON_OPERATION_COMPLETE
+# ${configurationKey}.cluster.wanReplication.targets[0].queueCapacity=10000
+# 
${configurationKey}.cluster.wanReplication.targets[0].batchSize=500
+# ${configurationKey}.cluster.wanReplication.targets[0].snapshotEnabled=false
+# ${configurationKey}.cluster.wanReplication.targets[0].batchMaximumDelayMilliseconds=1000
+# ${configurationKey}.cluster.wanReplication.targets[0].responseTimeoutMilliseconds=60000
+# ${configurationKey}.cluster.wanReplication.targets[0].executorThreadCount=2
+
+# ${configurationKey}.cluster.wanReplication.targets[0].consistencyCheckStrategy=NONE|MERKLE_TREES
+# ${configurationKey}.cluster.wanReplication.targets[0].clusterName=
+# ${configurationKey}.cluster.wanReplication.targets[0].publisherId=
+# ${configurationKey}.cluster.wanReplication.targets[0].properties=
 ```
 ### Multicast Discovery
@@ -1092,7 +1096,15 @@ The following options are shared and apply when CAS is configured to send SMS no
 You will also need to ensure a provider is defined that is able to send SMS messages. To learn more about this topic, [please review this guide](../notifications/SMS-Messaging-Configuration.html).
- 
+
+## Webflow Auto Configuration
+
+Control aspects of webflow that relate to auto-configuration of webflow states, transitions and execution order.
+
+```properties
+# ${configurationKey}.order=
+```
+
 ## Delegated Authentication Settings
 
 The following options are shared and apply when CAS is configured to delegate authentication
diff --git a/development/configuration/Configuration-Properties.md b/development/configuration/Configuration-Properties.md
index 8f7573a51b1c..8178af0f32d6 100644
--- a/development/configuration/Configuration-Properties.md
+++ b/development/configuration/Configuration-Properties.md
@@ -281,6 +281,18 @@ are available [here](Configuration-Properties-Common.html#database-settings) und
 # cas.spring.cloud.jdbc.sql=SELECT id, name, value FROM CAS_SETTINGS_TABLE
 ```
 
+### REST
+
+Allow the CAS Spring Cloud configuration server to load settings from a REST API.
+
+```properties
+# cas.spring.cloud.rest.url=
+# cas.spring.cloud.rest.basicAuthUsername=
+# cas.spring.cloud.rest.basicAuthPassword=
+# cas.spring.cloud.rest.method=
+# cas.spring.cloud.rest.headers=Header1:Value1;Header2:Value2
+```
+
 ## Configuration Security
 
 To learn more about how sensitive CAS settings can be
@@ -2159,6 +2171,11 @@ Principal resolution and Person Directory settings for this feature are availabl
 # cas.authn.spnego.ntlm=false
 ```
 
+### Webflow configuration
+
+Webflow auto-configuration settings for this feature are available [here](Configuration-Properties-Common.html#webflow-auto-configuration) under
+the configuration key `cas.authn.spnego.webflow`.
+
 ### System Settings
 
 ```properties
@@ -2268,6 +2285,11 @@ To learn more about this topic, [please review this guide](../installation/JWT-A
 # cas.authn.token.name=
 ```
 
+### Webflow configuration
+
+Webflow auto-configuration settings for this feature are available [here](Configuration-Properties-Common.html#webflow-auto-configuration) under
+the configuration key `cas.authn.token.webflow`.
+
 ### JWT Tickets
 
 Allow CAS tickets through various protocol channels to be created as JWTs. See [this guide](../installation/Configure-ServiceTicket-JWT.html)
@@ -2421,6 +2443,11 @@ Password encoding settings for this feature are available [here](Configuration-P
 To learn more about this topic, [please review this guide](../installation/X509-Authentication.html).
 
+### Webflow configuration
+
+Webflow auto-configuration settings for this feature are available [here](Configuration-Properties-Common.html#webflow-auto-configuration) under
+the configuration key `cas.authn.x509.webflow`.
+
 ### Principal Resolution
 
 X.509 principal resolution can act on the following principal types:
@@ -5178,6 +5205,11 @@ To learn more about this topic, [please review this guide](../integration/Attrib
 Signing & encryption settings for this feature are available [here](Configuration-Properties-Common.html#signing--encryption) under the configuration key `cas.consent`. The signing and encryption keys [are both JWKs](Configuration-Properties-Common.html#signing--encryption) of size `512` and `256`.
 
+### Webflow configuration
+
+Webflow auto-configuration settings for this feature are available [here](Configuration-Properties-Common.html#webflow-auto-configuration) under
+the configuration key `cas.consent.webflow`.
+
 ### JSON Attribute Consent
 
 ```properties
@@ -5276,6 +5308,11 @@ available [here](Configuration-Properties-Common.html#sms-notifications) under t
 The signing and encryption keys [are both JWKs](Configuration-Properties-Common.html#signing--encryption) of size `512` and `256`. The encryption algorithm is set to `AES_128_CBC_HMAC_SHA_256`. Signing & encryption settings for this feature are available [here](Configuration-Properties-Common.html#signing--encryption) under the configuration key `cas.authn.pm.reset`.
 
