CAS switch the themes based on different services - cas

Trying to configure a custom theme based on the service has been quite an undertaking in CAS 6.2.0. We use the cas-overlay-template (https://github.com/apereo/cas-overlay-template) to configure and build the project.
The documentation is pretty clear about where to put the themes and what properties to use in the cas.properties file: https://apereo.github.io/cas/development/ux/User-Interface-Customization-Views.html
The property value to specify the templates location is set to:
#spring.thymeleaf.encoding=UTF-8
#spring.thymeleaf.prefix=file:///etc/cas/templates/
cas.view.templatePrefixes=file:///etc/cas/templates/
and I have the appropriate directory, as specified in the service configuration, under the templates directory above, but I continue to get the error:
2020-04-19 06:35:06,268 WARN [org.apereo.cas.services.web.RegisteredServiceThemeResolver] - <Custom theme [foobar] for service [AbstractRegisteredService(serviceId=^(https|imaps)://.*, name=HTTPS and IMAPS, theme=epc, informationUrl=null, privacyUrl=null, responseType=null, id=10000001, description=This service definition authorizes all application urls that support HTTPS and IMAPS protocols., expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null), acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true, messageCode=null, text=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy#1, proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null, serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null, evaluationOrder=10000, usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider#87297e2, logoutType=BACK_CHANNEL, environments=[], attributeReleasePolicy=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, excludedAttributes=null, includeOnlyAttributes=null, order=0), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null, order=0), allowedAttributes=[]), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[], failureMode=UNDEFINED, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false, forceExecution=false, bypassTrustedDeviceEnabled=false, bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null, script=null), logo=null, 
logoutUrl=null, redirectUrl=null, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[], permitUndefined=true, exclusive=false), requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[], criteria=null), properties={}, contacts=[])] cannot be located. Falling back to default theme...>
Nowhere in the documentation does it mention the directory structure for the theme, the filenames or the format. I understand the project is using Thymeleaf, but we still need filenames and, I guess, a better understanding of how to set the theme path so CAS can find the theme.
If you had any luck configuring this it would be great if you shared the part of your configuration we are missing.

After a LOT of testing and playing around with the configuration I finally got it to work as I expected it to work. I have put a small project together just in case someone else had this issue and needs a quick tutorial. You can see the project at: https://github.com/dannymk/cas-dynamic-style

Related

Wazuh active response with VirusTotal is not working

Wanted to integrate with VirusTotal and Yara but it seems like active response doesn't work as expected by following the steps in the link below:
https://documentation.wazuh.com/current/user-manual/capabilities/active-response/ar-use-cases/removing-malware.html
After adding/downloading eicar.com in the /root directory and reading ossec.log, I get the following output:
About VirusTotal
I just followed the documentation and it worked well for me in Wazuh Manager 4.3.4 and a Wazuh Agent of the same version.
I got those same messages in /var/ossec/logs/ossec.log of the Wazuh Agent. Those appear when the files do not exist or the proper permissions are not assigned; those files were replaced already in 4.2 but still show up in the log. Since you are trying to use the script from the documentation, do not worry about those messages.
If you check under /var/ossec/logs/active-responses.log do you get any error?
What version of Wazuh Manager and Wazuh Agent are you using?
About Yara
It shouldn't be related to VirusTotal and probably deserves a different post. There is an issue open here, but it seems it is working; probably this comment helps you troubleshoot that one.
The Active Response module is managed from the Wazuh Manager in /var/ossec/etc/ossec.conf. From there you can enable the response you need to execute using an <active-response> configuration block that will use a "command" as a response. For example, if you are going to enable "remove-threat" as an Active Response on any agent that triggers the VirusTotal rule, you should have a <command> block and also an <active-response> block for that particular case; the same goes for any other AR case you may want to use.
<command>
  <name>remove-threat</name>
  <executable>remove-threat.sh</executable>
  <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
  <disabled>no</disabled>
  <command>remove-threat</command>
  <location>local</location>
  <rules_id>87105</rules_id>
</active-response>
The Response (script) needs to be present on each agent under /var/ossec/active-response/bin/. If you are only using the "remove-threat" Active Response, you should only have a single <active-response> block on the Manager's configuration file. Each <active-response> block within the Manager's "ossec.conf" must have a matching <command> block that is basically the response (script) the module is going to use. Perhaps you can share with us this configuration file so we can take a look.
Also, the following output from the Manager will be useful to see if the integration with VirusTotal is being activated:
cat /var/ossec/logs/ossec.log | grep wazuh-integratord
I hope this helps,
Let us know
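As an added illustration (not Wazuh's own tooling), the following check applies the two rules from the answer above to a constructed ossec.conf fragment: every enabled <active-response> must name a defined <command>, and every <command> must point to a script present in active-response/bin/ (the bin listing is passed in so it runs offline).

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment: one <command> and two <active-response>
# blocks, the second of which refers to a command that is never defined.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <command>
    <name>remove-threat</name>
    <executable>remove-threat.sh</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>
</ossec_config>
<ossec_config>
  <active-response>
    <disabled>no</disabled>
    <command>remove-threat</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
  <active-response>
    <disabled>no</disabled>
    <command>quarantine-file</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>
"""


def check_active_response(conf_text, bin_listing):
    """List wiring problems (empty = consistent); bin_listing = names in active-response/bin/."""
    # A real ossec.conf has several top-level <ossec_config> blocks, so wrap
    # them in a synthetic root to obtain one well-formed XML document.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    problems = []
    commands = {}
    for cmd in root.findall("ossec_config/command"):
        name = cmd.findtext("name", "").strip()
        commands[name] = cmd.findtext("executable", "").strip()
        if commands[name] not in bin_listing:
            problems.append(f"command {name!r}: executable {commands[name]!r} "
                            "is not in active-response/bin/")
    for ar in root.findall("ossec_config/active-response"):
        if ar.findtext("disabled", "no").strip() == "yes":
            continue  # disabled blocks are never executed
        ref = ar.findtext("command", "").strip()
        if ref not in commands:
            problems.append(f"active-response for rules_id "
                            f"{ar.findtext('rules_id', '?')}: no <command> named {ref!r}")
    return problems
```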

CAS 6.2.x MFA Principal Attribute Trigger 'memberOf' Active Directory Not Working

I have CAS 6.2.x running in Kubernetes, building the image from this repo. I am passing in the cas.properties file via configmap. I have it wired up against Active Directory and am able to login with the Username/Password. I am now working to enable MFA with the Google Authenticator plugin. I have this working as well if I force the flow globally with the following:
cas.authn.mfa.global-provider-id=mfa-gauth
When I try to use the values described here for Multifactor Authentication: Principal Attribute Trigger it doesn't send me to the MFA flow. These are the settings that I have set:
cas.authn.ldap[0].principalAttributeList=userPrincipalName,cn,givenName,sAMAccountName,memberOf
cas.authn.mfa.global-principal-attribute-name-triggers=memberOf
cas.authn.mfa.global-principal-attribute-value-regex=ForceMfa
When I log in these are the values returned back for memberOf:
memberOf: [CN=Group2,OU=MyOu,DC=subdomain,DC=domain,DC=local, CN=Group1,OU=MyOu,DC=subdomain,DC=domain,DC=local, CN=ForceMfa,OU=MyOu,DC=subdomain,DC=domain,DC=local]
Principal
I used Misagh's blog post as a guide.
If I change the trigger and regex to sAMAccountName and my username it then works as expected. Not sure if I need to change the regex format to find the group name or if I just have something else wrong. It just seems like the regex is not finding a match for some reason as the settings seem to be working for me, just not with memberOf.
Thank you
Consider switching this to:
cas.authn.mfa.global-principal-attribute-value-regex=.*ForceMfa.+
Then, attach/review your logs for org.apereo.cas under either DEBUG/TRACE so you can see what's happening.
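As an added illustration (not CAS code), the check below assumes CAS compares global-principal-attribute-value-regex against each memberOf value as a whole-value match (Java's Matcher.matches()); under that assumption it shows why the bare group name fails against a full DN while the suggested pattern matches, and why anchoring on the CN is the narrower choice.

```python
import re

# Constructed memberOf values in the shape the question shows: each value is
# a full distinguished name, not a bare group name.
MEMBER_OF = [
    "CN=Group2,OU=MyOu,DC=subdomain,DC=domain,DC=local",
    "CN=Group1,OU=MyOu,DC=subdomain,DC=domain,DC=local",
    "CN=ForceMfa,OU=MyOu,DC=subdomain,DC=domain,DC=local",
]


def mfa_triggered(attribute_values, value_regex):
    """True when any value of the trigger attribute matches the regex as a whole.

    Assumption of this example: CAS evaluates the regex with whole-value
    semantics, so a substring such as 'ForceMfa' never matches a DN on its own.
    """
    pattern = re.compile(value_regex)
    return any(pattern.fullmatch(value) for value in attribute_values)


def trigger_report(attribute_values):
    """Evaluate the regex from the question, the answer's suggestion, and an
    anchored variant (added here) that cannot be satisfied by a look-alike
    group such as CN=NotForceMfa."""
    regexes = ["ForceMfa", ".*ForceMfa.+", r"CN=ForceMfa,.*"]
    return {regex: mfa_triggered(attribute_values, regex) for regex in regexes}


if __name__ == "__main__":
    for regex, hit in trigger_report(MEMBER_OF).items():
        print(f"{regex!r:22} -> {'MFA' if hit else 'no MFA'}")
```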

SonarQube 5.3 - Download plugins behind proxy (HTTPS)

There are a couple of questions about this already, but none of the provided solutions work with SonarQube v5.3.
So far I've tried setting sonar.web.javaAdditionalOpts=-Dhttps.proxyHost=proxy.XXX -Dhttps.proxyPort=YYY, both http(s).proxyHost=proxy.XXX and http(s).proxyPort=YYY.
It's important to notice that when SonarQube is starting (I'm running the docker app) it tries to connect to http://update.sonarsource.org/update-center.properties, in which case I'm able to check that http proxy works:
sonar_1 | 2016.02.29 20:46:18 INFO web[o.s.s.p.UpdateCenterClient] Update center: http://update.sonarsource.org/update-center.properties (HTTP proxy: proxy.XXX:YYY)
But, when trying to download any plugin from Update Center, it fails:
sonar_1 | org.sonar.api.utils.SonarException: Fail to download the plugin (ldap, version 1.5.1) from https://sonarsource.bintray.com/Distribution/sonar-ldap-plugin/sonar-ldap-plugin-1.5.1.jar (error is : Fail to download: https://sonarsource.bintray.com/Distribution/sonar-ldap-plugin/sonar-ldap-plugin-1.5.1.jar (no proxy))
Any help is much appreciated.
EDIT: Adding relevant debug logs according to the configuration being used.
Using only sonar.web.javaAdditionalOpts=-Dhttps.proxyHost=http://proxy.XXX -Dhttps.proxyPort=YYY -Dhttp.proxyHost=proxy.XXX -Dhttp.proxyPort=YYY: gist
Using http.proxyHost, http.proxyPort, https.proxyHost and https.proxyPort: gist
The HTTPS proxy properties (https.proxyHost and https.proxyPort) must be set in sonar.web.javaAdditionalOpts because they are not understood/supported in sonar.properties.
The HTTP proxy properties (http.proxyHost and http.proxyPort) can be set either in sonar.web.javaAdditionalOpts or in sonar.properties directly.
Careful though: if you set the HTTP ones in sonar.web.javaAdditionalOpts, make sure to comment out the http.proxyHost and http.proxyPort lines in sonar.properties. Otherwise the latter would override the former (and I feel like this is what might be happening in your gist1 ).
Edit: you're running SonarQube in a docker container, in which case sonar.web.javaAdditionalOpts are currently set in the run.sh script. For additional Java properties you'll have to modify this directly.

Loading an external widget in widgets-config.xml

I am unable to load an iWidget externally on the communities page
This is my widget def:
<widgetDef defId="qmiWidget" primaryWidget="false" modes="view fullpage edit search"
url="http://questionmine.com/app1/widgets/index/publishProject_iWidget"/>
But it replaces the http and tries to load it internally
"NetworkError: 403 Forbidden - https://connectionsww.demos.ibm.com/communities/ajaxProxy/http/questionmine.com/app1/widgets/index/publishProject_iWidget"
Any idea how I can do this?
Since your widget resides on another domain, you have to configure the "Ajax Proxy" to allow this.
Take a look at this here:
http://www-10.lotus.com/ldd/lcwiki.nsf/xpDocViewer.xsp?lookupName=IBM+Connections+4.5+Documentation#action=openDocument&res_title=Configuring_the_AJAX_proxy_ic45&content=pdcontent
For testing purposes (ONLY testing) it would be safe to allow "*" but for a production environment it is strongly advised to be more specific, in your case something like "questionmine.com/app1/*"
You can even configure specific proxy rules per application (Communities, Profiles, Homepage,...)
http://www-10.lotus.com/ldd/lcwiki.nsf/xpDocViewer.xsp?lookupName=IBM+Connections+4.5+Documentation#action=openDocument&res_title=Configuring_the_AJAX_proxy_for_a_specific_application_ic45&content=pdcontent
BTW: If you ever tried to enable feeds in a community, the same applies. Without further configuration, only same-domain feeds would be allowed.

How to get custom-resource file after packaging Metro App?

I have a Metro application in which I am using different service URLs for receiving the data. For this scenario I want to change service URLs after building my application into a package. I have followed adding resource files into my app as mentioned in MSDN sites and tested by using the following code.
var resourceLoader = new Windows.ApplicationModel.Resources.ResourceLoader();
var resourceString = resourceLoader.getString("greeting");
Here I am getting the greeting resource value string in my app before packaging. After packaging I am not able to see my resource files, but I am able to see default resource files like en-US, fr-FR, etc.
Can anyone suggest some solution to get custom-resource file after packaging?
The way I see it, you need to add the resource files before packaging the app... after that's done, you cannot add additional resources... what you could do is get the new service URL from a service and save it locally as a setting or in your DB.
edit: also, resourceLoader.getString("greeting").value; will give you the actual string, or "greeting" in case no resources were found