+### Webflow configuration
+
+Webflow auto-configuration settings for this feature are available [here](Configuration-Properties-Common.html#webflow-auto-configuration) under
+the configuration key `cas.authn.pm.webflow`.
+
 ### Password History
 
 To learn more about this topic, [please review this guide](../installation/Password-Policy-Enforcement.html).
diff --git a/development/configuration/Configuration-Server-Management.md b/development/configuration/Configuration-Server-Management.md
index d327e2d03ccb..8da23fad0939 100644
--- a/development/configuration/Configuration-Server-Management.md
+++ b/development/configuration/Configuration-Server-Management.md
@@ -401,6 +401,24 @@ Support is provided via the following dependency in the WAR overlay:
 By default, settings are expected to be found under a `CAS_SETTINGS_TABLE` that contains the fields: `id`, `name` and `value`. To see the relevant list of CAS properties for this feature, please [review this guide](Configuration-Properties.html#jdbc).
 
+##### REST
+
+CAS is also able to locate properties and settings using a REST API.
+
+Support is provided via the following dependency in the WAR overlay:
+
+```xml
+
+ org.apereo.cas
+ cas-server-support-configuration-cloud-rest
+ ${cas.version}
+
+```
+
+The REST endpoint is expected to produce a `Map` in the payload with keys as the setting names
+and values as the setting value. To see the relevant list of CAS properties for this
+feature, please [review this guide](Configuration-Properties.html#rest).
+
 #### CAS Server Cloud Configuration
 
 The cloud configuration modules provided above on this page by the CAS project directly may also be used verbatim inside
diff --git a/development/installation/Passwordless-Authentication.md b/development/installation/Passwordless-Authentication.md
index 342c4587d6d2..32389b710ec4 100644
--- a/development/installation/Passwordless-Authentication.md
+++ b/development/installation/Passwordless-Authentication.md
@@ -84,7 +84,8 @@ def run(Object[] args) {
 account.setName("TestUser")
 account.setPhone("123-456-7890")
 account.setAttributes(Map.of("...", List.of("...", "..."))
- account.setMultifactorAuthenticationEligible(false)
+ account.setMultifactorAuthenticationEligible(false)
+ account.setRequestPassword(false)
 return account
 }
 ```
@@ -102,7 +103,8 @@ would produce a response body similar to the following:
 "phone" : "123-456-7890",
 "name" : "CASUser",
 "multifactorAuthenticationEligible": false,
- "delegatedAuthenticationEligible": false,
+ "delegatedAuthenticationEligible": false,
+ "requestPassword": false,
 "attributes":{ "lastName" : ["...", "..."] }
 }
 ```
@@ -180,6 +182,13 @@ Users may be notified of tokens via text messages, mail, etc.
 To learn more about available options, please [see this guide](../notifications/SMS-Messaging-Configuration.html) or [this guide](../notifications/Sending-Email-Configuration.html).
 
+## Disabling Passwordless Authentication Flow
+
+Passwordless authentication can be disabled conditionally on a per-user basis. If the passwordless account retrieved from the account store
+carries a user whose `requestPassword` is set to `true`, the passwordless flow (i.e. as described above with token generation, etc) will
+be disabled and skipped in favor of the more usual CAS authentication flow, challenging the user for a password. Support for this behavior may depend
+on each individual account store implementation.
+
 ## Multifactor Authentication Integration
 
 Passwordless authentication can be integrated with [CAS multifactor authentication providers](../mfa/Configuring-Multifactor-Authentication.html). In this scenario,
diff --git a/development/protocol/OpenID-Protocol.md b/development/protocol/OpenID-Protocol.md
index 31b2576eae78..82dd955214c7 100644
--- a/development/protocol/OpenID-Protocol.md
+++ b/development/protocol/OpenID-Protocol.md
@@ -9,6 +9,11 @@ category: Protocols
 OpenID is an open, decentralized, free framework for user-centric digital identity. Users represent themselves using URIs. For more information see the [http://www.openid.net](http://www.openid.net).
+
Usage +

This feature is deprecated and is scheduled to be removed in the future. If you can, consider using +a more mainstream and recent authentication protocol.

+
+
 CAS supports both the "dumb" and "smart" modes of the OpenID protocol. Dumb mode acts in a similar fashion to the existing CAS protocol. The smart mode differs in that it establishes an association between the client and the openId provider (OP) at the beginning. Thanks to that association and the key exchange done during association,