Serialized Form

Package org.apereo.cas.configuration

Class org.apereo.cas.configuration.CasConfigurationProperties
class CasConfigurationProperties extends Object implements Serializable
serialVersionUID: -8620267783496071683L

Serialized Fields

acceptableUsagePolicy
AcceptableUsagePolicyProperties acceptableUsagePolicy
AUP settings.

accessStrategy
AccessStrategyProperties accessStrategy
Access Strategy and authorization-related functionality.

accountRegistration
AccountManagementRegistrationProperties accountRegistration
Account registration settings.

acme
AcmeProperties acme
ACME functionality.

amazonSts
AmazonSecurityTokenServiceProperties amazonSts
Integration settings for Amazon STS.

audit
AuditProperties audit
Authentication audit functionality.

authn
AuthenticationProperties authn
General settings for authentication.

clearpass
ClearpassProperties clearpass
Clearpass settings.

consent
ConsentProperties consent
Attribute consent functionality.

core
CasServerCoreProperties core
Core internal settings.

custom
CasCustomProperties custom
Custom properties.

events
EventsProperties events
Authentication events functionality.

geoLocation
GeoLocationProperties geoLocation
GeoLocation settings.

googleAnalytics
GoogleAnalyticsProperties googleAnalytics
Google Analytics functionality.

googleFirebaseMessaging
GoogleFirebaseCloudMessagingProperties googleFirebaseMessaging
Google Firebase Cloud Messaging functionality.

googleRecaptcha
GoogleRecaptchaProperties googleRecaptcha
Google reCAPTCHA settings.

host
CasServerHostProperties host
Settings that define this CAS host.

httpClient
HttpClientProperties httpClient
HTTP client and outgoing connections settings.

httpWebRequest
HttpRequestProperties httpWebRequest
Settings that control filtering of the incoming HTTP requests.

initializationTime
long initializationTime
Timestamp that indicates the initialization time.

interrupt
InterruptProperties interrupt
Interrupt/notification functionality.

jdbc
DatabaseProperties jdbc
General database and Hibernate settings.

locale
LocaleProperties locale
Locale and internationalization settings.

logging
LoggingProperties logging
Logging functionality.

logout
LogoutProperties logout
Logout functionality.

messageBundle
MessageBundleProperties messageBundle
Message bundles and internationalization functionality.

monitor
MonitorProperties monitor
Monitoring functionality.

personDirectory
PersonDirectoryPrincipalResolverProperties personDirectory
Person directory and principal resolution functionality.

rest
RestProperties rest
REST API functionality.

samlCore
SamlCoreProperties samlCore
SAML Core functionality and settings.

samlMetadataUi
SamlMetadataUIProperties samlMetadataUi
SAML Metadata UI settings and parsing.

samlSp
SamlServiceProviderProperties samlSp
SAML SP integration settings.

scim
ScimProperties scim
SCIM functionality.

server
CasServerProperties server
Settings that define this CAS server instance.

serviceRegistry
ServiceRegistryProperties serviceRegistry
Service registry functionality.

slackMessaging
SlackMessagingProperties slackMessaging
Slack Messaging functionality.

slo
SingleLogoutProperties slo
SLO functionality.

smsProvider
SmsProvidersProperties smsProvider
SMS and text messaging settings.

spring
SpringCloudConfigurationProperties spring
Spring Cloud configuration settings.

sso
SingleSignOnProperties sso
SSO functionality.

standalone
StandaloneConfigurationProperties standalone
Standalone configuration settings.

tgc
TicketGrantingCookieProperties tgc
Ticket-granting cookie settings.

theme
ThemeProperties theme
UI and theme settings.

ticket
TicketProperties ticket
Ticketing functionality.

view
ViewProperties view
Views and UI functionality.

warningCookie
WarningCookieProperties warningCookie
Warning cookie settings.

webflow
WebflowProperties webflow
Spring Webflow functionality.

Package org.apereo.cas.configuration.model

Class org.apereo.cas.configuration.model.BaseRestEndpointProperties
class BaseRestEndpointProperties extends Object implements Serializable
serialVersionUID: 2687020856160473089L

Serialized Fields

basicAuthPassword
String basicAuthPassword
If the REST endpoint is protected via basic authentication, specify the password for authentication.

basicAuthUsername
String basicAuthUsername
If the REST endpoint is protected via basic authentication, specify the username for authentication.

headers
Map<String, String> headers
Headers, defined as a Map, to include in the request when making the REST call. These will overwrite any header that CAS is pre-defined to send and include in the request. The key in the map should be the header name and the value in the map should be the header value.

url
String url
The endpoint URL to contact and retrieve attributes.

Class org.apereo.cas.configuration.model.RestEndpointProperties
class RestEndpointProperties extends BaseRestEndpointProperties implements Serializable
serialVersionUID: 2687020856160473089L

Serialized Fields

method
String method
HTTP method to use when contacting the REST endpoint. Examples include GET, POST, etc.

Class org.apereo.cas.configuration.model.SpringResourceProperties
class SpringResourceProperties extends Object implements Serializable
serialVersionUID: 4142130961445546358L

Package org.apereo.cas.configuration.model.core

Class org.apereo.cas.configuration.model.core.CasServerCoreProperties
class CasServerCoreProperties extends Object implements Serializable
serialVersionUID: 8876382696803430817L

Serialized Fields

groovyCacheManager
ExpiringSimpleCacheProperties groovyCacheManager
Settings that control the internal cache engine used to load, parse and hold precompiled Groovy scripts.

Class org.apereo.cas.configuration.model.core.CasServerHostProperties
class CasServerHostProperties extends Object implements Serializable
serialVersionUID: 8624916460241033347L

Serialized Fields

name
String name
Name of the networking host configured to run the CAS server. A CAS host is automatically appended to the ticket ids generated by CAS. If none is specified, one is automatically detected and used by CAS.

Class org.apereo.cas.configuration.model.core.CasServerProperties
class CasServerProperties extends Object implements Serializable
serialVersionUID: 7876382696803430817L

Serialized Fields

name
String name
Full name of the CAS server. This is the public-facing address of the CAS deployment and not the individual node address, in the event that CAS is clustered.

prefix
String prefix
A concatenation of the server name plus the CAS context path. Deployments at root likely need to blank out this value.

scope
String scope
The CAS Server scope.

tomcat
CasEmbeddedApacheTomcatProperties tomcat
Configuration settings that control the embedded Apache Tomcat container.

Package org.apereo.cas.configuration.model.core.audit

Class org.apereo.cas.configuration.model.core.audit.AuditEngineProperties
class AuditEngineProperties extends Object implements Serializable
serialVersionUID: 3946106584608417663L

Serialized Fields

abbreviationLength
int abbreviationLength
Abbreviate fields and entries in the audit logs where possible to the given length. This typically applies to long service URLs that are captured in audit logs. Negative or zero values disable the abbreviation altogether.

alternateClientAddrHeaderName
String alternateClientAddrHeaderName
Request header to use to identify the client address. If the application is sitting behind a load balancer, the client address typically ends up being the load balancer address itself. A common example of such a header would be X-Forwarded-For, used to glean the client address from the request, assuming the load balancer is configured correctly to pass that header along.

alternateServerAddrHeaderName
String alternateServerAddrHeaderName
Request header to use to identify the server address.

appCode
String appCode
Application code to use in the audit logs. This is a unique code that acts as the identifier for the application. If audit logs are aggregated in a central location, this makes it easy to identify the application and filter results based on the code.

auditFormat
AuditEngineProperties.AuditFormatTypes auditFormat
The audit format to use in the logs.

enabled
boolean enabled
Whether auditing functionality should be enabled.

excludedActions
List<String> excludedActions
Indicate a list of supported audit actions that should be excluded, filtered and ignored by CAS audit managers. Each supported action can be treated as a regular expression to match against built-in CAS actions.

httpRequestHeaders
List<String> httpRequestHeaders
Collection of HTTP headers that could be extracted from the request and tracked by the underlying audit engine and storage. By default, all request headers are tracked and stored.

ignoreAuditFailures
boolean ignoreAuditFailures
Indicates whether catastrophic audit failures should only be logged or whether errors should bubble up and be thrown back.

includeValidationAssertion
boolean includeValidationAssertion
Whether ticket validation events in the audit log should include information about the assertion that is validated, such as the principal id and the attributes released.

numberOfDaysInHistory
int numberOfDaysInHistory
Retrieve audit records from storage, starting from now and going back the indicated number of days in history.

supportedActions
List<String> supportedActions
Indicate a list of supported audit actions that should be recognized, processed and recorded by CAS audit managers. Each supported action can be treated as a regular expression to match against built-in CAS actions.

useServerHostAddress
boolean useServerHostAddress
Determines whether a local DNS lookup should be made to query for the CAS server address. By default, the server address is determined from the request. Aside from special headers, this option allows one to query DNS to look up the address of the CAS server processing requests.

Class org.apereo.cas.configuration.model.core.audit.AuditGroovyProperties
class AuditGroovyProperties extends Object implements Serializable
serialVersionUID: 4887475246873585918L

Serialized Fields

template
SpringResourceProperties template
Groovy template that constructs the audit payload.

Class org.apereo.cas.configuration.model.core.audit.AuditJdbcProperties
class AuditJdbcProperties extends AbstractJpaProperties implements Serializable
serialVersionUID: 4227475246873515918L

Serialized Fields

asynchronous
boolean asynchronous
Execute the recording of audit records in an asynchronous manner. This setting must almost always be set to true.

columnLength
int columnLength
Allows one to trim the audit data to the specified length. A negative value disables trimming, so the audit record is no longer truncated.

dateFormatterFunction
String dateFormatterFunction
A formatter function that receives the formatted date value and the date pattern as the first and second argument. Example: TO_DATE('%s', '%s').

dateFormatterPattern
String dateFormatterPattern
Indicate the date formatter pattern used to fetch audit records from the database based on the record date. Default value is yyyy-MM-dd 00:00:00.000000.

maxAgeDays
int maxAgeDays
Indicates how long audit records should be kept in the database. This is used by the clean-up criteria to clean up stale audit records.

schedule
SchedulingProperties schedule
Scheduler settings that indicate how often the cleaner is reloaded.

selectSqlQueryTemplate
String selectSqlQueryTemplate
SQL query that provides a template to fetch audit records. Accepts two parameters using %s for the table name and the audit date.

Class org.apereo.cas.configuration.model.core.audit.AuditMongoDbProperties
class AuditMongoDbProperties extends SingleCollectionMongoDbProperties implements Serializable
serialVersionUID: 4940497540189318943L

Serialized Fields

asynchronous
boolean asynchronous
Execute the recording of audit records in an asynchronous manner. This setting must almost always be set to true.

Class org.apereo.cas.configuration.model.core.audit.AuditProperties
class AuditProperties extends Object implements Serializable
serialVersionUID: 3946106584608417663L

Serialized Fields

dynamoDb
AuditDynamoDbProperties dynamoDb
Family of sub-properties pertaining to DynamoDB-based audit destinations.

engine
AuditEngineProperties engine
Core auditing engine functionality and settings are captured here, separate from audit storage services.

groovy
AuditGroovyProperties groovy
Family of sub-properties pertaining to Groovy-based audit destinations.

jdbc
AuditJdbcProperties jdbc
Family of sub-properties pertaining to JDBC-based audit destinations.

mongo
AuditMongoDbProperties mongo
Family of sub-properties pertaining to MongoDB-based audit destinations.

redis
AuditRedisProperties redis
Family of sub-properties pertaining to Redis-based audit destinations.

rest
AuditRestProperties rest
Family of sub-properties pertaining to REST-based audit destinations.

slf4j
AuditSlf4jLogProperties slf4j
Family of sub-properties pertaining to file-based audit destinations.

Class org.apereo.cas.configuration.model.core.audit.AuditRestProperties
class AuditRestProperties extends RestEndpointProperties implements Serializable
serialVersionUID: 3893437775090452831L

Serialized Fields

asynchronous
boolean asynchronous
Make storage requests asynchronously.

Class org.apereo.cas.configuration.model.core.audit.AuditSlf4jLogProperties
class AuditSlf4jLogProperties extends Object implements Serializable
serialVersionUID: 4227475246873515918L

Serialized Fields

auditableFields
String auditableFields
Control and define fields that can be accepted by the audit log. Accepted values are: who, what, action, application, when, user_agent, client_ip, server_ip, geo_location, headers.

enabled
boolean enabled
Decide whether Slf4j audits should be enabled.

singlelineSeparator
String singlelineSeparator
Character to separate audit fields if single-line audits are used.

useSingleLine
boolean useSingleLine
Indicates whether audit logs should be recorded as a single line. By default, audit logs are split into multiple lines where each action and activity takes up a full line. Single-line mode is a more compact version.

Package org.apereo.cas.configuration.model.core.authentication

Class org.apereo.cas.configuration.model.core.authentication.AdaptiveAuthenticationIPIntelligenceProperties
class AdaptiveAuthenticationIPIntelligenceProperties extends Object implements Serializable
serialVersionUID: -9111174229142982880L

Serialized Fields

blackDot
AdaptiveAuthenticationIPIntelligenceProperties.BlackDot blackDot
Fetch IP diagnostic information via IP Intel.

groovy
GroovyAdaptiveAuthenticationIPIntelligenceProperties groovy
Fetch IP diagnostic information via Groovy.

rest
RestfulAdaptiveAuthenticationIPIntelligenceProperties rest
Fetch IP diagnostic information via REST.

Class org.apereo.cas.configuration.model.core.authentication.AdaptiveAuthenticationIPIntelligenceProperties.BlackDot
class BlackDot extends Object implements Serializable
serialVersionUID: -4655149615297049570L

Serialized Fields

emailAddress
String emailAddress
Include your contact information so you can be notified if a problem arises or if there are core changes.

mode
String mode
DYNA_LIST: If you get a value between 0 and 1, exclusive (like 0.99, 0.99999, 0.97), these values are generated by dynamic checks which look for characteristics of the given IP. IPs that are either manually banned or seen on a public proxy site will return a value of 1. If you only want manually banned or public proxies, then in your code just look for the value "1". However, there are many IPs that haven't gone through manual review, and IPs can change behavior very frequently (which is why dynamic checks exist in the first place). If you only look for the value of "1", then expect to have more proxy / VPN / bad IPs go through your system; however, false positives are less likely if you use the dynamic ban list option. If you wish to use only manually banned and public proxy IPs, append the parameter flags=m; the system will then only return a result of 0 or 1. This option is the best to start off with and will have a noticeable impact on bot / proxy / VPN traffic, especially if you don't have any data sets to test the system with.

DYNA_CHECK: In this scenario, you want to use dynamic checks as well, but you want to skip the additional checks to see if the IP is a bad IP (see "What do you mean by 'Bad IP'?"). In this mode, some bad IPs are still detected, but the system does not attempt to go through the full bad-IP check because the time for the extra checks varies wildly (between an extra 200ms and 2 seconds). In this mode, false positives are more likely than with dynamic ban lists only. Scores are lower compared to the full IP check (without any flag options) because fewer attributes are considered. If you wish to use the dynamic ban list and dynamic checks only, append the parameter flags=b. This option is the best if the dynamic ban list isn't catching enough IPs but you don't want to run the full check because it takes too long and/or you want a predictable execution time.

FULL: Let the system do a full lookup with one query.

url
String url
URL endpoint of the service to make API calls.

Class org.apereo.cas.configuration.model.core.authentication.AdaptiveAuthenticationPolicyProperties
class AdaptiveAuthenticationPolicyProperties extends Object implements Serializable
serialVersionUID: -1840174229142982880L

Serialized Fields

rejectBrowsers
String rejectBrowsers
Comma-separated list of strings representing browser user agents to be rejected from participating in authentication transactions.

rejectCountries
String rejectCountries
Comma-separated list of strings representing countries to be rejected from participating in authentication transactions.

rejectIpAddresses
String rejectIpAddresses
Comma-separated list of strings representing IP addresses to be rejected from participating in authentication transactions.

requireMultifactor
Map<String, String> requireMultifactor
A map of (mfaProviderId -> adaptiveRegexPattern) that tells CAS when to trigger an MFA authentication transaction. This property binds a valid MFA provider to an adaptive regex pattern representing either an IP address, a user-agent or a geolocation. When any of those collected pieces of adaptive data matches the configured regex pattern during an authentication event, an MFA authentication transaction is triggered for the MFA provider represented by the map's key.

requireTimedMultifactor
List<TimeBasedAuthenticationProperties> requireTimedMultifactor
This property binds a valid MFA provider to a collection of rules that deal with triggering MFA for that provider based on properties of date/time. One may want to force MFA during weekends, after hours, etc., and the rule set provides a modest configuration set where time can also be treated as a trigger.

Class org.apereo.cas.configuration.model.core.authentication.AdaptiveAuthenticationProperties
class AdaptiveAuthenticationProperties extends Object implements Serializable
serialVersionUID: -1840174229142982880L

Serialized Fields

ipIntel
AdaptiveAuthenticationIPIntelligenceProperties ipIntel
Control settings that handle and calculate IP intelligence, etc.

policy
AdaptiveAuthenticationPolicyProperties policy
Adaptive authentication policy-related settings.

risk
RiskBasedAuthenticationProperties risk
Control settings that handle and calculate risky authentication attempts.

Class org.apereo.cas.configuration.model.core.authentication.AttributeDefinitionStoreProperties
class AttributeDefinitionStoreProperties extends Object implements Serializable
serialVersionUID: 1248812041234879300L

Serialized Fields

json
SpringResourceProperties json
Load attribute definitions from a JSON resource.

Class org.apereo.cas.configuration.model.core.authentication.AuthenticationAttributeReleaseProperties
class AuthenticationAttributeReleaseProperties extends Object implements Serializable
serialVersionUID: 6123748197108749858L

Serialized Fields

enabled
boolean enabled
Whether authentication or protocol attributes should be released to clients. This flag specifically addresses non-principal attributes, or otherwise attributes that carry metadata about the authentication event itself and are not strictly tied to a principal or person data. The setting applies to such attributes regardless of the specific protocol or authentication flow (CAS, OIDC, etc.).

neverRelease
List<String> neverRelease
List of authentication attributes that should never be released.

onlyRelease
List<String> onlyRelease
List of authentication attributes that should be the only ones released. An empty list indicates all attributes should be released.

Class org.apereo.cas.configuration.model.core.authentication.AuthenticationEngineProperties
class AuthenticationEngineProperties extends Object implements Serializable
serialVersionUID: -2475347572099983874L

Serialized Fields

groovyPostProcessor
GroovyAuthenticationEngineProcessorProperties groovyPostProcessor
Groovy script to handle the authentication post-processor.

groovyPreProcessor
GroovyAuthenticationEngineProcessorProperties groovyPreProcessor
Groovy script to handle the authentication pre-processor.

Class org.apereo.cas.configuration.model.core.authentication.AuthenticationExceptionsProperties
class AuthenticationExceptionsProperties extends Object implements Serializable
serialVersionUID: -2385347572099983874L

Serialized Fields

exceptions
List<Class<? extends Throwable>> exceptions
Define custom exceptions that can then be mapped to message bundles for custom error handling. By default CAS is configured to recognize and handle a number of exceptions during authentication. Each exception has a specific message bundle mapping so that a specific message can be presented to end users on the login form. Any unrecognized or unmapped exception results in a generic message. Custom exceptions can be defined here and then linked to custom messages.

groovy
GroovyAuthenticationExceptionsProperties groovy
Handle exceptions using a Groovy script.

Class org.apereo.cas.configuration.model.core.authentication.AuthenticationPolicyProperties
class AuthenticationPolicyProperties extends Object implements Serializable
serialVersionUID: 2039700004862120066L

Serialized Fields

all
AllCredentialsAuthenticationPolicyProperties all
Satisfied if and only if all given credentials are successfully authenticated. Support for multiple credentials is new in CAS and this handler would only be acceptable in a multi-factor authentication situation.

allHandlers
AllHandlersAuthenticationPolicyProperties allHandlers
Satisfied if and only if all given authentication handlers successfully authenticate.

any
AnyCredentialAuthenticationPolicyProperties any
Satisfied if any authentication handler succeeds. Allows options to avoid short-circuiting and try every handler even if a prior one succeeded.

groovy
List<GroovyAuthenticationPolicyProperties> groovy
Execute a Groovy script to determine the authentication policy.

notPrevented
NotPreventedAuthenticationPolicyProperties notPrevented
Satisfied if and only if the authentication event is not blocked by a PreventedException.

req
RequiredAuthenticationHandlerAuthenticationPolicyProperties req
Satisfied if and only if a specified handler successfully authenticates its credential.

requiredAttributes
RequiredAttributesAuthenticationPolicyProperties requiredAttributes
Satisfied if and only if the authentication contains the required attributes.

requiredHandlerAuthenticationPolicyEnabled
boolean requiredHandlerAuthenticationPolicyEnabled
Global authentication policy that is applied when CAS attempts to vend and validate tickets. Checks to make sure a particular authentication handler has successfully executed and validated credentials. Required handlers are defined per registered service.

rest
List<RestAuthenticationPolicyProperties> rest
Execute a REST endpoint to determine the authentication policy.

sourceSelectionEnabled
boolean sourceSelectionEnabled
If true, allows CAS to select authentication handlers based on the credential source. This allows the authentication engine to restrict the task of validating credentials to the selected source or account repository, as opposed to every authentication handler registered with CAS at runtime.

uniquePrincipal
UniquePrincipalAuthenticationPolicyProperties uniquePrincipal
Satisfied if and only if the principal has not already authenticated and does not have an SSO session with CAS. Otherwise, prevents the user from logging in more than once. Note that this policy adds an extra burden to the ticket store/registry, as CAS needs to query all relevant tickets found in the registry to cross-check the requesting username against existing tickets.

Class org.apereo.cas.configuration.model.core.authentication.AuthenticationProperties
class AuthenticationProperties extends Object implements Serializable
serialVersionUID: -1233126985007049516L

Serialized Fields

accept
AcceptAuthenticationProperties accept
Accepting authentication based on statically defined users.

adaptive
AdaptiveAuthenticationProperties adaptive
Adaptive authentication settings.

attributeRepository
PrincipalAttributesProperties attributeRepository
Attribute repository settings.

authenticationAttributeRelease
AuthenticationAttributeReleaseProperties authenticationAttributeRelease
Authentication attribute release settings.

azureActiveDirectory
AzureActiveDirectoryAuthenticationProperties azureActiveDirectory
Azure AD authentication settings.

cassandra
CassandraAuthenticationProperties cassandra
Cassandra authentication settings.

cloudDirectory
AmazonCloudDirectoryProperties cloudDirectory
Cloud Directory authentication settings.

cognito
AmazonCognitoAuthenticationProperties cognito
Configuration settings for Cognito authentication.

core
CoreAuthenticationProperties core
Core authentication settings.

errors
AuthenticationExceptionsProperties errors
Customization of authentication errors and exceptions.

file
FileAuthenticationProperties file
File-based authentication.

groovy
GroovyAuthenticationProperties groovy
Groovy authentication settings.

gua
GraphicalUserAuthenticationProperties gua
Graphical User authentication settings.

jaas
List<JaasAuthenticationProperties> jaas
Collection of settings related to JAAS authentication. These settings are required to be indexed (i.e. jaas[0].xyz).

jdbc
JdbcAuthenticationProperties jdbc
JDBC authentication settings.

json
JsonResourceAuthenticationProperties json
JSON authentication settings.

ldap
List<LdapAuthenticationProperties> ldap
Collection of settings related to LDAP authentication. These settings are required to be indexed (i.e. ldap[0].xyz).

mfa
MultifactorAuthenticationProperties mfa
MFA settings.

mongo
MongoDbAuthenticationProperties mongo
MongoDB authentication settings.

oauth
OAuthProperties oauth
OAuth authentication settings.

oidc
OidcProperties oidc
OpenID Connect authentication settings.

okta
OktaAuthenticationProperties okta
Okta authentication settings.

pac4j
Pac4jDelegatedAuthenticationProperties pac4j
Pac4j delegated authentication settings.

passwordless
PasswordlessAuthenticationProperties passwordless
Passwordless authentication settings.

passwordSync
PasswordSynchronizationProperties passwordSync
Password synchronization settings.

pm
PasswordManagementProperties pm
Password management settings.

policy
AuthenticationPolicyProperties policy
Authentication policy settings.

qr
QRAuthenticationProperties qr
QR authentication settings.

radius
RadiusProperties radius
RADIUS authentication settings.

redis
RedisAuthenticationProperties redis
Redis authentication settings.

reject
RejectAuthenticationProperties reject
Blocked authentication.

remote
RemoteAuthenticationProperties remote
Authentication based on a remote of a request.

rest
List<RestAuthenticationProperties> rest
REST-based authentication settings.

samlIdp
SamlIdPProperties samlIdp
SAML identity provider settings.

shibIdp
ShibbolethIdPProperties shibIdp
Authentication settings when integrating CAS with a Shibboleth IdP.

soap
SoapAuthenticationProperties soap
Settings that control SOAP authentication.

spnego
SpnegoProperties spnego
SPNEGO authentication settings.

surrogate
SurrogateAuthenticationProperties surrogate
Surrogate authentication settings.

syncope
SyncopeAuthenticationProperties syncope
Syncope authentication settings.

throttle
ThrottleProperties throttle
Authentication throttling settings.

token
TokenAuthenticationProperties token
Token/JWT authentication settings.

trusted
TrustedAuthenticationProperties trusted
Trusted authentication.

wsfed
List<WsFederationDelegationProperties> wsfed
Collection of settings related to WS-Fed delegated authentication. These settings are required to be indexed (i.e. wsfed[0].xyz).

wsfedIdp
WsFederationProperties wsfedIdp
WS-Fed IdP authentication settings.

x509
X509Properties x509
X509 authentication settings.

Class org.apereo.cas.configuration.model.core.authentication.CoreAuthenticationProperties
class CoreAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- -2244126985007049516L
-
Serialized Fields
-
engine
AuthenticationEngineProperties engine
Customization of authentication engine and pre/post processing. -
groovyAuthenticationResolution
GroovyAuthenticationHandlerResolutionProperties groovyAuthenticationResolution
Attempt to resolve/filter authentication handlers for the current transaction based on what is globally defined via an external groovy script. -
serviceAuthenticationResolution
RegisteredServiceAuthenticationHandlerResolutionProperties serviceAuthenticationResolution
Attempt to resolve/filter authentication handlers for the current transaction based on what is globally defined via the definition of a registered service and how it filters the required authentication handlers.
-
-
Class org.apereo.cas.configuration.model.core.authentication.GroovyAdaptiveAuthenticationIPIntelligenceProperties
class GroovyAdaptiveAuthenticationIPIntelligenceProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 8079027843747126083L
-
Class org.apereo.cas.configuration.model.core.authentication.GroovyAuthenticationEngineProcessorProperties
class GroovyAuthenticationEngineProcessorProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 8079027843747126083L
-
Class org.apereo.cas.configuration.model.core.authentication.GroovyAuthenticationExceptionsProperties
class GroovyAuthenticationExceptionsProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- -1385347572099983874L
-
Class org.apereo.cas.configuration.model.core.authentication.GroovyAuthenticationHandlerResolutionProperties
class GroovyAuthenticationHandlerResolutionProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 8079027843747126083L
-
Serialized Fields
-
order
int order
The execution order of this resolver in the chain of authentication handler resolvers.
-
-
Class org.apereo.cas.configuration.model.core.authentication.GroovyAuthenticationPolicyProperties
class GroovyAuthenticationPolicyProperties extends BaseAuthenticationPolicyProperties implements Serializable- serialVersionUID:
- 8713917167124116270L
-
Serialized Fields
-
script
String script
Path to the groovy script to execute.
-
-
Class org.apereo.cas.configuration.model.core.authentication.GroovyPasswordPolicyProperties
class GroovyPasswordPolicyProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 8079027843747126083L
-
Class org.apereo.cas.configuration.model.core.authentication.GroovyPrincipalAttributesProperties
class GroovyPrincipalAttributesProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 7901595963842506684L
-
Serialized Fields
-
caseInsensitive
boolean caseInsensitive
Whether attribute repository should consider the underlying attribute names in a case-insensitive manner. -
id
String id
A value can be assigned to this field to uniquely identify this resolver. -
order
int order
The order of this attribute repository in the chain of repositories. Can be used to explicitly position this source in the chain and affects merging strategies. -
state
AttributeRepositoryStates state
Whether attribute resolution based on this source is enabled.
-
-
Class org.apereo.cas.configuration.model.core.authentication.GroovyPrincipalTransformationProperties
class GroovyPrincipalTransformationProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 8079027843747126083L
-
Class org.apereo.cas.configuration.model.core.authentication.GrouperPrincipalAttributesProperties
class GrouperPrincipalAttributesProperties extends Object implements Serializable- serialVersionUID:
- 7139471665871712818L
-
Serialized Fields
-
id
String id
A value can be assigned to this field to uniquely identify this resolver. -
order
int order
The order of this attribute repository in the chain of repositories. Can be used to explicitly position this source in the chain and affects merging strategies. -
parameters
Map<String, String> parameters
Custom parameters defined as a Map to pass onto the attribute repository, which ultimately will be passed onto the grouper client. Key is the parameter name and value is the parameter value. -
state
AttributeRepositoryStates state
Whether attribute resolution based on this source is enabled. -
subjectType
String subjectType
Indicate how the username passed to the attribute repository should be set and treated by the grouper client to look up records. Accepted values are: SUBJECT_IDENTIFIER, SUBJECT_ATTRIBUTE_NAME, SUBJECT_ID. -
usernameAttribute
String usernameAttribute
The attribute name that would be used to look up and determine the user id from the query map. The value linked to this attribute would be used as the username or subject by the attribute repository to pass on to the ultimate source to locate the user record.
-
-
Class org.apereo.cas.configuration.model.core.authentication.HttpClientProperties
class HttpClientProperties extends Object implements Serializable- serialVersionUID:
- -7494946569869245770L
-
Serialized Fields
-
allowLocalUrls
boolean allowLocalUrls
Whether CAS should accept local URLs. For example http(s)://localhost/logout. -
asyncTimeout
String asyncTimeout
Indicates timeout for async operations. -
authorityValidationRegex
String authorityValidationRegex
If specified the regular expression will be used to validate the url's authority. -
authorityValidationRegExCaseSensitive
boolean authorityValidationRegExCaseSensitive
Whether the regular expression specified with HttpClientProperties.authorityValidationRegex should be handled as case-sensitive (true) or case-insensitive (false). If no HttpClientProperties.authorityValidationRegex is set, this value does not have any effect. -
connectionTimeout
String connectionTimeout
Connection timeout for all operations that reach out to URL endpoints. -
defaultHeaders
Map<String, String> defaultHeaders
The default headers to use for any HTTP connection. This is defined as a map, where the key is the header name and the value is the header value that should be sent along with the request. -
hostNameVerifier
String hostNameVerifier
Enable hostname verification when attempting to contact URL endpoints. May also be set to none to disable verification. -
proxyHost
String proxyHost
Send requests via a proxy; define the hostname. -
proxyPort
int proxyPort
Send requests via a proxy; define the proxy port. Negative/zero values should deactivate the proxy configuration for the http client. -
responseTimeout
String responseTimeout
Determines the timeout until arrival of a response from the opposite endpoint. A timeout value of zero is interpreted as an infinite timeout. Please note that response timeout may be unsupported by HTTP transports with message multiplexing. -
socketTimeout
String socketTimeout
Determines the default socket timeout value for I/O operations. -
truststore
HttpClientTrustStoreProperties truststore
Configuration properties namespace for embedded Java SSL trust store.
-
-
Class org.apereo.cas.configuration.model.core.authentication.HttpClientTrustStoreProperties
class HttpClientTrustStoreProperties extends Object implements Serializable- serialVersionUID:
- -1357168622083627654L
-
Class org.apereo.cas.configuration.model.core.authentication.JsonPrincipalAttributesProperties
class JsonPrincipalAttributesProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- -6573755681498251678L
-
Serialized Fields
-
id
String id
A value can be assigned to this field to uniquely identify this resolver. -
order
int order
The order of this attribute repository in the chain of repositories. Can be used to explicitly position this source in the chain and affects merging strategies. -
state
AttributeRepositoryStates state
Whether attribute resolution based on this source is enabled.
-
-
Class org.apereo.cas.configuration.model.core.authentication.PasswordEncoderProperties
class PasswordEncoderProperties extends Object implements Serializable- serialVersionUID:
- -2396781005262069816L
-
Serialized Fields
-
characterEncoding
String characterEncoding
The character encoding to use, such as 'UTF-8'. Relevant when the type used is DEFAULT. -
encodingAlgorithm
String encodingAlgorithm
The encoding algorithm to use, such as MD5. Relevant when the type used is DEFAULT or GLIBC_CRYPT. When used with PasswordEncoderProperties.PasswordEncoderTypes.PBKDF2, it should be one of PBKDF2WithHmacSHA1, PBKDF2WithHmacSHA256 or PBKDF2WithHmacSHA512. -
hashLength
int hashLength
When used by PasswordEncoderProperties.PasswordEncoderTypes.ARGON2, it indicates the hash strength/length. -
iterations
int iterations
When used by PasswordEncoderProperties.PasswordEncoderTypes.PBKDF2, it indicates the required number of iterations. -
secret
String secret
Secret to use with the PasswordEncoderProperties.PasswordEncoderTypes.STANDARD, PasswordEncoderProperties.PasswordEncoderTypes.PBKDF2, PasswordEncoderProperties.PasswordEncoderTypes.BCRYPT and PasswordEncoderProperties.PasswordEncoderTypes.GLIBC_CRYPT password encoders. The secret is usually an optional setting. -
strength
int strength
Strength or number of iterations to use for password hashing. Usually relevant when dealing with PasswordEncoderProperties.PasswordEncoderTypes.BCRYPT, PasswordEncoderProperties.PasswordEncoderTypes.PBKDF2 or PasswordEncoderProperties.PasswordEncoderTypes.GLIBC_CRYPT. When used by PasswordEncoderProperties.PasswordEncoderTypes.ARGON2 or PasswordEncoderProperties.PasswordEncoderTypes.PBKDF2, it indicates the salt strength. -
type
String type
Define the password encoder type to use. Type may be specified as blank or NONE to disable password encoding. It may also refer to a fully-qualified class name that implements Spring Security's PasswordEncoder interface if you wish to define your own encoder. The following types may be used:
NONE: No password encoding (i.e. plain-text) takes place.
DEFAULT: Use the DefaultPasswordEncoder of CAS, for message-digest algorithms via character-encoding and encoding-algorithm.
BCRYPT: Use the BCryptPasswordEncoder based on the strength provided and an optional secret.
SCRYPT: Use the SCryptPasswordEncoder.
PBKDF2: Use the Pbkdf2PasswordEncoder based on the strength provided and an optional secret.
STANDARD: Use the StandardPasswordEncoder based on the secret provided.
SSHA: Use the LdapShaPasswordEncoder, which supports LDAP SHA and SSHA (salted-SHA). The values are base-64 encoded and have the label {SHA} or {SSHA} prepended to the encoded hash.
GLIBC_CRYPT: Use the GlibcCryptPasswordEncoder based on the encoding-algorithm, the strength provided and an optional secret.
org.example.MyEncoder: An implementation of PasswordEncoder of your own choosing.
file:///path/to/script.groovy: Path to a Groovy script charged with handling password encoding operations.
-
-
Class org.apereo.cas.configuration.model.core.authentication.PasswordPolicyProperties
class PasswordPolicyProperties extends Object implements Serializable- serialVersionUID:
- -3878237508646993100L
-
Serialized Fields
-
accountStateHandlingEnabled
boolean accountStateHandlingEnabled
Indicates whether account state handling should be enabled to process warnings or errors reported back from the authentication response, produced by the source. -
displayWarningOnMatch
boolean displayWarningOnMatch
Indicates if a warning should be displayed when the LDAP attribute value matches PasswordPolicyProperties.warningAttributeValue. -
enabled
boolean enabled
Whether password policy should be enabled. -
groovy
GroovyPasswordPolicyProperties groovy
Handle password policy via Groovy script. -
loginFailures
int loginFailures
When dealing with FreeIPA, indicates the number of allowed login failures. -
policyAttributes
Map<String, Class<? extends LoginException>> policyAttributes
Key-value structure (Map) that indicates a list of boolean attributes as keys. If either attribute value is true, indicating an account state is flagged, the corresponding error can be thrown. Example: accountLocked=javax.security.auth.login.AccountLockedException
-
strategy
PasswordPolicyProperties.PasswordPolicyHandlingOptions strategy
Decide how authentication should handle password policy changes. -
warnAll
boolean warnAll
Always display the password expiration warning regardless. -
warningAttributeName
String warningAttributeName
Used by an account state handling policy that only calculates account warnings in case the entry carries this attribute. -
warningAttributeValue
String warningAttributeValue
Used by an account state handling policy that only calculates account warnings in case the entry carries an attribute PasswordPolicyProperties.warningAttributeName whose value matches this field. -
warningDays
int warningDays
This is used to calculate a warning period to see if account expiry is within the calculated window.
-
-
Class org.apereo.cas.configuration.model.core.authentication.PersonDirectoryPrincipalResolverProperties
class PersonDirectoryPrincipalResolverProperties extends Object implements Serializable- serialVersionUID:
- 8929912041234879300L
-
Serialized Fields
-
activeAttributeRepositoryIds
String activeAttributeRepositoryIds
Activated attribute repository identifiers that should be used for fetching attributes if attribute resolution is enabled. The list here may include identifiers separated by comma. -
attributeRepositorySelection
Map<String, String> attributeRepositorySelection
Control the behavior of the attribute repository selection by authentication method or handler. The map here is keyed by the authentication handler name, and the value is the attribute repository identifiers separated by comma. When the authentication handler is executed, the attribute repositories assigned to this handler will be selected to fetch attributes. Note that the resolution engine will always favor attribute repositories assigned to the service definition, if any and as part of its authentication policy, over this global setting. -
attributeResolutionEnabled
TriStateBoolean attributeResolutionEnabled
Whether attribute repositories should be contacted to fetch person attributes. Defaults to true if not set. -
principalAttribute
String principalAttribute
Attribute name to use to indicate the identifier of the principal constructed. If the attribute is blank or has no values, the default principal id, as determined by the underlying authentication engine, will be used. The principal id attribute is usually removed from the collection of attributes collected, though this behavior depends on the schematics of the underlying authentication strategy. -
principalResolutionConflictStrategy
String principalResolutionConflictStrategy
In the event that the principal resolution engine resolves more than one principal (especially if such principals in the chain have different identifiers), this setting determines the strategy by which the principal id would be chosen from the chain. Accepted values are: last, first. -
principalResolutionFailureFatal
TriStateBoolean principalResolutionFailureFatal
When true, throws an error back indicating that principal resolution has failed and no principal can be found based on the authentication requirements. Otherwise, logs the condition as an error without raising a catastrophic error. -
principalTransformation
PrincipalTransformationProperties principalTransformation
Principal transformation properties. -
returnNull
TriStateBoolean returnNull
Return a null principal object if no attributes can be found for the principal. -
useExistingPrincipalId
TriStateBoolean useExistingPrincipalId
Uses an existing principal id that may have already been established in order to run person directory queries. This is generally useful in situations where authentication is delegated to an external identity provider and a principal is first established to then query an attribute source.
-
-
Class org.apereo.cas.configuration.model.core.authentication.PrincipalAttributesCoreProperties
class PrincipalAttributesCoreProperties extends Object implements Serializable- serialVersionUID:
- -4525569588579072890L
-
Serialized Fields
-
aggregation
PrincipalAttributesCoreProperties.AggregationStrategyTypes aggregation
Indicates how the results of multiple attribute repositories should be aggregated together. -
defaultAttributesToRelease
Set<String> defaultAttributesToRelease
CAS provides the ability to release a bundle of principal attributes to all services by default. This bundle is not defined on a per-service basis and is always combined with attributes produced by the specific release policy of the service, such that for instance, you can devise rules to always release givenName and cn to every application, and additionally allow other specific principal attributes for only some applications per their attribute release policy. -
expirationTime
int expirationTime
Indicates the global cache expiration period, once attributes are fetched from the underlying attribute repository. A zero or negative value indicates that no attribute caching should take place where attributes must always be fetched from the source. -
expirationTimeUnit
String expirationTimeUnit
Expiration caching time unit for attributes. -
maximumCacheSize
int maximumCacheSize
Indicates the global cache size used to store attributes retrieved from the attribute repository. -
merger
PrincipalAttributesCoreProperties.MergingStrategyTypes merger
Merging strategies can be used to resolve conflicts when the same attributes are found from multiple sources. A merging strategy is used to handle conflicts for both principal attributes as well as those that are captured by the authentication attempt. Conflicts arise when the multiple attribute sources or repositories produce the same attribute with the same name, or when there are multiple legs in an authentication flow that produce the same attribute as authentication metadata for each leg of the attempt (i.e. when going through MFA flows). -
recoverExceptions
boolean recoverExceptions
Recover from LDAP exceptions and continue with partial results. Otherwise, fail and do not allow the login. -
requireAllRepositorySources
boolean requireAllRepositorySources
In the event that multiple attribute repositories are defined, setting this option to true forces all repositories to produce a person object. If any of the repositories fails to produce a person or person attributes, the resolution engine will halt to short-circuit the process, failing to resolve the person altogether. -
stopCascadingWhenNoInitialResults
boolean stopCascadingWhenNoInitialResults
When PrincipalAttributesCoreProperties.aggregation is set to PrincipalAttributesCoreProperties.AggregationStrategyTypes.CASCADE, this setting controls whether subsequent attribute repositories need to be contacted for person attributes, if the first attribute repository's query does not produce any results.
-
-
Class org.apereo.cas.configuration.model.core.authentication.PrincipalAttributesProperties
class PrincipalAttributesProperties extends Object implements Serializable- serialVersionUID:
- -4515569588579072890L
-
Serialized Fields
-
attributeDefinitionStore
AttributeDefinitionStoreProperties attributeDefinitionStore
Reference to the attribute definition store that contains metadata about attributes and their encoding specifics. -
azureActiveDirectory
List<AzureActiveDirectoryAttributesProperties> azureActiveDirectory
Retrieve attributes from multiple Microsoft Graph instances. -
core
PrincipalAttributesCoreProperties core
Attribute resolution core/common settings. -
groovy
List<GroovyPrincipalAttributesProperties> groovy
Retrieve attributes from multiple Groovy scripts. -
grouper
GrouperPrincipalAttributesProperties grouper
Use Grouper to fetch principal attributes. You will also need to ensure grouper.client.properties is available on the classpath (i.e. src/main/resources) and that it contains the following:
grouperClient.webService.url = http://192.168.99.100:32768/grouper-ws/servicesRest
grouperClient.webService.login = banderson
grouperClient.webService.password = password
-
jdbc
List<JdbcPrincipalAttributesProperties> jdbc
Retrieve attributes from multiple JDBC repositories. -
json
List<JsonPrincipalAttributesProperties> json
Retrieve attributes from multiple JSON file repositories. -
ldap
List<LdapPrincipalAttributesProperties> ldap
Retrieve attributes from multiple LDAP servers. -
okta
OktaPrincipalAttributesProperties okta
Fetch user attributes from Okta. -
redis
List<RedisPrincipalAttributesProperties> redis
Retrieve attributes from redis repositories. -
rest
List<RestPrincipalAttributesProperties> rest
Retrieve attributes from multiple REST endpoints. -
stub
StubPrincipalAttributesProperties stub
Use stubbed attribute definitions as the underlying attribute repository source. Static attributes that need to be mapped to a hardcoded value belong here. -
syncope
SyncopePrincipalAttributesProperties syncope
Fetch user attributes from Apache Syncope.
-
-
Class org.apereo.cas.configuration.model.core.authentication.PrincipalTransformationProperties
class PrincipalTransformationProperties extends Object implements Serializable- serialVersionUID:
- 1678602647607236322L
-
Serialized Fields
-
blockingPattern
String blockingPattern
A regular expression that will be used against the username to match for blocking/forbidden values. If a match is found, an exception will be thrown and principal transformation will fail. -
caseConversion
PrincipalTransformationProperties.CaseConversion caseConversion
Indicate whether the principal identifier should be transformed into upper-case, lower-case, etc. -
groovy
GroovyPrincipalTransformationProperties groovy
Transform usernames using a Groovy resource. -
pattern
String pattern
A regular expression that will be used against the provided username for username extractions. On a successful match, the first matched group in the pattern will be used as the extracted username. -
prefix
String prefix
Prefix to add to the principal id prior to authentication. -
suffix
String suffix
Suffix to add to the principal id prior to authentication.
-
-
Class org.apereo.cas.configuration.model.core.authentication.RegisteredServiceAuthenticationHandlerResolutionProperties
class RegisteredServiceAuthenticationHandlerResolutionProperties extends Object implements Serializable- serialVersionUID:
- 8079027843747126083L
-
Serialized Fields
-
order
int order
The execution order of this resolver in the chain of authentication handler resolvers.
-
-
Class org.apereo.cas.configuration.model.core.authentication.RestAuthenticationPolicyProperties
class RestAuthenticationPolicyProperties extends BaseRestEndpointProperties implements Serializable- serialVersionUID:
- -8979188862774758908L
-
Class org.apereo.cas.configuration.model.core.authentication.RestfulAdaptiveAuthenticationIPIntelligenceProperties
class RestfulAdaptiveAuthenticationIPIntelligenceProperties extends RestEndpointProperties implements Serializable- serialVersionUID:
- 3659099897056632608L
-
Class org.apereo.cas.configuration.model.core.authentication.RestPrincipalAttributesProperties
class RestPrincipalAttributesProperties extends RestEndpointProperties implements Serializable- serialVersionUID:
- -30055974448426360L
-
Serialized Fields
-
caseInsensitive
boolean caseInsensitive
Whether attribute repository should consider the underlying attribute names in a case-insensitive manner. -
id
String id
A value can be assigned to this field to uniquely identify this resolver. -
order
int order
The order of this attribute repository in the chain of repositories. Can be used to explicitly position this source in the chain and affects merging strategies. -
state
AttributeRepositoryStates state
Whether attribute resolution based on this source is enabled. -
usernameAttribute
String usernameAttribute
The attribute name that would be used to look up and determine the user id from the query map. The value linked to this attribute would be used as the username or subject by the attribute repository to pass on to the ultimate source to locate the user record.
-
-
Class org.apereo.cas.configuration.model.core.authentication.StubPrincipalAttributesProperties
class StubPrincipalAttributesProperties extends Object implements Serializable- serialVersionUID:
- 7017508256487553063L
-
Serialized Fields
-
attributes
Map<String, String> attributes
Static attributes that need to be mapped to a hardcoded value belong here. The structure follows a key-value pair where key is the attribute name and value is the attribute value. The key is the attribute fetched from the source and the value is the attribute name CAS should use for virtual renames. Attributes may be allowed to be virtually renamed and remapped. The key in the attribute map is the original attribute, and the value should be the virtually-renamed attribute.
-
id
String id
A value can be assigned to this field to uniquely identify this resolver. -
order
int order
The order of this attribute repository in the chain of repositories. Can be used to explicitly position this source in the chain and affects merging strategies. -
state
AttributeRepositoryStates state
Whether attribute resolution based on this source is enabled.
-
-
Class org.apereo.cas.configuration.model.core.authentication.TimeBasedAuthenticationProperties
class TimeBasedAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 3826749727400569308L
-
Serialized Fields
-
onDays
List<String> onDays
Trigger mfa on the following days of the week. -
onOrAfterHour
long onOrAfterHour
Trigger mfa after this hour, specified in 24-hour format. -
onOrBeforeHour
long onOrBeforeHour
Trigger mfa before this hour, specified in 24-hour format. -
providerId
String providerId
The mfa provider id that should be triggered.
-
-
-
Package org.apereo.cas.configuration.model.core.authentication.passwordsync
-
Class org.apereo.cas.configuration.model.core.authentication.passwordsync.LdapPasswordSynchronizationProperties
class LdapPasswordSynchronizationProperties extends AbstractLdapSearchProperties implements Serializable- serialVersionUID:
- -2521286056194686825L
-
Serialized Fields
-
enabled
boolean enabled
Whether or not password sync should be enabled for this ldap instance. -
passwordAttribute
String passwordAttribute
Name of the LDAP attribute that should hold the password. -
passwordSynchronizationFailureFatal
boolean passwordSynchronizationFailureFatal
If synchronization fails for any reason (i.e. the password update fails or the user account cannot be found), control whether the failure should be considered fatal.
-
-
Class org.apereo.cas.configuration.model.core.authentication.passwordsync.PasswordSynchronizationProperties
class PasswordSynchronizationProperties extends Object implements Serializable- serialVersionUID:
- -3878237508646993100L
-
Serialized Fields
-
enabled
boolean enabled
Allow password synchronization to be turned off globally. -
ldap
List<LdapPasswordSynchronizationProperties> ldap
Options for password sync via LDAP.
-
-
-
Package org.apereo.cas.configuration.model.core.authentication.policy
-
Class org.apereo.cas.configuration.model.core.authentication.policy.AllCredentialsAuthenticationPolicyProperties
class AllCredentialsAuthenticationPolicyProperties extends BaseAuthenticationPolicyProperties implements Serializable- serialVersionUID:
- 928409456096460793L
-
Class org.apereo.cas.configuration.model.core.authentication.policy.AllHandlersAuthenticationPolicyProperties
class AllHandlersAuthenticationPolicyProperties extends BaseAuthenticationPolicyProperties implements Serializable- serialVersionUID:
- 928409456096460793L
-
Class org.apereo.cas.configuration.model.core.authentication.policy.AnyCredentialAuthenticationPolicyProperties
class AnyCredentialAuthenticationPolicyProperties extends BaseAuthenticationPolicyProperties implements Serializable- serialVersionUID:
- 4600357071276768175L
-
Serialized Fields
-
tryAll
boolean tryAll
Avoid short-circuiting and try every handler even if a prior one succeeded. Ensure the number of provided credentials does not match the sum of authentication successes and failures.
-
-
Class org.apereo.cas.configuration.model.core.authentication.policy.BaseAuthenticationPolicyProperties
class BaseAuthenticationPolicyProperties extends Object implements Serializable- serialVersionUID:
- -1830217018850738715L
-
Serialized Fields
-
enabled
boolean enabled
Enables the policy. -
name
String name
The name of the authentication policy. -
order
int order
The execution order of this policy.
-
-
Class org.apereo.cas.configuration.model.core.authentication.policy.NotPreventedAuthenticationPolicyProperties
class NotPreventedAuthenticationPolicyProperties extends BaseAuthenticationPolicyProperties implements Serializable- serialVersionUID:
- 8184166804664983317L
-
Class org.apereo.cas.configuration.model.core.authentication.policy.RequiredAttributesAuthenticationPolicyProperties
class RequiredAttributesAuthenticationPolicyProperties extends BaseAuthenticationPolicyProperties implements Serializable- serialVersionUID:
- -4216244023952315821L
-
Class org.apereo.cas.configuration.model.core.authentication.policy.RequiredAuthenticationHandlerAuthenticationPolicyProperties
class RequiredAuthenticationHandlerAuthenticationPolicyProperties extends BaseAuthenticationPolicyProperties implements Serializable- serialVersionUID:
- -4206244023952305821L
-
Serialized Fields
-
handlerName
String handlerName
The handler name which must have successfully executed and validated credentials. -
tryAll
boolean tryAll
Ensure number of provided credentials does not match the sum of authentication successes and failures.
-
-
Class org.apereo.cas.configuration.model.core.authentication.policy.UniquePrincipalAuthenticationPolicyProperties
class UniquePrincipalAuthenticationPolicyProperties extends BaseAuthenticationPolicyProperties implements Serializable- serialVersionUID:
- -4930217087310738715L
-
Serialized Fields
-
maximumAllowedSessions
int maximumAllowedSessions
Total number of allowed sessions that users can use simultaneously. Default is 0, which means a user can only have one session.
-
-
-
Package org.apereo.cas.configuration.model.core.authentication.risk
-
Class org.apereo.cas.configuration.model.core.authentication.risk.RiskBasedAuthenticationCoreProperties
class RiskBasedAuthenticationCoreProperties extends Object implements Serializable- serialVersionUID:
- 511801361041617794L
-
Serialized Fields
-
daysInRecentHistory
long daysInRecentHistory
Indicates how far back the search in authentication history must go in order to locate authentication events. -
threshold
double threshold
The risk threshold factor beyond which the authentication event may be considered risky.
-
-
Class org.apereo.cas.configuration.model.core.authentication.risk.RiskBasedAuthenticationDateTimeProperties
class RiskBasedAuthenticationDateTimeProperties extends Object implements Serializable- serialVersionUID:
- -3776875583039922050L
-
Serialized Fields
-
enabled
boolean enabled
Enable date/time checking and criteria to calculate risky authentication attempts. -
windowInHours
int windowInHours
The hourly window used before and after each authentication event in calculation to establish a pattern that can then be compared against the threshold.
-
-
Class org.apereo.cas.configuration.model.core.authentication.risk.RiskBasedAuthenticationGeoLocationProperties
class RiskBasedAuthenticationGeoLocationProperties extends Object implements Serializable- serialVersionUID:
- 4115333388680538358L
-
Serialized Fields
-
enabled
boolean enabled
Enable geolocation checking and criteria to calculate risky authentication attempts.
-
-
Class org.apereo.cas.configuration.model.core.authentication.risk.RiskBasedAuthenticationIpAddressProperties
class RiskBasedAuthenticationIpAddressProperties extends Object implements Serializable- serialVersionUID:
- 577801361041617794L
-
Serialized Fields
-
enabled
boolean enabled
Enable IP address checking and criteria to calculate risky authentication attempts.
-
-
Class org.apereo.cas.configuration.model.core.authentication.risk.RiskBasedAuthenticationProperties
class RiskBasedAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 3826749727400569308L
-
Serialized Fields
-
agent
RiskBasedAuthenticationUserAgentProperties agent
Handle risky authentication attempts via a user-agent criteria. -
core
RiskBasedAuthenticationCoreProperties core
Core configuration settings for assessing risky authentication attempts. -
dateTime
RiskBasedAuthenticationDateTimeProperties dateTime
Handle risky authentication attempts via date/time criteria. -
geoLocation
RiskBasedAuthenticationGeoLocationProperties geoLocation
Handle risky authentication attempts via geolocation criteria. -
ip
RiskBasedAuthenticationIpAddressProperties ip
Handle risky authentication attempts via IP address criteria. -
response
RiskBasedAuthenticationResponseProperties response
Design how responses should be handled, in the event that an authentication event is deemed risky.
-
-
Class org.apereo.cas.configuration.model.core.authentication.risk.RiskBasedAuthenticationResponseProperties
class RiskBasedAuthenticationResponseProperties extends Object implements Serializable- serialVersionUID:
- 8254082561120701582L
-
Serialized Fields
-
blockAttempt
boolean blockAttempt
If an authentication attempt is deemed risky, block the response and do not allow further attempts. -
getRiskVerificationHistory
String getRiskVerificationHistory
Risk confirmation attempts are only evaluated up to a point in history, controlled by this setting. That is to say, authentication attempts that are detected as risky are evaluated against previous confirmations in history using this time window. Once we move beyond this point in the history of authentication attempts, the confirmations no longer hold and the user will be asked to verify their attempt again. -
mail
EmailProperties mail
Email settings for notifications, if an authentication attempt is deemed risky. -
mfaProvider
String mfaProvider
If an authentication attempt is deemed risky, force a multi-factor authentication event noted by the provider id here. -
riskVerificationTokenExpiration
String riskVerificationTokenExpiration
Control the expiration window of the verification token that can be used to verify and confirm risky authentication attempts. -
riskyAuthenticationAttribute
String riskyAuthenticationAttribute
If an authentication attempt is deemed risky, communicate the nature of this attempt back to the application via a special attribute in the final CAS response indicated here. -
sms
SmsProperties sms
SMS settings for notifications, if an authentication attempt is deemed risky.
-
-
Class org.apereo.cas.configuration.model.core.authentication.risk.RiskBasedAuthenticationUserAgentProperties
class RiskBasedAuthenticationUserAgentProperties extends Object implements Serializable- serialVersionUID:
- 7766080681971729400L
-
Serialized Fields
-
enabled
boolean enabled
Enable user-agent checking and criteria to calculate risky authentication attempts.
-
-
-
Package org.apereo.cas.configuration.model.core.authz
-
Class org.apereo.cas.configuration.model.core.authz.AccessStrategyProperties
class AccessStrategyProperties extends Object implements Serializable- serialVersionUID:
- 2624916460241033347L
-
Serialized Fields
-
groovy
SpringResourceProperties groovy
Groovy script to execute access strategy and authorization logic.
-
-
-
Package org.apereo.cas.configuration.model.core.cache
-
Class org.apereo.cas.configuration.model.core.cache.ExpiringSimpleCacheProperties
class ExpiringSimpleCacheProperties extends SimpleCacheProperties implements Serializable- serialVersionUID:
- -268826011744304210L
-
Serialized Fields
-
duration
String duration
Cache duration specifies the fixed duration for an entry to be automatically removed from the cache after its creation.
-
-
Class org.apereo.cas.configuration.model.core.cache.SimpleCacheProperties
class SimpleCacheProperties extends Object implements Serializable- serialVersionUID:
- -168826011744304210L
-
Serialized Fields
-
cacheSize
long cacheSize
This cache size specifies the maximum number of entries the cache may contain. Note that the cache may evict an entry before this limit is exceeded or temporarily exceed the threshold while evicting. As the cache size grows close to the maximum, the cache evicts entries that are less likely to be used again. For example, the cache may evict an entry because it hasn't been used recently or very often. Note: to disable the cache, you may choose a cache size of 0. -
initialCapacity
int initialCapacity
This cache capacity sets the minimum total size for the internal data structures. Providing a large enough estimate at construction time avoids the need for expensive resizing operations later, but setting this value unnecessarily high wastes memory.
-
-
-
Package org.apereo.cas.configuration.model.core.config.cloud
-
Class org.apereo.cas.configuration.model.core.config.cloud.SpringCloudConfigurationProperties
class SpringCloudConfigurationProperties extends Object implements Serializable- serialVersionUID:
- -2749293768878152908L
-
Serialized Fields
-
cloud
SpringCloudConfigurationProperties.Cloud cloud
Cloud config settings.
-
-
Class org.apereo.cas.configuration.model.core.config.cloud.SpringCloudConfigurationProperties.AmazonDynamoDb
class AmazonDynamoDb extends AbstractDynamoDbProperties implements Serializable- serialVersionUID:
- -123404249388429120L
-
Class org.apereo.cas.configuration.model.core.config.cloud.SpringCloudConfigurationProperties.AmazonS3
class AmazonS3 extends BaseAmazonWebServicesProperties implements Serializable- serialVersionUID:
- -124404249387429120L
-
Serialized Fields
-
bucketName
String bucketName
Bucket name that holds the settings.
-
-
Class org.apereo.cas.configuration.model.core.config.cloud.SpringCloudConfigurationProperties.AmazonSecretsManager
class AmazonSecretsManager extends BaseAmazonWebServicesProperties implements Serializable- serialVersionUID:
- -124404249387429120L
-
Class org.apereo.cas.configuration.model.core.config.cloud.SpringCloudConfigurationProperties.AmazonSystemsManagerParameterStore
class AmazonSystemsManagerParameterStore extends BaseAmazonWebServicesProperties implements Serializable- serialVersionUID:
- -224404249387429120L
-
Class org.apereo.cas.configuration.model.core.config.cloud.SpringCloudConfigurationProperties.AmazonWebServicesConfiguration
class AmazonWebServicesConfiguration extends Object implements Serializable- serialVersionUID:
- -124404249388429120L
-
Serialized Fields
-
dynamoDb
SpringCloudConfigurationProperties.AmazonDynamoDb dynamoDb
AWS dynamo db settings. -
s3
SpringCloudConfigurationProperties.AmazonS3 s3
AWS S3 settings. -
secretsManager
SpringCloudConfigurationProperties.AmazonSecretsManager secretsManager
AWS secrets manager settings. -
ssm
SpringCloudConfigurationProperties.AmazonSystemsManagerParameterStore ssm
AWS SSM settings.
-
-
Class org.apereo.cas.configuration.model.core.config.cloud.SpringCloudConfigurationProperties.Cloud
class Cloud extends Object implements Serializable- serialVersionUID:
- -6326706651416825269L
-
Serialized Fields
-
aws
SpringCloudConfigurationProperties.AmazonWebServicesConfiguration aws
AWS config settings. -
dynamoDb
SpringCloudConfigurationProperties.AmazonDynamoDb dynamoDb
AWS DynamoDb config settings. -
jdbc
SpringCloudConfigurationProperties.Jdbc jdbc
Jdbc config settings. -
mongo
SpringCloudConfigurationProperties.MongoDb mongo
MongoDb config settings. -
rest
SpringCloudConfigurationProperties.Rest rest
REST config settings.
-
-
Class org.apereo.cas.configuration.model.core.config.cloud.SpringCloudConfigurationProperties.Jdbc
class Jdbc extends Object implements Serializable- serialVersionUID:
- -7575240387340025345L
-
Class org.apereo.cas.configuration.model.core.config.cloud.SpringCloudConfigurationProperties.MongoDb
class MongoDb extends Object implements Serializable- serialVersionUID:
- -6509143371334754469L
-
Serialized Fields
-
uri
String uri
Mongodb URI.
-
-
Class org.apereo.cas.configuration.model.core.config.cloud.SpringCloudConfigurationProperties.Rest
class Rest extends RestEndpointProperties implements Serializable- serialVersionUID:
- -4509143371334754469L
-
-
Package org.apereo.cas.configuration.model.core.config.standalone
-
Class org.apereo.cas.configuration.model.core.config.standalone.StandaloneConfigurationProperties
class StandaloneConfigurationProperties extends Object implements Serializable- serialVersionUID:
- -7749293768878152908L
-
Serialized Fields
-
configurationDirectory
File configurationDirectory
Describes a directory path where CAS configuration may be found. -
configurationFile
File configurationFile
Describes a file path that contains the CAS properties in a single file. -
configurationSecurity
StandaloneConfigurationSecurityProperties configurationSecurity
Configuration security settings used to encrypt/decrypt values. Settings are typically expected to be provided via command-line properties or system/environment variables as properties are bootstrapped and fetched. They are placed here to allow CAS to recognize their validity when passed.
-
-
Class org.apereo.cas.configuration.model.core.config.standalone.StandaloneConfigurationSecurityProperties
class StandaloneConfigurationSecurityProperties extends Object implements Serializable- serialVersionUID:
- 8571848605614437022L
-
Serialized Fields
-
alg
String alg
Algorithm to use when deciphering settings. Default algorithm is PBEWithMD5AndTripleDES. -
initializationVector
Boolean initializationVector
An initialization vector is required for PBEWithDigestAndAES algorithms that aren't BouncyCastle. Enabling an initialization vector will break passwords encrypted without one. Toggling this value will make pre-existing non-PBEWithDigestAndAES encrypted passwords not work. For non-BouncyCastle PBEWithDigestAndAES algorithms that require an initialization vector, one will be used regardless of this setting since backwards compatibility with existing passwords using those algorithms is not an issue (since they didn't work in previous CAS versions). The default value is false so as not to break existing encrypted passwords. In general the use of an initialization vector will increase the encrypted text's length. -
iterations
long iterations
Total number of iterations to use when deciphering settings. The default value of 1000 comes from Jasypt. -
provider
String provider
Security provider to use when deciphering settings. Leave blank for Java, BC for BouncyCastle. -
psw
String psw
Secret key/password to use when deciphering settings.
-
-
-
Package org.apereo.cas.configuration.model.core.events
-
Class org.apereo.cas.configuration.model.core.events.CoreEventsProperties
class CoreEventsProperties extends Object implements Serializable- serialVersionUID:
- 2734523424737956370L
-
Serialized Fields
-
enabled
boolean enabled
Whether event tracking and recording functionality should be enabled. -
trackConfigurationModifications
boolean trackConfigurationModifications
Whether CAS should track the underlying configuration store for changes. This depends on whether the store provides that sort of functionality. When running in standalone mode, this typically translates to CAS monitoring configuration files and reloading context conditionally if there are any changes. -
trackGeolocation
boolean trackGeolocation
Whether geolocation should be tracked as part of collected authentication events. This of course requires consent from the user's browser to collect stats on location. Turning on this setting would prompt the browser to ask for the user's consent to collect geolocation directly. If geolocation information is not available using this strategy, it may still be extracted and determined based on the client IP address at the time the event is being recorded and captured by CAS.
-
-
Class org.apereo.cas.configuration.model.core.events.DynamoDbEventsProperties
class DynamoDbEventsProperties extends AbstractDynamoDbProperties implements Serializable- serialVersionUID:
- 612447148774854955L
-
Serialized Fields
-
tableName
String tableName
The table name used and created by CAS to hold events in DynamoDb.
-
-
Class org.apereo.cas.configuration.model.core.events.EventsProperties
class EventsProperties extends Object implements Serializable- serialVersionUID:
- 1734523424737956370L
-
Serialized Fields
-
core
CoreEventsProperties core
Core and common events settings. -
dynamoDb
DynamoDbEventsProperties dynamoDb
Track authentication events inside a DynamoDb instance. -
influxDb
InfluxDbEventsProperties influxDb
Track authentication events inside an influxdb database. -
jpa
JpaEventsProperties jpa
Track authentication events inside a database. -
mongo
MongoDbEventsProperties mongo
Track authentication events inside a mongodb instance. -
redis
RedisEventsProperties redis
Track authentication events inside a Redis instance.
-
-
Class org.apereo.cas.configuration.model.core.events.InfluxDbEventsProperties
class InfluxDbEventsProperties extends InfluxDbProperties implements Serializable- serialVersionUID:
- -3918436901491275547L
-
Class org.apereo.cas.configuration.model.core.events.JpaEventsProperties
class JpaEventsProperties extends AbstractJpaProperties implements Serializable- serialVersionUID:
- 7647381223153797806L
-
Serialized Fields
-
enabled
boolean enabled
Whether capturing events via JPA is enabled.
-
-
Class org.apereo.cas.configuration.model.core.events.MongoDbEventsProperties
class MongoDbEventsProperties extends SingleCollectionMongoDbProperties implements Serializable- serialVersionUID:
- -1918436901491275547L
-
Class org.apereo.cas.configuration.model.core.events.RedisEventsProperties
class RedisEventsProperties extends BaseRedisProperties implements Serializable- serialVersionUID:
- 9027696961101634818L
-
-
Package org.apereo.cas.configuration.model.core.logging
-
Class org.apereo.cas.configuration.model.core.logging.LoggingProperties
class LoggingProperties extends Object implements Serializable- serialVersionUID:
- 7455171260665661949L
-
Serialized Fields
-
mdcEnabled
boolean mdcEnabled
Allow CAS to add http request details into the logging's MDC filter. Mapped Diagnostic Context is essentially a map maintained by the logging framework where the application code provides key-value pairs which can then be inserted by the logging framework in log messages. MDC data can also be highly helpful in filtering messages or triggering certain actions.
-
-
-
Package org.apereo.cas.configuration.model.core.logout
-
Class org.apereo.cas.configuration.model.core.logout.LogoutProperties
class LogoutProperties extends Object implements Serializable- serialVersionUID:
- 7466171260665661949L
-
Serialized Fields
-
confirmLogout
boolean confirmLogout
Before logout, allow the option to confirm on the web interface. -
followServiceRedirects
boolean followServiceRedirects
Whether CAS should be allowed to redirect to an alternative location after logout. -
redirectParameter
List<String> redirectParameter
The target destination to which CAS should redirect after logout is indicated and extracted by a parameter name of your choosing here. If none is specified, the default parameter name service will be used. -
redirectUrl
String redirectUrl
A url to which CAS must immediately redirect after all logout operations have completed. Typically useful in scenarios where CAS is acting as a proxy and needs to redirect to an external identity provider's logout endpoint in order to remove a session, etc.
-
-
-
Package org.apereo.cas.configuration.model.core.monitor
-
Class org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointProperties
class ActuatorEndpointProperties extends Object implements Serializable- serialVersionUID:
- -2463521198550485506L
-
Serialized Fields
-
access
List<ActuatorEndpointProperties.EndpointAccessLevel> access
Define the security access level of the endpoint. -
requiredAuthorities
List<String> requiredAuthorities
Required user authorities. -
requiredIpAddresses
List<String> requiredIpAddresses
Required IP addresses. CIDR ranges are accepted. -
requiredRoles
List<String> requiredRoles
Required user roles.
-
-
Class org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointsMonitorProperties
class ActuatorEndpointsMonitorProperties extends Object implements Serializable- serialVersionUID:
- -3375777593395683691L
-
Serialized Fields
-
endpoint
Map<String, ActuatorEndpointProperties> endpoint
Options for monitoring sensitive CAS endpoints and resources. Acts as a parent class for all endpoints and settings and exposes shortcuts so security and capability of endpoints can be globally controlled from one spot and then overridden elsewhere. -
formLoginEnabled
boolean formLoginEnabled
Control whether access to endpoints can be controlled via form-based login over the web via a special admin login endpoint. -
jaas
JaasSecurityActuatorEndpointsMonitorProperties jaas
Enable Spring Security's JAAS authentication provider for admin status authorization and access control. -
jdbc
JdbcSecurityActuatorEndpointsMonitorProperties jdbc
Enable Spring Security's JDBC authentication provider for admin status authorization and access control. -
ldap
LdapSecurityActuatorEndpointsMonitorProperties ldap
Enable Spring Security's LDAP authentication provider for admin status authorization and access control.
-
-
Class org.apereo.cas.configuration.model.core.monitor.JaasSecurityActuatorEndpointsMonitorProperties
class JaasSecurityActuatorEndpointsMonitorProperties extends Object implements Serializable- serialVersionUID:
- -3024678577827371641L
-
Serialized Fields
-
loginContextName
String loginContextName
The login context name should coincide with a given index in the login config specified. This name is used as the index to the configuration specified in the login config property. For example:
JAASTest { org.springframework.security.authentication.jaas.TestLoginModule required; };
In the above example, JAASTest should be set as the context name. -
refreshConfigurationOnStartup
boolean refreshConfigurationOnStartup
If set, a call to Configuration#refresh() will be made by the #configureJaas(Resource) method.
-
-
Class org.apereo.cas.configuration.model.core.monitor.JdbcMonitorProperties
class JdbcMonitorProperties extends AbstractJpaProperties implements Serializable- serialVersionUID:
- -7139788158851782673L
-
Class org.apereo.cas.configuration.model.core.monitor.JdbcSecurityActuatorEndpointsMonitorProperties
class JdbcSecurityActuatorEndpointsMonitorProperties extends AbstractJpaProperties implements Serializable- serialVersionUID:
- 2625666117528467867L
-
Serialized Fields
-
passwordEncoder
PasswordEncoderProperties passwordEncoder
Password encoder properties. -
query
String query
Query to execute in order to authenticate users via JDBC. Example: SELECT username,password,enabled FROM users WHERE username=?
-
rolePrefix
String rolePrefix
Prefix to add to the role.
-
-
Class org.apereo.cas.configuration.model.core.monitor.LdapMonitorProperties
class LdapMonitorProperties extends AbstractLdapProperties implements Serializable- serialVersionUID:
- 4722929378440179113L
-
Serialized Fields
-
enabled
boolean enabled
Whether LDAP monitoring should be enabled. -
maxWait
String maxWait
When monitoring the LDAP connection pool, indicates the amount of time the operation must wait before it times out and considers the pool in bad shape. -
pool
ConnectionPoolingProperties pool
Options that define the thread pool that will ping on the ldap pool.
-
-
Class org.apereo.cas.configuration.model.core.monitor.LdapSecurityActuatorEndpointsMonitorProperties
class LdapSecurityActuatorEndpointsMonitorProperties extends AbstractLdapAuthenticationProperties implements Serializable- serialVersionUID:
- -7333244539096172557L
-
Serialized Fields
-
ldapAuthz
LdapAuthorizationProperties ldapAuthz
Control authorization settings via LDAP after ldap authentication.
-
-
Class org.apereo.cas.configuration.model.core.monitor.MemcachedMonitorProperties
class MemcachedMonitorProperties extends BaseMemcachedProperties implements Serializable- serialVersionUID:
- -9139788158851782673L
-
Class org.apereo.cas.configuration.model.core.monitor.MemoryMonitorProperties
class MemoryMonitorProperties extends Object implements Serializable- serialVersionUID:
- -7147060071480971606L
-
Serialized Fields
-
freeMemThreshold
double freeMemThreshold
The free memory threshold for the memory monitor. If the amount of free memory available reaches this point the memory monitor will report back a warning status as a health check.
-
-
Class org.apereo.cas.configuration.model.core.monitor.MongoDbMonitorProperties
class MongoDbMonitorProperties extends BaseMongoDbProperties implements Serializable- serialVersionUID:
- -1918436901491275547L
-
Class org.apereo.cas.configuration.model.core.monitor.MonitorProperties
class MonitorProperties extends Object implements Serializable- serialVersionUID:
- -7047060071480971606L
-
Serialized Fields
-
endpoints
ActuatorEndpointsMonitorProperties endpoints
Properties relevant to endpoint security, etc. -
jdbc
JdbcMonitorProperties jdbc
Options for monitoring JDBC resources. -
ldap
List<LdapMonitorProperties> ldap
Options for monitoring LDAP resources. -
load
ServerLoadMonitorProperties load
Options for monitoring the Load on a production server. Load averages are "system load averages" that show the running thread (task) demand on the system as an average number of running plus waiting threads. This measures demand, which can be greater than what the system is currently processing. -
memcached
MemcachedMonitorProperties memcached
Options for monitoring Memcached resources. -
memory
MemoryMonitorProperties memory
Options to monitor memory availability. -
mongo
List<MongoDbMonitorProperties> mongo
Options for monitoring MongoDb resources. -
st
ServiceTicketMonitorProperties st
Options for monitoring the status and production of STs. -
tgt
TicketGrantingTicketMonitorProperties tgt
Options for monitoring the status and production of TGTs. -
warn
MonitorWarningProperties warn
Warning options that generally deal with cache-based resources, etc.
-
-
Class org.apereo.cas.configuration.model.core.monitor.MonitorWarningProperties
class MonitorWarningProperties extends Object implements Serializable- serialVersionUID:
- 2788617778375787703L
-
Serialized Fields
-
evictionThreshold
long evictionThreshold
The monitor eviction threshold where if reached, CAS might generate a warning status for health checks. The underlying data source and monitor (i.e. cache) must support the concept of evictions. -
threshold
int threshold
The monitor threshold where if reached, CAS might generate a warning status for health checks.
-
-
Class org.apereo.cas.configuration.model.core.monitor.ServerLoadMonitorProperties
class ServerLoadMonitorProperties extends Object implements Serializable- serialVersionUID:
- 5504478373010611957L
-
Serialized Fields
-
warn
MonitorWarningProperties warn
Warning settings for this monitor.
-
-
Class org.apereo.cas.configuration.model.core.monitor.ServiceTicketMonitorProperties
class ServiceTicketMonitorProperties extends Object implements Serializable- serialVersionUID:
- -8167395674267219982L
-
Serialized Fields
-
warn
MonitorWarningProperties warn
Warning settings for this monitor.
-
-
Class org.apereo.cas.configuration.model.core.monitor.TicketGrantingTicketMonitorProperties
class TicketGrantingTicketMonitorProperties extends Object implements Serializable- serialVersionUID:
- -2756454350350278724L
-
Serialized Fields
-
warn
MonitorWarningProperties warn
Warning options for monitoring TGT production.
-
-
-
Package org.apereo.cas.configuration.model.core.rest
-
Class org.apereo.cas.configuration.model.core.rest.RestProperties
class RestProperties extends Object implements Serializable- serialVersionUID:
- -1833107478273171342L
-
Serialized Fields
-
services
RestRegisteredServicesProperties services
Settings related to the REST APIs dealing with registered services. -
x509
RestX509Properties x509
X509 settings related to the rest protocol and authentication.
-
-
Class org.apereo.cas.configuration.model.core.rest.RestRegisteredServicesProperties
class RestRegisteredServicesProperties extends Object implements Serializable- serialVersionUID:
- -1822107478273171342L
-
Serialized Fields
-
attributeName
String attributeName
Authorization attribute name required by the REST endpoint in order to allow for the requested operation. The attribute must be resolvable for the authenticated principal, or must have already been resolved. -
attributeValue
String attributeValue
Matching authorization attribute value, pulled from the attribute required by the REST endpoint in order to allow for the requested operation. The attribute value may also be constructed as a regex pattern.
-
-
Class org.apereo.cas.configuration.model.core.rest.RestX509Properties
class RestX509Properties extends Object implements Serializable- serialVersionUID:
- -1833117478273171342L
-
Serialized Fields
-
bodyAuth
boolean bodyAuth
Flag that enables X509Certificate extraction from the request body for authentication. -
headerAuth
boolean headerAuth
Flag that enables X509Certificate extraction from the request headers for authentication. -
tlsClientAuth
boolean tlsClientAuth
Flag that enables TLS client X509Certificate extraction from the servlet container for authentication.
-
-
-
Package org.apereo.cas.configuration.model.core.services
-
Class org.apereo.cas.configuration.model.core.services.RestfulServiceRegistryProperties
class RestfulServiceRegistryProperties extends BaseRestEndpointProperties implements Serializable- serialVersionUID:
- 7086088180957285517L
-
Class org.apereo.cas.configuration.model.core.services.ServiceRegistryCoreProperties
class ServiceRegistryCoreProperties extends Object implements Serializable- serialVersionUID:
- -268826011744304210L
-
Serialized Fields
-
initDefaultServices
boolean initDefaultServices
Flag that indicates whether service definitions that ship with CAS by default should be included in the initialization process and imported into CAS service registry. Default service files that ship with CAS are found on the classpath inside the "services" directory. -
initFromJson
boolean initFromJson
Flag that indicates whether to initialise the active service registry implementation with a set of service definitions included with CAS by default in JSON format. The initialization generally tends to find JSON service definitions from SpringResourceProperties.getLocation(). In cases where the location points to an embedded directory or resource inside a JAR/ZIP file, such as those that might have been packaged with the CAS application as part of the build and assembly process, embedded services are first exported out into a temporary directory and then read as file-system resources. In such scenarios, you may want to turn off the watcher via JsonServiceRegistryProperties.isWatcherEnabled(). If the default location offered by CAS, "services", is used, CAS would attempt to locate JSON service files by forming the following pattern for each active spring application profile:
classpath*:/"services"/profile-id/*.json
You may also control whether default services should be included and initialized via ServiceRegistryCoreProperties.isInitDefaultServices(). -
managementType
ServiceRegistryCoreProperties.ServiceManagementTypes managementType
Determine how services are internally managed, queried, cached and reloaded by CAS.
-
-
Class org.apereo.cas.configuration.model.core.services.ServiceRegistryProperties
class ServiceRegistryProperties extends Object implements Serializable- serialVersionUID:
- -368826011744304210L
-
Serialized Fields
-
amazonS3
AmazonS3ServiceRegistryProperties amazonS3
Properties pertaining to amazon s3 service registry. -
cache
ExpiringSimpleCacheProperties cache
Registry caching settings. -
cassandra
CassandraServiceRegistryProperties cassandra
Properties pertaining to Apache Cassandra service registry. -
core
ServiceRegistryCoreProperties core
Registry core/common settings. -
cosmosDb
CosmosDbServiceRegistryProperties cosmosDb
Properties pertaining to Cosmos DB service registry. -
dynamoDb
DynamoDbServiceRegistryProperties dynamoDb
Properties pertaining to dynamo db service registry. -
git
GitServiceRegistryProperties git
Properties pertaining to Git-based service registry. -
googleCloudFirestore
GoogleCloudFirestoreServiceRegistryProperties googleCloudFirestore
Properties pertaining to GCP firestore service registry. -
jpa
JpaServiceRegistryProperties jpa
Properties pertaining to jpa service registry. -
json
JsonServiceRegistryProperties json
Properties pertaining to JSON service registry. -
ldap
LdapServiceRegistryProperties ldap
Properties pertaining to ldap service registry. -
mail
EmailProperties mail
Email settings for notifications. -
mongo
MongoDbServiceRegistryProperties mongo
Properties pertaining to mongo db service registry. -
redis
RedisServiceRegistryProperties redis
Properties pertaining to redis service registry. -
rest
RestfulServiceRegistryProperties rest
Properties pertaining to REST service registry. -
schedule
SchedulingProperties schedule
Scheduler settings to indicate how often metadata is reloaded. -
sms
SmsProperties sms
SMS settings for notifications. -
stream
StreamingServiceRegistryProperties stream
Properties pertaining to streaming service registry content over the wire. -
templates
ServiceRegistryTemplatesProperties templates
Registry templated services settings. -
yaml
YamlServiceRegistryProperties yaml
Properties pertaining to YAML service registry.
-
-
-
Package org.apereo.cas.configuration.model.core.slo
-
Class org.apereo.cas.configuration.model.core.slo.SingleLogoutProperties
class SingleLogoutProperties extends Object implements Serializable- serialVersionUID:
- 3676710533477055700L
-
Serialized Fields
-
asynchronous
boolean asynchronous
Whether SLO callbacks should be done in an asynchronous manner via the HTTP client. When true, CAS will not wait for the operation to fully complete and will resume control to carry on. -
disabled
boolean disabled
Whether SLO should be entirely disabled globally for the CAS deployment. -
logoutPropagationType
SingleLogoutProperties.LogoutPropagationTypes logoutPropagationType
Logout propagation type determines how SLO requests will be sent to applications. This is especially applicable when SLO requests are processed using a front-channel mechanism.
-
-
-
Package org.apereo.cas.configuration.model.core.sso
-
Class org.apereo.cas.configuration.model.core.sso.SingleSignOnProperties
class SingleSignOnProperties extends Object implements Serializable- serialVersionUID:
- -8777647966370741733L
-
Serialized Fields
-
createSsoCookieOnRenewAuthn
boolean createSsoCookieOnRenewAuthn
Flag that indicates whether to create an SSO session on a renewed authentication event. -
proxyAuthnEnabled
boolean proxyAuthnEnabled
Indicates whether CAS proxy authentication/tickets are supported by this server implementation. -
renewAuthnEnabled
boolean renewAuthnEnabled
Indicates whether this server implementation should globally support CAS protocol authentication requests that are tagged with "renew=true". -
services
SingleSignOnServicesProperties services
SSO behavior and settings, defined globally, that affect application treatment. -
ssoEnabled
boolean ssoEnabled
Indicate whether single sign-on should be turned on and supported globally for the server.
-
-
Class org.apereo.cas.configuration.model.core.sso.SingleSignOnServicesProperties
class SingleSignOnServicesProperties extends Object implements Serializable- serialVersionUID:
- -1654647966370731722L
-
Serialized Fields
-
allowMissingServiceParameter
boolean allowMissingServiceParameter
Flag that indicates whether to allow an SSO session with a missing target service. By default, CAS will present a generic success page if the initial authentication request does not identify the target application. In some cases, the ability to log in to CAS without logging in to a particular service may be considered a misfeature because in practice, too few users and institutions are prepared to understand, brand, and support what is at best a fringe use case of logging in to CAS for the sake of establishing an SSO session without logging in to any CAS-reliant service.
-
requiredServicePattern
String requiredServicePattern
A regular expression pattern that represents an application which must have established a session with CAS already before access to other applications can be allowed by CAS. This is the initial mandatory/required application with which the user must start before going anywhere else. Services that establish a session with CAS typically do so by receiving a service ticket from CAS.
-
-
-
Package org.apereo.cas.configuration.model.core.templates
-
Class org.apereo.cas.configuration.model.core.templates.ServiceRegistryTemplatesProperties
class ServiceRegistryTemplatesProperties extends Object implements Serializable- serialVersionUID:
- -168826011744304210L
-
Serialized Fields
-
directory
SpringResourceProperties directory
The directory location that holds the template service definitions.
-
-
-
Package org.apereo.cas.configuration.model.core.ticket
-
Class org.apereo.cas.configuration.model.core.ticket.HardTimeoutTicketExpirationPolicyProperties
class HardTimeoutTicketExpirationPolicyProperties extends Object implements Serializable- serialVersionUID:
- 4160963910346416908L
-
Serialized Fields
-
timeToKillInSeconds
String timeToKillInSeconds
Timeout in seconds to kill the session and consider tickets expired.
-
-
Class org.apereo.cas.configuration.model.core.ticket.PrimaryTicketExpirationPolicyProperties
class PrimaryTicketExpirationPolicyProperties extends Object implements Serializable- serialVersionUID:
- 3345179252583399336L
-
Class org.apereo.cas.configuration.model.core.ticket.ProxyGrantingTicketProperties
class ProxyGrantingTicketProperties extends Object implements Serializable- serialVersionUID:
- 8478961497316814687L
-
Serialized Fields
-
maxLength
long maxLength
Maximum length of the proxy granting ticket, when generating one.
-
-
Class org.apereo.cas.configuration.model.core.ticket.ProxyTicketProperties
class ProxyTicketProperties extends Object implements Serializable- serialVersionUID:
- -3690545027059561010L
-
Serialized Fields
-
numberOfUses
long numberOfUses
Number of uses allowed. -
timeToKillInSeconds
long timeToKillInSeconds
Number of seconds after which this ticket becomes invalid.
-
-
Class org.apereo.cas.configuration.model.core.ticket.RememberMeAuthenticationProperties
class RememberMeAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 1899959269597512610L
-
Serialized Fields
-
enabled
boolean enabled
Flag to indicate whether remember-me facility is enabled. -
supportedIpAddresses
String supportedIpAddresses
Regular expression that, when defined, forces CAS to create a remember-me authentication session if the current client ip (remote) address matches this pattern. If a match is not found, remember-me is ignored. If left undefined, remember-me authentication will proceed with the default CAS behavior. -
supportedUserAgents
String supportedUserAgents
Regular expression that, when defined, forces CAS to create a remember-me authentication session if the current user-agent matches this pattern. If a match is not found, remember-me is ignored. If left undefined, remember-me authentication will proceed with the default CAS behavior. -
timeToKillInSeconds
String timeToKillInSeconds
Time in seconds after which remember-me enabled SSO session will be destroyed.
-
-
Class org.apereo.cas.configuration.model.core.ticket.ServiceTicketProperties
class ServiceTicketProperties extends Object implements Serializable- serialVersionUID:
- -7445209580598499921L
-
Serialized Fields
-
maxLength
int maxLength
Maximum length of generated service tickets. -
numberOfUses
long numberOfUses
Controls number of times a service ticket can be used within CAS server. Usage in CAS context means service ticket validation transaction. -
timeToKillInSeconds
String timeToKillInSeconds
Time in seconds that service tickets should be considered live in CAS server.
-
-
Class org.apereo.cas.configuration.model.core.ticket.ThrottledTimeoutTicketExpirationPolicyProperties
class ThrottledTimeoutTicketExpirationPolicyProperties extends Object implements Serializable- serialVersionUID:
- -2370751379747804646L
-
Class org.apereo.cas.configuration.model.core.ticket.TicketGrantingTicketCoreProperties
class TicketGrantingTicketCoreProperties extends Object implements Serializable- serialVersionUID:
- 2349179252583399336L
-
Serialized Fields
-
maxLength
int maxLength
Maximum length of tickets. -
onlyTrackMostRecentSession
boolean onlyTrackMostRecentSession
Flag to control whether to track most recent SSO sessions. As multiple tickets may be issued for the same application, this impacts how session information is tracked for every ticket which then has a subsequent impact on logout.
-
-
Class org.apereo.cas.configuration.model.core.ticket.TicketGrantingTicketProperties
class TicketGrantingTicketProperties extends Object implements Serializable- serialVersionUID:
- 2349079252583399336L
-
Serialized Fields
-
core
TicketGrantingTicketCoreProperties core
Core/common settings. -
hardTimeout
HardTimeoutTicketExpirationPolicyProperties hardTimeout
Hard timeout for tickets. -
primary
PrimaryTicketExpirationPolicyProperties primary
Primary/default expiration policy settings. -
rememberMe
RememberMeAuthenticationProperties rememberMe
Remember me for tickets. -
throttledTimeout
ThrottledTimeoutTicketExpirationPolicyProperties throttledTimeout
Throttled timeout for tickets. -
timeout
TimeoutTicketExpirationPolicyProperties timeout
Timeout for tickets.
-
-
Class org.apereo.cas.configuration.model.core.ticket.TimeoutTicketExpirationPolicyProperties
class TimeoutTicketExpirationPolicyProperties extends Object implements Serializable- serialVersionUID:
- 8635419913795245907L
-
Serialized Fields
-
maxTimeToLiveInSeconds
String maxTimeToLiveInSeconds
Maximum time in seconds for TGTs to be live in the CAS server.
-
-
Class org.apereo.cas.configuration.model.core.ticket.TransientSessionTicketProperties
class TransientSessionTicketProperties extends Object implements Serializable- serialVersionUID:
- -3690545027059561010L
-
Serialized Fields
-
numberOfUses
long numberOfUses
Controls number of times a ticket can be used within CAS server. -
timeToKillInSeconds
long timeToKillInSeconds
Number of seconds after which this ticket becomes invalid.
-
-
-
Package org.apereo.cas.configuration.model.core.ticket.registry
-
Class org.apereo.cas.configuration.model.core.ticket.registry.InMemoryTicketRegistryProperties
class InMemoryTicketRegistryProperties extends Object implements Serializable- serialVersionUID:
- -2600525447128979994L
-
Serialized Fields
-
concurrency
int concurrency
The estimated number of concurrently updating threads. The implementation performs internal sizing to try to accommodate this many threads. -
crypto
EncryptionRandomizedSigningJwtCryptographyProperties crypto
Crypto settings for the registry. -
initialCapacity
int initialCapacity
The initial capacity of the underlying memory store. The implementation performs internal sizing to accommodate this many elements. -
loadFactor
int loadFactor
The load factor threshold, used to control resizing. Resizing may be performed when the average number of elements per bin exceeds this threshold.
-
-
Class org.apereo.cas.configuration.model.core.ticket.registry.StatelessTicketRegistryProperties
class StatelessTicketRegistryProperties extends Object implements Serializable- serialVersionUID:
- -2600525447128979994L
-
Serialized Fields
-
crypto
EncryptionRandomizedSigningJwtCryptographyProperties crypto
Crypto settings for the registry. -
storageType
String storageType
Control how data produced by the registry would be managed and stored by the browser storage.
Browser storage is a web storage technology that allows CAS to store and retrieve data on a user's device. It provides a way to persistently store key-value pairs in a web browser. Unlike cookies, browser storage has a larger storage capacity (usually 5-10 MB per domain), and the data is not sent to the server with every HTTP request, which can improve performance. Browser storage is scoped to a particular CAS domain. Each CAS domain has its own separate storage, and one website cannot access the storage of another domain due to the same-origin policy.
The following options are valid:
- LOCAL: Data stored in local storage persists even when the user closes the browser or navigates away from the page. It remains available until explicitly cleared by the user or the web application.
- SESSION: Data stored in session storage is only available for the duration of the page session. It gets cleared when the user closes the browser or tab. If a user opens a new tab or window and navigates to the same page, a new session storage instance is created.
-
-
Class org.apereo.cas.configuration.model.core.ticket.registry.TicketRegistryCoreProperties
class TicketRegistryCoreProperties extends Object implements Serializable- serialVersionUID:
- -6927362599655259000L
-
Serialized Fields
-
enableLocking
boolean enableLocking
When set to true, registry operations will begin to support distributed locking for ticket operations. If the registry itself supports distributed locking, such as JDBC or Redis, then the lock implementation will defer to that option. Otherwise the default locking solution will be specific to a CAS server node, until replaced with a lock implementation or different locking option separate from the registry technology itself. -
queueIdentifier
String queueIdentifier
Identifier for this CAS server node that tags the sender/receiver in the queue and avoids processing inbound calls that originated from this same node. If left blank, an identifier is generated automatically and kept in memory.
-
-
Class org.apereo.cas.configuration.model.core.ticket.registry.TicketRegistryProperties
class TicketRegistryProperties extends Object implements Serializable- serialVersionUID:
- -4735458476452635679L
-
Serialized Fields
-
cassandra
CassandraTicketRegistryProperties cassandra
Cassandra registry settings. -
cleaner
ScheduledJobProperties cleaner
Ticket registry cleaner settings. -
core
TicketRegistryCoreProperties core
Ticket registry core settings. -
cosmosDb
CosmosDbTicketRegistryProperties cosmosDb
CosmosDb registry settings. -
dynamoDb
DynamoDbTicketRegistryProperties dynamoDb
DynamoDb registry settings. -
googleCloudFirestore
GoogleCloudFirestoreTicketRegistryProperties googleCloudFirestore
GoogleCloud Firestore registry settings. -
hazelcast
HazelcastTicketRegistryProperties hazelcast
Hazelcast registry settings. -
ignite
IgniteProperties ignite
Apache Ignite registry settings. -
inMemory
InMemoryTicketRegistryProperties inMemory
Settings relevant for the default in-memory ticket registry. -
jpa
JpaTicketRegistryProperties jpa
JPA registry settings. -
memcached
MemcachedTicketRegistryProperties memcached
Deprecated since 6.2. Memcached registry settings. -
mongo
MongoDbTicketRegistryProperties mongo
MongoDb registry settings. -
redis
RedisTicketRegistryProperties redis
Redis registry settings. -
stateless
StatelessTicketRegistryProperties stateless
Settings relevant for the default stateless ticket registry.
-
-
-
Package org.apereo.cas.configuration.model.core.util
-
Class org.apereo.cas.configuration.model.core.util.ClientCertificateProperties
class ClientCertificateProperties extends Object implements Serializable- serialVersionUID:
- -8004292720523993292L
-
Serialized Fields
-
certificate
SpringResourceProperties certificate
The location of the client certificate (PKCS12 format). -
passphrase
String passphrase
The passphrase of the client certificate.
-
-
Class org.apereo.cas.configuration.model.core.util.EncryptionJwtCryptoProperties
class EncryptionJwtCryptoProperties extends Object implements Serializable- serialVersionUID:
- 616825635591169628L
-
Serialized Fields
-
key
String key
The encryption key is a JWT whose length is defined by the encryption key size setting. -
keySize
int keySize
The encryption key size.
-
-
Class org.apereo.cas.configuration.model.core.util.EncryptionJwtSigningJwtCryptographyProperties
class EncryptionJwtSigningJwtCryptographyProperties extends Object implements Serializable- serialVersionUID:
- -3015641631298039059L
-
Serialized Fields
-
alg
String alg
The signing/encryption algorithm to use. -
enabled
boolean enabled
Whether crypto operations are enabled. -
encryption
EncryptionJwtCryptoProperties encryption
Settings that deal with encryption of values. -
signing
SigningJwtCryptoProperties signing
Settings that deal with signing of values. -
strategyType
String strategyType
Control the cipher sequence of operations. The accepted values are:
- ENCRYPT_AND_SIGN: Encrypt the value first, and then sign.
- SIGN_AND_ENCRYPT: Sign the value first, and then encrypt.
-
-
Class org.apereo.cas.configuration.model.core.util.EncryptionOptionalSigningOptionalJwkCryptographyProperties
class EncryptionOptionalSigningOptionalJwkCryptographyProperties extends Object implements Serializable- serialVersionUID:
- 7285404480671258520L
-
Serialized Fields
-
enabled
boolean enabled
Whether crypto operations are enabled. -
encryptionEnabled
boolean encryptionEnabled
Whether crypto encryption operations are enabled. -
signingEnabled
boolean signingEnabled
Whether crypto signing operations are enabled. -
strategyType
String strategyType
Control the cipher sequence of operations. The accepted values are:
- ENCRYPT_AND_SIGN: Encrypt the value first, and then sign.
- SIGN_AND_ENCRYPT: Sign the value first, and then encrypt.
-
-
Class org.apereo.cas.configuration.model.core.util.EncryptionOptionalSigningOptionalJwtCryptographyProperties
class EncryptionOptionalSigningOptionalJwtCryptographyProperties extends EncryptionJwtSigningJwtCryptographyProperties implements Serializable- serialVersionUID:
- 7185404480671258520L
-
Serialized Fields
-
encryptionEnabled
boolean encryptionEnabled
Whether crypto encryption operations are enabled. -
signingEnabled
boolean signingEnabled
Whether crypto signing operations are enabled.
-
-
Class org.apereo.cas.configuration.model.core.util.EncryptionRandomizedCryptoProperties
class EncryptionRandomizedCryptoProperties extends Object implements Serializable- serialVersionUID:
- -6945916782426505112L
-
Serialized Fields
-
key
String key
The encryption key. By default, and unless specified otherwise, the encryption key must be a randomly-generated string whose length is defined by the encryption key size setting. -
keySize
int keySize
Encryption key size.
-
-
Class org.apereo.cas.configuration.model.core.util.EncryptionRandomizedSigningJwtCryptographyProperties
class EncryptionRandomizedSigningJwtCryptographyProperties extends Object implements Serializable- serialVersionUID:
- -6802876221525521736L
-
Serialized Fields
-
alg
String alg
The signing/encryption algorithm to use. -
enabled
boolean enabled
Whether crypto operations are enabled. -
encryption
EncryptionRandomizedCryptoProperties encryption
Settings that deal with encryption of values. -
signing
SigningJwtCryptoProperties signing
Settings that deal with signing of values. -
signingEnabled
boolean signingEnabled
Whether signing operations are enabled.
-
-
Class org.apereo.cas.configuration.model.core.util.SigningJwtCryptoProperties
class SigningJwtCryptoProperties extends Object implements Serializable- serialVersionUID:
- -552544781333015532L
-
Serialized Fields
-
key
String key
The signing key is a JWT whose length is defined by the signing key size setting. -
keySize
int keySize
The signing key size.
-
-
Class org.apereo.cas.configuration.model.core.util.TicketProperties
class TicketProperties extends Object implements Serializable- serialVersionUID:
- 5586947805593202037L
-
Serialized Fields
-
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Properties and settings related to ticket encryption. -
pgt
ProxyGrantingTicketProperties pgt
Properties and settings related to proxy-granting tickets. -
pt
ProxyTicketProperties pt
Properties and settings related to proxy tickets. -
registry
TicketRegistryProperties registry
Properties and settings related to ticket registry. -
st
ServiceTicketProperties st
Properties and settings related to service tickets. -
tgt
TicketGrantingTicketProperties tgt
Properties and settings related to ticket-granting tickets. -
trackDescendantTickets
boolean trackDescendantTickets
Indicates whether tickets issued and linked to a ticket-granting ticket may also be tracked, and then removed as part of logout ops. There are a number of tickets issued by CAS whose expiration policy is usually by default bound to the SSO expiration policy and the active TGT, yet such tickets may be allowed to live beyond the normal lifetime of a CAS SSO session with options to be renewed. Examples include OAuth access tokens, etc. Set this option to true if you want all linked tickets to be tracked and then removed. -
tst
TransientSessionTicketProperties tst
Properties and settings related to session-transient tickets.
-
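The following cas.properties fragment is an added illustration, not configuration shipped with the CAS project, that combines the ticket settings listed above (service, proxy and ticket-granting ticket lifetimes, remember-me scoping, descendant-ticket tracking and ticket crypto) into one hardened baseline. The property keys are assumed to follow from the field names on this page by Spring Boot relaxed binding under the cas.ticket prefix (camelCase becomes kebab-case); the key material values are placeholders. Verify both keys and defaults against the CAS version in use.

```properties
# Added example, not CAS project code. Keys are assumed from the field names
# above via Spring Boot relaxed binding under the "cas.ticket" prefix.

# Ticket crypto (TicketProperties.crypto): encrypt first, then sign, so a
# tampered ciphertext is rejected by the signature check before decryption.
cas.ticket.crypto.enabled=true
cas.ticket.crypto.strategy-type=ENCRYPT_AND_SIGN
# Placeholders: generate real keys out of band and never commit them.
cas.ticket.crypto.signing.key=<signing-key-placeholder>
cas.ticket.crypto.signing.key-size=512
cas.ticket.crypto.encryption.key=<encryption-key-placeholder>
cas.ticket.crypto.encryption.key-size=256

# Service tickets (ServiceTicketProperties): one validation, then gone.
# Weak: a leaked ST stays redeemable for minutes
# cas.ticket.st.time-to-kill-in-seconds=300
cas.ticket.st.number-of-uses=1
cas.ticket.st.time-to-kill-in-seconds=10
cas.ticket.st.max-length=20

# Proxy tickets (ProxyTicketProperties): same single-use, short-lived rule.
cas.ticket.pt.number-of-uses=1
cas.ticket.pt.time-to-kill-in-seconds=10

# Ticket-granting tickets (TicketGrantingTicketProperties).
cas.ticket.tgt.core.max-length=50
cas.ticket.tgt.core.only-track-most-recent-session=true
# Hard ceiling on the SSO session (8 hours) regardless of activity.
cas.ticket.tgt.hard-timeout.time-to-kill-in-seconds=28800

# Remember-me (RememberMeAuthenticationProperties): only honour it for
# clients inside the assumed corporate range, and cap it at 14 days.
cas.ticket.tgt.remember-me.enabled=true
cas.ticket.tgt.remember-me.time-to-kill-in-seconds=1209600
cas.ticket.tgt.remember-me.supported-ip-addresses=^10\\.0\\.\\d+\\.\\d+$

# Logout: tear down tickets linked to the TGT that would otherwise outlive it
# (TicketProperties.trackDescendantTickets).
cas.ticket.track-descendant-tickets=true

# Registry (TicketRegistryCoreProperties): serialize ticket operations across nodes.
cas.ticket.registry.core.enable-locking=true
```

The regular expression for supported-ip-addresses is written with doubled backslashes because the properties loader consumes one level of escaping; the value CAS sees is ^10\.0\.\d+\.\d+$.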
-
-
Package org.apereo.cas.configuration.model.core.web
-
Class org.apereo.cas.configuration.model.core.web.LocaleCookieProperties
class LocaleCookieProperties extends CookieProperties implements Serializable- serialVersionUID:
- 158577966798914031L
-
Class org.apereo.cas.configuration.model.core.web.LocaleProperties
class LocaleProperties extends Object implements Serializable- serialVersionUID:
- -1644471820900213781L
-
Serialized Fields
-
cookie
LocaleCookieProperties cookie
Control the properties of the cookie created to hold language changes. -
defaultValue
String defaultValue
Default locale. -
forceDefaultLocale
boolean forceDefaultLocale
When set to true, locale resolution via request parameters and such is ignored and the locale default value is always enforced. -
paramName
String paramName
Parameter name to use when switching locales.
-
-
Class org.apereo.cas.configuration.model.core.web.MessageBundleProperties
class MessageBundleProperties extends Object implements Serializable- serialVersionUID:
- 3769733438559663237L
-
Serialized Fields
-
baseNames
List<String> baseNames
A list of strings representing base names for this message bundle. Set an array of basenames, each following the basic ResourceBundle convention of not specifying file extension or language codes. The resource location format is up to the specific MessageSource implementation. Regular and XML properties files are supported: e.g. "messages" will find a "messages.properties", "messages_en.properties" etc arrangement as well as "messages.xml", "messages_en.xml" etc. The associated resource bundles will be checked sequentially when resolving a message code. Note that message definitions in a previous resource bundle will override ones in a later bundle, due to the sequential lookup. -
cacheSeconds
String cacheSeconds
Cache duration, in seconds, for loaded message bundle files. -
commonNames
List<String> commonNames
A list of strings representing common names for this message bundle. Specify locale-independent common messages, with the message code as key and the full message String (may contain argument placeholders) as value. Entries in later common-name files override earlier ones (the opposite of the lookup order used for baseNames).
-
encoding
String encoding
Message bundle character encoding. -
fallbackSystemLocale
boolean fallbackSystemLocale
Flag that controls whether to fall back to the default system locale if no locale is specified explicitly. Set whether to fall back to the system Locale if no files for a specific Locale have been found. If this is turned off, the only fallback will be the default file (e.g. "messages.properties" for basename "messages"). Falling back to the system Locale is the default behavior of ResourceBundle. However, this is often not desirable in an application server environment, where the system Locale is not relevant to the application at all: set this flag to false in such a scenario. -
useCodeMessage
boolean useCodeMessage
Flag that controls whether to use the message code as the default message instead of throwing a NoSuchMessageException. Useful for development and debugging. Note: in case of a MessageSourceResolvable with multiple codes (like a FieldError) and a MessageSource that has a parent MessageSource, do not activate "useCodeAsDefaultMessage" in the parent: else, you'll get the first code returned as message by the parent, without attempts to check further codes.
-
-
-
Package org.apereo.cas.configuration.model.core.web.flow
-
Class org.apereo.cas.configuration.model.core.web.flow.GroovyWebflowLoginDecoratorProperties
class GroovyWebflowLoginDecoratorProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 8079027843747126083L
-
Class org.apereo.cas.configuration.model.core.web.flow.GroovyWebflowProperties
class GroovyWebflowProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 8079027843747126083L
-
Serialized Fields
-
actions
Map<String, String> actions
This setting allows one to provide an alternative implementation to Spring Webflow's actions as implemented in Groovy. See CAS documentation on the outline of the script as well as any inputs and outputs expected. This setting is defined as a map, where the key is expected to be the name/identifier of the bean that supplies the Spring Webflow action and the value is a resource path to the Groovy script (i.e. file:/path/to/Script.groovy) that shall be executed when the action is called upon by CAS and the Spring Webflow execution runtime. You will need to examine the CAS codebase to locate the proper bean identifier for the action in question. Note that Groovy scripts entirely supplant the CAS implementation for Spring Webflow actions and must be designed carefully and in compliance with the rest of the webflow orchestration.
-
-
Class org.apereo.cas.configuration.model.core.web.flow.RestfulWebflowLoginDecoratorProperties
class RestfulWebflowLoginDecoratorProperties extends RestEndpointProperties implements Serializable- serialVersionUID:
- -8102345678378393382L
-
Class org.apereo.cas.configuration.model.core.web.flow.WebflowAutoConfigurationProperties
class WebflowAutoConfigurationProperties extends Object implements Serializable- serialVersionUID:
- 2441628331918226505L
-
Serialized Fields
-
enabled
boolean enabled
Whether webflow auto-configuration should be enabled. -
order
int order
The order in which the webflow is configured.
-
-
Class org.apereo.cas.configuration.model.core.web.flow.WebflowLoginDecoratorProperties
class WebflowLoginDecoratorProperties extends Object implements Serializable- serialVersionUID:
- 2949978905279568311L
-
Serialized Fields
-
groovy
GroovyWebflowLoginDecoratorProperties groovy
Path to groovy resource that can decorate the login views and states. -
rest
RestfulWebflowLoginDecoratorProperties rest
Path to REST API resource that can decorate the login views and states.
-
-
Class org.apereo.cas.configuration.model.core.web.flow.WebflowProperties
class WebflowProperties extends Object implements Serializable- serialVersionUID:
- 4949978905279568311L
-
Serialized Fields
-
autoConfiguration
WebflowAutoConfigurationProperties autoConfiguration
Webflow auto configuration settings. -
crypto
EncryptionRandomizedSigningJwtCryptographyProperties crypto
Encryption/signing setting for webflow. -
groovy
GroovyWebflowProperties groovy
Path to groovy resource that may auto-configure the webflow context dynamically creating/removing states and actions. -
loginDecorator
WebflowLoginDecoratorProperties loginDecorator
Configuration settings relevant for login flow and view decoration. -
session
WebflowSessionManagementProperties session
Webflow session management settings.
-
-
Class org.apereo.cas.configuration.model.core.web.flow.WebflowServerSessionsProperties
class WebflowServerSessionsProperties extends Object implements Serializable- serialVersionUID:
- 6479028707118198914L
-
Serialized Fields
-
compress
boolean compress
Whether or not the snapshots should be compressed. Only relevant if session storage is done on the server. -
hazelcast
BaseHazelcastProperties hazelcast
If sessions are to be replicated via Hazelcast, controls and defines how state should be replicated. Only relevant if session storage is done on the server. -
lockTimeout
String lockTimeout
Sets the time period that can elapse before a timeout occurs on an attempt to acquire a conversation lock. The default is 30 seconds. Only relevant if session storage is done on the server. -
maxConversations
int maxConversations
Using the maxConversations property, you can limit the number of concurrently active conversations allowed in a single session. If the maximum is exceeded, the conversation manager will automatically end the oldest conversation. The default is 5, which should be fine for most situations. Set it to -1 for no limit. Setting maxConversations to 1 allows easy resource cleanup in situations where there should only be one active conversation per session. Only relevant if session storage is done on the server.
-
-
Class org.apereo.cas.configuration.model.core.web.flow.WebflowSessionManagementProperties
class WebflowSessionManagementProperties extends Object implements Serializable- serialVersionUID:
- 7479028707118198914L
-
Serialized Fields
-
server
WebflowServerSessionsProperties server
Control server-side session storage. -
storage
boolean storage
Controls whether Spring Webflow sessions are to be stored server-side or client-side. By default, state is managed on the client side and is signed and encrypted.
-
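An added cas.properties fragment, not taken from the CAS project, for the webflow session and crypto settings described above. With client-side storage the serialized flow state travels with the browser, so it is signed and encrypted, and every node in a CAS cluster must be configured with the same keys or a flow started on one node cannot be resumed on another. The keys are assumed to follow from the field names on this page under the cas.webflow prefix; the key-size values and key material are placeholders to verify and replace.

```properties
# Added example, not CAS project code. Keys are assumed from the field names
# above via Spring Boot relaxed binding under the "cas.webflow" prefix.

# Client-side state (the default): pin the keys so all nodes share them.
cas.webflow.session.storage=false
cas.webflow.crypto.enabled=true
cas.webflow.crypto.signing-enabled=true
# Placeholders: generate real values out of band and never commit them.
cas.webflow.crypto.signing.key=<signing-key-placeholder>
cas.webflow.crypto.signing.key-size=512
cas.webflow.crypto.encryption.key=<random-string-placeholder>
cas.webflow.crypto.encryption.key-size=16

# Server-side alternative: state never leaves the server; cap conversations
# per session so abandoned flows are cleaned up promptly.
# cas.webflow.session.storage=true
# cas.webflow.session.server.max-conversations=1
# cas.webflow.session.server.compress=true
```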
-
-
Package org.apereo.cas.configuration.model.core.web.security
-
Class org.apereo.cas.configuration.model.core.web.security.HttpCorsRequestProperties
class HttpCorsRequestProperties extends Object implements Serializable- serialVersionUID:
- 5938828345939769185L
-
Serialized Fields
-
allowCredentials
boolean allowCredentials
The Access-Control-Allow-Credentials header indicates whether or not the response to the request can be exposed when the credentials flag is true. When used as part of a response to a preflight request, this indicates whether or not the actual request can be made using credentials. Note that simple GET requests are not preflighted, and so if a request is made for a resource with credentials, if this header is not returned with the resource, the response is ignored by the browser and not returned to web content. -
allowHeaders
List<String> allowHeaders
The Access-Control-Allow-Headers header is used in response to a preflight request to indicate which HTTP headers can be used when making the actual request. Default is everything. -
allowMethods
List<String> allowMethods
The Access-Control-Allow-Methods header specifies the method or methods allowed when accessing the resource. This is used in response to a pre-flight request. Default is everything. -
allowOriginPatterns
List<String> allowOriginPatterns
Comma-separated list of origin patterns to allow. Unlike allowed origins, which only support *, origin patterns are more flexible (for example https://*.example.com) and can be used when credentials are allowed. When no allowed origin patterns or allowed origins are set, CORS support is disabled. -
allowOrigins
List<String> allowOrigins
The Origin header indicates the origin of the cross-site access request or preflight request. The origin is a URI indicating the server from which the request initiated. When credentials are allowed, '*' cannot be used and origin patterns should be configured instead. It does not include any path information, but only the server name. -
enabled
boolean enabled
Whether CORS should be enabled for http requests. -
exposedHeaders
List<String> exposedHeaders
The Access-Control-Expose-Headers header lists the response headers that browsers are allowed to expose to web content. -
maxAge
long maxAge
The Access-Control-Max-Age header indicates how long the results of a preflight request can be cached.
-
-
Class org.apereo.cas.configuration.model.core.web.security.HttpHeadersRequestProperties
class HttpHeadersRequestProperties extends Object implements Serializable- serialVersionUID:
- 5993704062519851359L
-
Serialized Fields
-
cache
boolean cache
When true, will inject the following headers into the response for non-static resources:
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0 -
cacheControlStaticResources
String cacheControlStaticResources
Files with these extensions are considered static, so they will be cached by browsers. The value is part of a RegEx. -
contentSecurityPolicy
String contentSecurityPolicy
Helps you reduce XSS risks on modern browsers by declaring, via an HTTP header, what dynamic resources are allowed to load. The header value is made up of one or more directives; multiple directives are separated with a semicolon. -
enabled
boolean enabled
Allow CAS to inject and enforce http security headers via an http filter that are outlined here for caching, HSTS, etc. -
hsts
boolean hsts
When true, will inject the following header into the response: Strict-Transport-Security: ... -
hstsOptions
String hstsOptions
Control the value of the Strict-Transport-Security header. -
xcontent
boolean xcontent
When true, will inject the following header into the response: X-Content-Type-Options: nosniff. -
xframe
boolean xframe
When true, will inject the following header into the response: X-Frame-Options: DENY. -
xframeOptions
String xframeOptions
Controls the value injected into the X-Frame-Options response header. -
xss
boolean xss
When true, will inject the following header into the response: X-XSS-Protection: 1; mode=block. -
xssOptions
String xssOptions
Controls the value injected into the X-XSS-Protection response header.
-
-
Class org.apereo.cas.configuration.model.core.web.security.HttpRequestProperties
class HttpRequestProperties extends Object implements Serializable- serialVersionUID:
- -5175966163542099866L
-
Serialized Fields
-
allowMultiValueParameters
boolean allowMultiValueParameters
Whether CAS should accept multi-valued parameters in incoming requests. Disabling this, for example, prevents requests where more than one service parameter is specified. -
charactersToForbid
String charactersToForbid
Characters to block in incoming requests. none is a special value. Separate characters by a space. -
cors
HttpCorsRequestProperties cors
Control CORS settings for requests. -
customHeaders
Map<String, String> customHeaders
Custom response headers to inject into the response as needed. -
header
HttpHeadersRequestProperties header
Enforce request header options and security settings. -
onlyPostParams
String onlyPostParams
Parameters that are only allowed and accepted during posts. -
paramsToCheck
String paramsToCheck
Parameters to sanitize and cross-check in incoming requests. Separate parameter names by a comma. The special value * instructs the Filter to check all parameters. -
patternToBlock
String patternToBlock
Specify a regular expression that would be checked against the request URL. If a successful match is found, the request would be blocked. -
web
HttpWebRequestProperties web
Control http request settings.
-
-
Class org.apereo.cas.configuration.model.core.web.security.HttpWebRequestProperties
class HttpWebRequestProperties extends Object implements Serializable- serialVersionUID:
- -4711604991237695091L
-
Serialized Fields
-
encoding
String encoding
Control and specify the encoding for all http requests. -
forceEncoding
boolean forceEncoding
Whether the specified encoding should be forced for every request, overriding any existing request and response encodings.
-
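An added cas.properties fragment, not taken from the CAS project, that applies the request-filter, response-header and CORS settings described in HttpRequestProperties, HttpHeadersRequestProperties and HttpCorsRequestProperties above, including the CORS case the text calls out: a wildcard allowed origin cannot be combined with credentials, and origin patterns are the supported alternative. The property keys are assumed to follow from the field names on this page under the cas.http-web-request prefix; the parameter list, the blocked URL pattern and the origin pattern are illustrative values to adapt.

```properties
# Added example, not CAS project code. Keys are assumed from the field names
# above via Spring Boot relaxed binding under the "cas.http-web-request" prefix.

# --- Incoming request filter (HttpRequestProperties) ---
# Reject requests that repeat a parameter, e.g. two "service" values.
cas.http-web-request.allow-multi-value-parameters=false
# Parameters to sanitize and cross-check (illustrative subset; * checks all).
cas.http-web-request.params-to-check=ticket,service,renew,gateway,warn,method,target,pgtUrl,username
cas.http-web-request.characters-to-forbid=none
# Credentials are accepted only in POST bodies, never in query strings.
cas.http-web-request.only-post-params=username,password
# Illustrative: block any request URL that reaches into the actuator namespace.
cas.http-web-request.pattern-to-block=.*/actuator/.*
cas.http-web-request.web.encoding=UTF-8
cas.http-web-request.web.force-encoding=true

# --- Response security headers (HttpHeadersRequestProperties) ---
cas.http-web-request.header.enabled=true
cas.http-web-request.header.cache=true
cas.http-web-request.header.hsts=true
cas.http-web-request.header.hsts-options=max-age=31536000; includeSubDomains
cas.http-web-request.header.xcontent=true
cas.http-web-request.header.xframe=true
cas.http-web-request.header.xframe-options=DENY
# X-XSS-Protection is no longer honoured by current browsers; the
# Content-Security-Policy below is the control that actually matters.
cas.http-web-request.header.xss=false
cas.http-web-request.header.content-security-policy=default-src 'self'; frame-ancestors 'none'; object-src 'none'

# --- CORS (HttpCorsRequestProperties) ---
cas.http-web-request.cors.enabled=true
cas.http-web-request.cors.allow-credentials=true
# Weak: a wildcard origin is not permitted together with credentials.
# cas.http-web-request.cors.allow-origins=*
# Corrected: origin patterns are permitted with credentials and stay scoped.
cas.http-web-request.cors.allow-origin-patterns=https://*.example.com
cas.http-web-request.cors.allow-methods=GET,POST
cas.http-web-request.cors.allow-headers=Content-Type,Authorization
cas.http-web-request.cors.max-age=3600
```

With header.enabled=false the remaining header.* settings have no effect, so check the deployed response headers (for example with curl -I against the login URL) after changing them rather than trusting the file alone.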
-
-
Package org.apereo.cas.configuration.model.core.web.tomcat
-
Class org.apereo.cas.configuration.model.core.web.tomcat.CasEmbeddedApacheSslHostConfigCertificateProperties
class CasEmbeddedApacheSslHostConfigCertificateProperties extends Object implements Serializable- serialVersionUID:
- -5412170529081298822L
-
Serialized Fields
-
certificateChainFile
String certificateChainFile
Name of the file that contains the certificate chain associated with the server certificate used. The format is PEM-encoded. The certificate chain used for Tomcat should not include the server certificate as its first element. Note that when using more than one certificate for different types, they all must use the same certificate chain. -
certificateFile
String certificateFile
Name of the file that contains the server certificate. The format is PEM-encoded. In addition to the certificate, the file can also contain as optional elements DH parameters and/or an EC curve name for ephemeral keys, as generated by openssl dhparam and openssl ecparam, respectively. The output of the respective OpenSSL command can be concatenated to the certificate file. -
certificateKeyFile
String certificateKeyFile
Name of the file that contains the server private key. The format is PEM-encoded. The default value is the value of certificateFile and in this case both certificate and private key have to be in this file (NOT RECOMMENDED). -
certificateKeyPassword
String certificateKeyPassword
The password used to access the private key associated with the server certificate from the specified file. -
type
String type
The type of certificate. This is used to identify the ciphers that are compatible with the certificate. It must be one of UNDEFINED, RSA, DSS or EC. If only one Certificate is nested within a SSLHostConfig then this attribute is not required and will default to UNDEFINED. If multiple Certificates are nested within a SSLHostConfig then this attribute is required and each Certificate must have a unique type.
-
-
Class org.apereo.cas.configuration.model.core.web.tomcat.CasEmbeddedApacheSslHostConfigProperties
class CasEmbeddedApacheSslHostConfigProperties extends Object implements Serializable- serialVersionUID:
- -32143821503580896L
-
Serialized Fields
-
caCertificateFile
String caCertificateFile
Name of the file that contains the concatenated certificates for the trusted certificate authorities. The format is PEM-encoded. -
certificates
List<CasEmbeddedApacheSslHostConfigCertificateProperties> certificates
List of certificates managed by the ssl host config. -
certificateVerification
String certificateVerification
Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication. -
certificateVerificationDepth
int certificateVerificationDepth
The maximum number of intermediate certificates that will be allowed when validating client certificates. If not specified, the default value of 10 will be used. -
enabled
boolean enabled
Enable this host config. -
hostName
String hostName
The name of the SSL Host. This should either be the fully qualified domain name (e.g. tomcat.apache.org) or a wild card domain name (e.g. *.apache.org). If not specified, the default value of _default_ will be used. -
insecureRenegotiation
boolean insecureRenegotiation
OpenSSL only. Configures if insecure renegotiation is allowed. The default is false. If the OpenSSL version used does not support configuring if insecure renegotiation is allowed then the default for that OpenSSL version will be used. -
protocols
String protocols
The names of the protocols to support when communicating with clients. This should be a list of any combination of the following:
- SSLv2Hello
- SSLv3
- TLSv1
- TLSv1.1
- TLSv1.2
- TLSv1.3
- all
The token all is an alias for SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3.
Note that TLSv1.3 is only supported for JSSE when using a JVM that implements TLSv1.3.
Note that SSLv2Hello will be ignored for OpenSSL based secure connectors. If more than one protocol is specified for an OpenSSL based secure connector it will always support SSLv2Hello. If a single protocol is specified it will not support SSLv2Hello.
Note that SSLv2 and SSLv3 are inherently unsafe.
If not specified, the default value of all will be used.
-
revocationEnabled
boolean revocationEnabled
Should the JSSE provider enable certificate revocation checks? This attribute is intended to enable revocation checks that have been configured for the current JSSE provider via other means. If not specified, a default of false is used. -
sslProtocol
String sslProtocol
The SSL protocol(s) to use (a single value may enable multiple protocols - see the JVM documentation for details). If not specified, the default is TLS. The permitted values may be obtained from the JVM documentation for the allowed values for algorithm when creating an SSLContext instance.
-
-
Class org.apereo.cas.configuration.model.core.web.tomcat.CasEmbeddedApacheTomcatAjpProperties
class CasEmbeddedApacheTomcatAjpProperties extends Object implements Serializable- serialVersionUID:
- -32143821503580896L
-
Serialized Fields
-
allowTrace
boolean allowTrace
A boolean value which can be used to enable or disable the TRACE HTTP method. If not specified, this attribute is set to false. -
asyncTimeout
String asyncTimeout
The default timeout for asynchronous requests in milliseconds. If not specified, this attribute is set to 10000 (10 seconds). -
attributes
Map<String,String> attributes
Additional attributes to be set on the AJP connector in form of key-value pairs. Examples include:
- tomcatAuthentication: If set to true, the authentication will be done in Tomcat. Otherwise, the authenticated principal will be propagated from the native webserver and used for authorization in Tomcat. Note that this principal will have no roles associated with it. The default value is true.
- maxThreads: The maximum number of request processing threads to be created by this Connector, which therefore determines the maximum number of simultaneous requests that can be handled. If not specified, this attribute is set to 200. If an executor is associated with this connector, this attribute is ignored as the connector will execute tasks using the executor rather than an internal thread pool.
- keepAliveTimeout: The number of milliseconds this Connector will wait for another AJP request before closing the connection. The default value is to use the value that has been set for the connectionTimeout attribute.
- maxCookieCount: The maximum number of cookies that are permitted for a request. A value of less than zero means no limit. If not specified, a default value of 200 will be used.
- bufferSize: The size of the output buffer to use. If less than or equal to zero, then output buffering is disabled. The default value is -1 (i.e. buffering disabled).
- clientCertProvider: When client certificate information is presented in a form other than instances of java.security.cert.X509Certificate it needs to be converted before it can be used and this property controls which JSSE provider is used to perform the conversion. For example it is used with the AJP connectors, the HTTP APR connector and with the org.apache.catalina.valves.SSLValve. If not specified, the default provider will be used.
- connectionTimeout: The number of milliseconds this Connector will wait, after accepting a connection, for the request URI line to be presented. The default value is infinite (i.e. no timeout).
- address: For servers with more than one IP address, this attribute specifies which address will be used for listening on the specified port. By default, this port will be used on all IP addresses associated with the server. A value of 127.0.0.1 indicates that the Connector will only listen on the loopback interface.
See the Apache Tomcat documentation for a full list.
-
enabled
boolean enabled
Enable AJP support in CAS for the embedded Apache Tomcat container. -
enableLookups
boolean enableLookups
Set to true if you want calls to request.getRemoteHost() to perform DNS lookups in order to return the actual host name of the remote client. Set to false to skip the DNS lookup and return the IP address in String form instead (thereby improving performance). By default, DNS lookups are disabled. -
maxPostSize
int maxPostSize
The maximum size in bytes of the POST which will be handled by the container FORM URL parameter parsing. The feature can be disabled by setting this attribute to a value less than or equal to 0. If not specified, this attribute is set to 2097152 (2 megabytes). -
port
int port
The TCP port number on which this Connector will create a server socket and await incoming connections. Your operating system will allow only one server application to listen to a particular port number on a particular IP address. If the special value of 0 (zero) is used, then Tomcat will select a free port at random to use for this connector. This is typically only useful in embedded and testing applications. -
protocol
String protocol
Sets the protocol to handle incoming traffic. -
proxyPort
int proxyPort
If this Connector is being used in a proxy configuration, configure this attribute to specify the server port to be returned for calls to request.getServerPort(). -
redirectPort
int redirectPort
If this Connector is supporting non-SSL requests, and a request is received for which a matching security-constraint requires SSL transport, Catalina will automatically redirect the request to the port number specified here. -
scheme
String scheme
Set this attribute to the name of the protocol you wish to have returned by calls to request.getScheme(). For example, you would set this attribute to https for an SSL Connector. -
secret
String secret
Set the secret that must be included with every request. -
secure
boolean secure
Set this attribute to true if you wish to have calls to request.isSecure() to return true for requests received by this Connector (you would want this on an SSL Connector). The default value is false.
-
-
Class org.apereo.cas.configuration.model.core.web.tomcat.CasEmbeddedApacheTomcatBasicAuthenticationProperties
class CasEmbeddedApacheTomcatBasicAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 1164446071136700282L
-
Serialized Fields
-
authRoles
List<String> authRoles
Add an authorization role, which is a role name that will be permitted access to the resources protected by this security constraint. -
enabled
boolean enabled
Enable Basic authentication for Tomcat. -
patterns
List<String> patterns
Add a URL pattern to be part of this web resource collection. -
securityRoles
List<String> securityRoles
Security roles for the CAS application.
-
-
Class org.apereo.cas.configuration.model.core.web.tomcat.CasEmbeddedApacheTomcatClusteringProperties
class CasEmbeddedApacheTomcatClusteringProperties extends Object implements Serializable- serialVersionUID:
- 620356002948464740L
-
Serialized Fields
-
channelSendOptions
int channelSendOptions
This option is used to set the flag that all messages sent through the SimpleTcpCluster uses. The flag decides how the messages are sent, and is a simple logical OR.
- 2: SEND_OPTIONS_SYNCHRONIZED_ACK
- 4: SEND_OPTIONS_USE_ACK
- 8: SEND_OPTIONS_ASYNCHRONOUS
-
cloudMembershipProvider
String cloudMembershipProvider
Cloud membership provider, values are case sensitive and only used with clusteringType CLOUD. The different providers rely on environment variables to discover other members of cluster via DNS lookups of the service name or querying kubernetes API. See code or Tomcat documentation for the environment variables that are used.
- kubernetes will use org.apache.catalina.tribes.KubernetesMembershipProvider
- dns will use org.apache.catalina.tribes.DNSMembershipProvider
- Class implementing org.apache.catalina.tribes.MembershipProvider
-
clusteringType
String clusteringType
Accepted values are: DEFAULT, CLOUD. Type of clustering to use, set to CLOUD if using CloudMembershipService. -
clusterMembers
String clusterMembers
Statically register members in the cluster. The syntax is: address:port:index
-
enabled
boolean enabled
Enable tomcat session clustering. -
expireSessionsOnShutdown
boolean expireSessionsOnShutdown
When a web application is being shutdown, Tomcat issues an expire call to each session to notify all the listeners. If you wish for all sessions to expire on all nodes when a shutdown occurs on one node, set this value to true. Default value is false. -
managerType
String managerType
Accepted values are: DELTA, BACKUP. Enable all-to-all session replication using the DeltaManager to replicate session deltas. By all-to-all we mean that the session gets replicated to all the other nodes in the cluster. This works great for smaller clusters but we don't recommend it for larger clusters (a lot of Tomcat nodes). Also when using the delta manager it will replicate to all nodes, even nodes that don't have the application deployed. To get around this problem, you'll want to use the BackupManager. This manager only replicates the session data to one backup node, and only to nodes that have the application deployed. Downside of the BackupManager: not quite as battle tested as the delta manager. -
membershipAddress
String membershipAddress
Multicast address for membership. The multicast address that the membership will broadcast its presence and listen for other heartbeats on. The default value is 228.0.0.4. Make sure your network is enabled for multicast traffic. The multicast address, in conjunction with the port, is what creates a cluster group. To divide up your farm into several different groups, or to split up QA from production, change the port or the address. -
membershipDropTime
int membershipDropTime
The membership component will time out members and notify the Channel if a member fails to send a heartbeat within a given time. The default value is 3000 ms. This means that if a heartbeat is not received from a member in that timeframe, the membership component will notify the cluster of this. On a high latency network you may wish to increase this value, to protect against false positives. Apache Tribes also provides a TcpFailureDetector that will verify a timeout using a TCP connection when a heartbeat timeout has occurred. This protects against false positives. -
membershipFrequency
int membershipFrequency
The frequency in milliseconds in which heartbeats are sent out. The default value is 500 ms. In most cases the default value is sufficient. Changing this value, changes the interval in between heartbeats. -
membershipLocalLoopbackDisabled
boolean membershipLocalLoopbackDisabled
Membership uses multicast; it will call java.net.MulticastSocket.setLoopbackMode(localLoopbackDisabled). When localLoopbackDisabled==true multicast messages will not reach other nodes on the same local machine. The default is false. -
membershipPort
int membershipPort
Multicast port (the port and the address together determine cluster membership). The default value is 45564. The multicast port, in conjunction with the address, is what creates a cluster group. To divide up your farm into several different groups, or to split up QA from production, change the port or the address. -
membershipRecoveryCounter
int membershipRecoveryCounter
Membership uses multicast; it will call java.net.MulticastSocket.setLoopbackMode(localLoopbackDisabled). When localLoopbackDisabled==true multicast messages will not reach other nodes on the same local machine. The default is false. -
membershipRecoveryEnabled
boolean membershipRecoveryEnabled
In case of a network failure, Java multicast sockets don't transparently fail over; instead the socket will continuously throw IOException upon each receive request. When recovery-enabled is set to true, this will close the multicast socket and open a new socket with the same properties as defined above. The default is true. -
receiverAddress
String receiverAddress
The address (network interface) to listen for incoming traffic. -
receiverAutoBind
int receiverAutoBind
Default value is 100. Use this value if you wish to automatically avoid port conflicts: the cluster receiver will try to open a server socket on the port attribute port, and then work up autoBind number of times. -
receiverMaxThreads
int receiverMaxThreads
Maximum threads configured for the listener. The maximum number of threads in the receiver thread pool. The default value is 6. Adjust this value relative to the number of nodes in the cluster, the number of messages being exchanged and the hardware you are running on. A higher value doesn't mean more efficiency; tune this value according to your own test results. -
receiverPort
int receiverPort
The listen port for incoming data. The default value is 4000. To avoid port conflicts the receiver will automatically bind to a free port. So for example, if port is 4000, and autoBind is set to 10, then the receiver will open up a server socket on the first available port in the range 4000-4009. -
receiverTimeout
int receiverTimeout
Listener timeout. The value in milliseconds for the polling timeout in the NioReceiver. On older versions of the JDK there have been bugs, which should all now be cleared out, where the selector never woke up. The default value is a very high 5000 milliseconds.
-
-
Class org.apereo.cas.configuration.model.core.web.tomcat.CasEmbeddedApacheTomcatCsrfProperties
class CasEmbeddedApacheTomcatCsrfProperties extends Object implements Serializable- serialVersionUID:
- -32143821503580896L
-
Serialized Fields
-
enabled
boolean enabled
Enable filter.
-
-
Class org.apereo.cas.configuration.model.core.web.tomcat.CasEmbeddedApacheTomcatExtendedAccessLogProperties
class CasEmbeddedApacheTomcatExtendedAccessLogProperties extends Object implements Serializable- serialVersionUID:
- 6738161402499196038L
-
Serialized Fields
-
directory
String directory
Directory name for extended log. -
enabled
boolean enabled
Flag to indicate whether extended log facility is enabled. -
pattern
String pattern
String representing extended log pattern. -
prefix
String prefix
File name prefix for extended log. -
suffix
String suffix
File name suffix for extended log.
-
-
Class org.apereo.cas.configuration.model.core.web.tomcat.CasEmbeddedApacheTomcatHttpProperties
class CasEmbeddedApacheTomcatHttpProperties extends Object implements Serializable- serialVersionUID:
- -8809922027350085888L
-
Serialized Fields
-
attributes
Map<String,String> attributes
Additional attributes to be set on the connector. -
enabled
boolean enabled
Enable a separate port for the embedded container for HTTP access. -
port
int port
The HTTP port to use. -
protocol
String protocol
HTTP protocol to use. -
redirectPort
int redirectPort
If this Connector is supporting non-SSL requests, this will automatically redirect the request to the port number specified here. Matching security constraints that require SSL transport will be auto-defined. -
scheme
String scheme
Scheme used for the connector. -
secure
boolean secure
Whether connector should run in secure mode.
-
-
Class org.apereo.cas.configuration.model.core.web.tomcat.CasEmbeddedApacheTomcatHttpProxyProperties
class CasEmbeddedApacheTomcatHttpProxyProperties extends Object implements Serializable- serialVersionUID:
- 9129851352067677264L
-
Serialized Fields
-
attributes
Map<String,String> attributes
Custom attributes to set on the proxy connector. -
enabled
boolean enabled
Enable the container running in proxy mode. -
protocol
String protocol
Proxy protocol to use. -
proxyPort
int proxyPort
Proxy port for the proxy. -
redirectPort
int redirectPort
Redirect port for the proxy. -
scheme
String scheme
Scheme used for the proxy. -
secret
String secret
Set the secret that must be included with every request. -
secure
boolean secure
Whether proxy should run in secure mode.
-
-
Class org.apereo.cas.configuration.model.core.web.tomcat.CasEmbeddedApacheTomcatProperties
class CasEmbeddedApacheTomcatProperties extends Object implements Serializable- serialVersionUID:
- -99143821503580896L
-
Serialized Fields
-
ajp
CasEmbeddedApacheTomcatAjpProperties ajp
Embedded container AJP settings. -
basicAuthn
CasEmbeddedApacheTomcatBasicAuthenticationProperties basicAuthn
Enable basic authentication for the embedded tomcat. -
clustering
CasEmbeddedApacheTomcatClusteringProperties clustering
Embedded container tomcat clustering options. -
csrf
CasEmbeddedApacheTomcatCsrfProperties csrf
Enable Tomcat's CSRF filter. -
extAccessLog
CasEmbeddedApacheTomcatExtendedAccessLogProperties extAccessLog
Configuration properties for access logging beyond defaults. -
http
List<CasEmbeddedApacheTomcatHttpProperties> http
Embedded container HTTP port settings as an additional option. -
httpProxy
CasEmbeddedApacheTomcatHttpProxyProperties httpProxy
Http proxy configuration properties. In the event that you decide to run CAS without any SSL configuration in the embedded Tomcat container and on a non-secure port yet wish to customize the connector configuration that is linked to the running port (i.e. 8080), this setting may apply. -
remoteAddr
CasEmbeddedApacheTomcatRemoteAddressProperties remoteAddr
Enable Tomcat's RemoteAddress filter. -
remoteUserValve
CasEmbeddedApacheTomcatRemoteUserValveProperties remoteUserValve
Embedded container's remote-user valve setting. -
rewriteValve
CasEmbeddedApacheTomcatRewriteValveProperties rewriteValve
Embedded container's rewrite valve setting. -
serverName
String serverName
Controls the server attribute of the tomcat connector. -
socket
CasEmbeddedApacheTomcatSocketProperties socket
Embedded container socket settings. The NIO and NIO2 implementation support the Java TCP socket attributes in addition to the common Connector and HTTP attributes. -
sslValve
CasEmbeddedApacheTomcatSslValveProperties sslValve
Embedded container's SSL valve setting.
-
-
Class org.apereo.cas.configuration.model.core.web.tomcat.CasEmbeddedApacheTomcatRemoteAddressProperties
class CasEmbeddedApacheTomcatRemoteAddressProperties extends Object implements Serializable- serialVersionUID:
- -32143821503580896L
-
Serialized Fields
-
allowedClientIpAddressRegex
String allowedClientIpAddressRegex
A regular expression (using java.util.regex) that the remote client's IP address is compared to. If this attribute is specified, the remote address MUST match for this request to be accepted. If this attribute is not specified, all requests will be accepted UNLESS the remote address matches a deny pattern. -
deniedClientIpAddressRegex
String deniedClientIpAddressRegex
A regular expression (using java.util.regex) that the remote client's IP address is compared to. If this attribute is specified, the remote address MUST NOT match for this request to be accepted. If this attribute is not specified, request acceptance is governed solely by the accept attribute. -
enabled
boolean enabled
Enable filter.
-
-
Class org.apereo.cas.configuration.model.core.web.tomcat.CasEmbeddedApacheTomcatRemoteUserValveProperties
class CasEmbeddedApacheTomcatRemoteUserValveProperties extends Object implements Serializable- serialVersionUID:
- -32143821503580896L
-
Serialized Fields
-
allowedIpAddressRegex
String allowedIpAddressRegex
A regular expression (using java.util.regex) that the remote client's IP address is compared to. If this attribute is specified, the remote address MUST match for this request to be accepted. If this attribute is not specified, all requests will be accepted. -
remoteUserHeader
String remoteUserHeader
The name of the remote-user header that should be passed onto the http servlet request. Leaving this setting as blank or undefined will deactivate the valve altogether. The header is typically passed down to tomcat via proxies, load balancers, etc.
-
-
Class org.apereo.cas.configuration.model.core.web.tomcat.CasEmbeddedApacheTomcatRewriteValveProperties
class CasEmbeddedApacheTomcatRewriteValveProperties extends Object implements Serializable- serialVersionUID:
- 9030094143985594411L
-
Class org.apereo.cas.configuration.model.core.web.tomcat.CasEmbeddedApacheTomcatSocketProperties
class CasEmbeddedApacheTomcatSocketProperties extends Object implements Serializable- serialVersionUID:
- 3280755966422957481L
-
Serialized Fields
-
appReadBufSize
int appReadBufSize
Each connection that is opened up in Tomcat gets associated with a read ByteBuffer. This attribute controls the size of this buffer. By default this read buffer is sized at 8192 bytes. For lower concurrency, you can increase this to buffer more data. For an extreme amount of keep alive connections, decrease this number or increase your heap size. -
appWriteBufSize
int appWriteBufSize
Each connection that is opened up in Tomcat gets associated with a write ByteBuffer. This attribute controls the size of this buffer. By default this write buffer is sized at 8192 bytes. For low concurrency you can increase this to buffer more response data. For an extreme amount of keep alive connections, decrease this number or increase your heap size. The default value here is pretty low; you should increase it if you are not dealing with tens of thousands of concurrent connections. -
bufferPool
int bufferPool
The NIO connector uses a class called NioChannel that holds elements linked to a socket. To reduce garbage collection, the NIO connector caches these channel objects. This value specifies the size of this cache. The default value is 500, and represents that the cache will hold 500 NioChannel objects. Other values are -1 for unlimited cache and 0 for no cache. -
performanceBandwidth
int performanceBandwidth
An int expressing the relative importance of high bandwidth. Performance preferences are described by three integers whose values indicate the relative importance of short connection time, low latency, and high bandwidth. The absolute values of the integers are irrelevant; in order to choose a protocol the values are compared, with larger values indicating stronger preferences. Negative values disable the setting. If the application prefers short connection time over both low latency and high bandwidth, for example, then it could invoke this method with the values (1, 0, 0). If the application prefers high bandwidth above low latency, and low latency above short connection time, then it could invoke this method with the values (0, 1, 2). -
performanceConnectionTime
int performanceConnectionTime
An int expressing the relative importance of a short connection time. Performance preferences are described by three integers whose values indicate the relative importance of short connection time, low latency, and high bandwidth. The absolute values of the integers are irrelevant; in order to choose a protocol the values are compared, with larger values indicating stronger preferences. Negative values disable the setting. If the application prefers short connection time over both low latency and high bandwidth, for example, then it could invoke this method with the values (1, 0, 0). If the application prefers high bandwidth above low latency, and low latency above short connection time, then it could invoke this method with the values (0, 1, 2). -
performanceLatency
int performanceLatency
An int expressing the relative importance of low latency. Performance preferences are described by three integers whose values indicate the relative importance of short connection time, low latency, and high bandwidth. The absolute values of the integers are irrelevant; in order to choose a protocol the values are compared, with larger values indicating stronger preferences. Negative values disable the setting. If the application prefers short connection time over both low latency and high bandwidth, for example, then it could invoke this method with the values (1, 0, 0). If the application prefers high bandwidth above low latency, and low latency above short connection time, then it could invoke this method with the values (0, 1, 2).
-
-
Class org.apereo.cas.configuration.model.core.web.tomcat.CasEmbeddedApacheTomcatSslValveProperties
class CasEmbeddedApacheTomcatSslValveProperties extends Object implements Serializable- serialVersionUID:
- 3164446071136700242L
-
Serialized Fields
-
enabled
boolean enabled
Enable the SSL valve for apache tomcat. -
sslCipherHeader
String sslCipherHeader
Allows setting a custom name for the ssl_cipher header. If not specified, the default of ssl_cipher is used. -
sslCipherUserKeySizeHeader
String sslCipherUserKeySizeHeader
Allows setting a custom name for the ssl_cipher_usekeysize header. If not specified, the default of ssl_cipher_usekeysize is used. -
sslClientCertHeader
String sslClientCertHeader
Allows setting a custom name for the ssl_client_cert header. If not specified, the default of ssl_client_cert is used. -
sslSessionIdHeader
String sslSessionIdHeader
Allows setting a custom name for the ssl_session_id header. If not specified, the default of ssl_session_id is used.
-
-
-
Package org.apereo.cas.configuration.model.core.web.view
-
Class org.apereo.cas.configuration.model.core.web.view.Cas10ViewProperties
class Cas10ViewProperties extends Object implements Serializable- serialVersionUID:
- -1154879759474698223L
-
Serialized Fields
-
attributeRendererType
Cas10ViewProperties.ValidationAttributesRendererTypes attributeRendererType
Indicates how attributes in the final validation response should be formatted.
-
-
Class org.apereo.cas.configuration.model.core.web.view.Cas20ProxyViewProperties
class Cas20ProxyViewProperties extends Object implements Serializable- serialVersionUID:
- 6765987342872282599L
-
Class org.apereo.cas.configuration.model.core.web.view.Cas20ViewProperties
class Cas20ViewProperties extends Object implements Serializable- serialVersionUID:
- -7954879759474698003L
-
Serialized Fields
-
failure
String failure
The relative location of the CAS3 failure view bean. -
proxy
Cas20ProxyViewProperties proxy
Proxy views and settings. -
success
String success
The relative location of the CAS2 success view bean. -
v3ForwardCompatible
boolean v3ForwardCompatible
Whether v2 protocol support should be forward compatible to act like v3 and match its response, mainly for attribute release.
-
-
Class org.apereo.cas.configuration.model.core.web.view.Cas30ViewProperties
class Cas30ViewProperties extends Object implements Serializable- serialVersionUID:
- 2345062034300650858L
-
Serialized Fields
-
attributeRendererType
Cas30ViewProperties.ValidationAttributesRendererTypes attributeRendererType
Indicates how attributes in the final validation response should be formatted. -
failure
String failure
The relative location of the CAS3 success validation bean. -
success
String success
The relative location of the CAS3 success validation bean.
-
-
Class org.apereo.cas.configuration.model.core.web.view.CustomLoginFieldViewProperties
class CustomLoginFieldViewProperties extends Object implements Serializable- serialVersionUID:
- -7122345678378395582L
-
Serialized Fields
-
converter
String converter
The id of the custom converter to use to convert bound property values. -
messageBundleKey
String messageBundleKey
The key for this field found in the message bundle used to present a label/text in CAS views. -
required
boolean required
Whether this field is required to have a value.
-
-
Class org.apereo.cas.configuration.model.core.web.view.RestfulViewProperties
class RestfulViewProperties extends RestEndpointProperties implements Serializable- serialVersionUID:
- -8102345678378393382L
-
Class org.apereo.cas.configuration.model.core.web.view.ViewProperties
class ViewProperties extends Object implements Serializable- serialVersionUID:
- 2719748442042197738L
-
Serialized Fields
-
authorizedServicesOnSuccessfulLogin
boolean authorizedServicesOnSuccessfulLogin
When set to true, attempts to calculate and display the list of authorized services for the authenticated user on successful authentication attempts. -
cas1
Cas10ViewProperties cas1
CAS1 views and locations. -
cas2
Cas20ViewProperties cas2
CAS2 views and locations. -
cas3
Cas30ViewProperties cas3
CAS3 views and locations. -
customLoginFormFields
Map<String,CustomLoginFieldViewProperties> customLoginFormFields
Additional custom fields that should be displayed on the login form and would be bound to the authentication credential during form-authentication to carry additional metadata and tags. Key is the name of the custom field. -
defaultRedirectUrl
String defaultRedirectUrl
The default redirect URL if none is specified after a successful login or logout event. For logout redirects, this setting is closely related to and requires LogoutProperties.isFollowServiceRedirects(). This URL must be registered in the CAS server's service registry. -
rest
RestfulViewProperties rest
Resolve CAS views via REST. -
templatePrefixes
List<String> templatePrefixes
Comma separated paths to where CAS templates may be found. Example might be classpath:templates,file:/templates. -
themeSourceType
ViewProperties.ThemeSourceTypes themeSourceType
How to search for theme resource bundles and how to deal with multiple property files found for a given theme. The ViewProperties.ThemeSourceTypes.DEFAULT type uses the first theme resource bundle found across the template prefixes. The ViewProperties.ThemeSourceTypes.AGGREGATE type combines all the bundles found across template prefixes with the last prefix overriding the first.
-
-
-
Package org.apereo.cas.configuration.model.support
-
Class org.apereo.cas.configuration.model.support.ConnectionPoolingProperties
class ConnectionPoolingProperties extends Object implements Serializable- serialVersionUID:
- -5307463292890944799L
-
Serialized Fields
-
keepAliveTime
String keepAliveTime
This property controls the keepalive interval for a connection in the pool. An in-use connection will never be tested by the keepalive thread, only when it is idle will it be tested. Default is zero, which disables this feature. -
maximumLifetime
String maximumLifetime
This property controls the maximum lifetime of a connection in the pool. When a connection reaches this timeout, even if recently used, it will be retired from the pool. An in-use connection will never be retired, only when it is idle will it be removed. -
maxSize
int maxSize
Controls the maximum number of connections to keep in the pool, including both idle and in-use connections. -
maxWait
String maxWait
Sets the maximum time in seconds that this data source will wait while attempting to connect to a database. A value of zero specifies that the timeout is the default system timeout if there is one; otherwise, it specifies that there is no timeout.
-
minSize
int minSize
Controls the minimum size that the pool is allowed to reach, including both idle and in-use connections. -
name
String name
Set the name of the connection pool. This is primarily used for the MBean to uniquely identify the pool configuration. -
suspension
boolean suspension
Whether or not pool suspension is allowed. There is a performance impact when pool suspension is enabled. Unless you need it (for a redundancy system for example) do not enable it.
-
timeoutMillis
long timeoutMillis
The maximum number of milliseconds that the pool will wait for a connection to be validated as alive.
-
-
-
Package org.apereo.cas.configuration.model.support.account
-
Class org.apereo.cas.configuration.model.support.account.AccountManagementRegistrationCoreProperties
class AccountManagementRegistrationCoreProperties extends Object implements Serializable- serialVersionUID:
- -4679683905941523034L
-
Serialized Fields
-
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Crypto settings on how to generate registration requests. -
expiration
String expiration
How long in minutes should the registration link remain valid. -
includeClientIpAddress
boolean includeClientIpAddress
Whether the registration token will contain the client IP Address. -
includeServerIpAddress
boolean includeServerIpAddress
Whether the registration token will contain the server IP Address. -
passwordPolicyPattern
String passwordPolicyPattern
A String value representing the password policy regex pattern. Minimum 8 and maximum 10 characters, with at least 1 uppercase letter, 1 lowercase letter, 1 number and 1 special character. -
registrationProperties
SpringResourceProperties registrationProperties
Registration properties. -
securityQuestionsCount
int securityQuestionsCount
Whether account registration should present security questions and how many, to complete the registration process.
-
-
Class org.apereo.cas.configuration.model.support.account.AccountManagementRegistrationProperties
class AccountManagementRegistrationProperties extends Object implements Serializable- serialVersionUID:
- -4679683905941523034L
-
Serialized Fields
-
core
AccountManagementRegistrationCoreProperties core
Core settings. -
googleRecaptcha
GoogleRecaptchaProperties googleRecaptcha
Google reCAPTCHA settings. -
mail
EmailProperties mail
Email settings for notifications. -
provisioning
AccountManagementRegistrationProvisioningProperties provisioning
Provisioning settings. -
sms
SmsProperties sms
SMS settings for notifications. -
webflow
WebflowAutoConfigurationProperties webflow
The webflow configuration.
-
-
-
Package org.apereo.cas.configuration.model.support.account.provision
-
Class org.apereo.cas.configuration.model.support.account.provision.AccountManagementRegistrationProvisioningProperties
class AccountManagementRegistrationProvisioningProperties extends Object implements Serializable- serialVersionUID:
- -1279683905942523034L
-
Serialized Fields
-
groovy
GroovyAccountManagementRegistrationProvisioningProperties groovy
Provision accounts via Groovy. -
rest
RestfulAccountManagementRegistrationProvisioningProperties rest
Provision accounts via REST. -
scim
ScimAccountManagementRegistrationProvisioningProperties scim
Provision accounts via SCIM. -
syncope
SyncopeAccountManagementRegistrationProvisioningProperties syncope
Provision accounts via Syncope.
-
-
Class org.apereo.cas.configuration.model.support.account.provision.GroovyAccountManagementRegistrationProvisioningProperties
class GroovyAccountManagementRegistrationProvisioningProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 6855936824474022021L
-
Class org.apereo.cas.configuration.model.support.account.provision.RestfulAccountManagementRegistrationProvisioningProperties
class RestfulAccountManagementRegistrationProvisioningProperties extends BaseRestEndpointProperties implements Serializable- serialVersionUID:
- 6855936824474022021L
-
Class org.apereo.cas.configuration.model.support.account.provision.ScimAccountManagementRegistrationProvisioningProperties
class ScimAccountManagementRegistrationProvisioningProperties extends Object implements Serializable- serialVersionUID:
- 6833936824474022021L
-
Serialized Fields
-
enabled
boolean enabled
Whether provisioning to SCIM targets should be enabled for delegated authentication attempts.
-
-
-
Package org.apereo.cas.configuration.model.support.acme
-
Class org.apereo.cas.configuration.model.support.acme.AcmeProperties
class AcmeProperties extends Object implements Serializable- serialVersionUID:
- -561637865919944706L
-
Serialized Fields
-
domainChain
SpringResourceProperties domainChain
Define the domain's chain certificate file as a resource. -
domainCsr
SpringResourceProperties domainCsr
Define the domain's CSR file as a resource. -
domainKey
SpringResourceProperties domainKey
Define the domain's key file as a resource. -
domains
List<String> domains
List of domains or sub domains that are requesting a certificate renewal. -
keySize
int keySize
Indicate the key length/size used when requesting/generating keys. -
retryAttempts
int retryAttempts
Number of attempts to retry when executing certificate orders or checking for status of an existing order or challenge acknowledgement. -
retryInternal
String retryInternal
Delay interval between retry attempts when executing certificate orders or checking for status of an existing order or challenge acknowledgement. -
serverUrl
String serverUrl
Server URL to contact when requesting certificates. Use acme://letsencrypt.org for production. -
termsOfUseAccepted
boolean termsOfUseAccepted
Flag that indicates the ACME terms of use have been accepted by the user. -
userKey
SpringResourceProperties userKey
Define the user's key file as a resource.
-
-
-
Package org.apereo.cas.configuration.model.support.analytics
-
Class org.apereo.cas.configuration.model.support.analytics.GoogleAnalyticsCookieProperties
class GoogleAnalyticsCookieProperties extends CookieProperties implements Serializable- serialVersionUID:
- -5432498833437602657L
-
Serialized Fields
-
attributeName
String attributeName
Attribute name to collect from the authentication event to serve as the cookie value. -
attributeValuePattern
String attributeValuePattern
A regular expression pattern that is tested against attribute values to only release and allow those that produce a successful match.
-
-
Class org.apereo.cas.configuration.model.support.analytics.GoogleAnalyticsProperties
class GoogleAnalyticsProperties extends Object implements Serializable- serialVersionUID:
- 5425678120443123345L
-
Serialized Fields
-
cookie
GoogleAnalyticsCookieProperties cookie
Cookie settings to be used with google analytics. -
googleAnalyticsTrackingId
String googleAnalyticsTrackingId
The tracking id. Configuring the tracking id activates Google Analytics in CAS on UI views, etc.
-
-
-
Package org.apereo.cas.configuration.model.support.aup
-
Class org.apereo.cas.configuration.model.support.aup.AcceptableUsagePolicyCoreProperties
class AcceptableUsagePolicyCoreProperties extends Object implements Serializable- serialVersionUID:
- -7703477581675908899L
-
Serialized Fields
-
aupAttributeName
String aupAttributeName
AUP attribute to choose in order to determine whether the policy has been accepted or not. The attribute is expected to contain a boolean value where true indicates the policy has been accepted and false indicates otherwise. The attribute is fetched for the principal from configured sources and compared for the right match to determine policy status. If the attribute is not found, the policy status is considered as denied. -
aupOmitIfAttributeMissing
boolean aupOmitIfAttributeMissing
By default, the policy status is considered as denied when the attribute AcceptableUsagePolicyCoreProperties.aupAttributeName is not found. If set to true, the policy status in those cases is considered as accepted. -
aupPolicyTermsAttributeName
String aupPolicyTermsAttributeName
AUP attribute to choose whose single value dictates how CAS should fetch the policy terms from the relevant message bundles. -
enabled
boolean enabled
Allows AUP to be turned off on startup.
-
-
Class org.apereo.cas.configuration.model.support.aup.AcceptableUsagePolicyProperties
class AcceptableUsagePolicyProperties extends Object implements Serializable- serialVersionUID:
- -7703477581675908899L
-
Serialized Fields
-
core
AcceptableUsagePolicyCoreProperties core
Core configuration settings that control common AUP behavior are captured here. -
groovy
GroovyAcceptableUsagePolicyProperties groovy
Control AUP Groovy. -
inMemory
InMemoryAcceptableUsagePolicyProperties inMemory
Control AUP backed by runtime's memory. -
jdbc
JdbcAcceptableUsagePolicyProperties jdbc
Control AUP via JDBC. -
ldap
List<LdapAcceptableUsagePolicyProperties> ldap
Control AUP via LDAP. -
mongo
MongoDbAcceptableUsagePolicyProperties mongo
Control AUP via a MongoDb database resource. -
redis
RedisAcceptableUsagePolicyProperties redis
Control AUP via Redis. -
rest
RestAcceptableUsagePolicyProperties rest
Control AUP via REST.
-
-
Class org.apereo.cas.configuration.model.support.aup.GroovyAcceptableUsagePolicyProperties
class GroovyAcceptableUsagePolicyProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 9164227843747126083L
-
Class org.apereo.cas.configuration.model.support.aup.InMemoryAcceptableUsagePolicyProperties
class InMemoryAcceptableUsagePolicyProperties extends Object implements Serializable- serialVersionUID:
- 8164227843747126083L
-
Serialized Fields
-
scope
InMemoryAcceptableUsagePolicyProperties.Scope scope
Scope of map where the aup selection is stored.
-
-
Class org.apereo.cas.configuration.model.support.aup.JdbcAcceptableUsagePolicyProperties
class JdbcAcceptableUsagePolicyProperties extends AbstractJpaProperties implements Serializable- serialVersionUID:
- -1325011278378393385L
-
Serialized Fields
-
aupColumn
String aupColumn
The column to store the AUP attribute. May differ from the profile attribute defined by AcceptableUsagePolicyCoreProperties.getAupAttributeName(). The SQL query can be further customized by setting JdbcAcceptableUsagePolicyProperties.sqlUpdate. -
principalIdAttribute
String principalIdAttribute
The profile attribute to extract the value for the JdbcAcceptableUsagePolicyProperties.principalIdColumn used in the WHERE clause of JdbcAcceptableUsagePolicyProperties.sqlUpdate. If empty, the principal ID will be used. -
principalIdColumn
String principalIdColumn
The column to identify the principal. The SQL query can be further customized by setting JdbcAcceptableUsagePolicyProperties.sqlUpdate. -
sqlSelect
String sqlSelect
The query template to search for the AUP attribute. The %s placeholders represent the JdbcAcceptableUsagePolicyProperties.aupColumn, JdbcAcceptableUsagePolicyProperties.tableName and JdbcAcceptableUsagePolicyProperties.principalIdColumn settings. -
sqlUpdate
String sqlUpdate
The query template to update the AUP attribute. The %s placeholders represent the JdbcAcceptableUsagePolicyProperties.tableName, JdbcAcceptableUsagePolicyProperties.aupColumn and JdbcAcceptableUsagePolicyProperties.principalIdColumn settings. -
tableName
String tableName
The table name in the database that holds the AUP attribute to update for the user.
-
-
Class org.apereo.cas.configuration.model.support.aup.LdapAcceptableUsagePolicyProperties
class LdapAcceptableUsagePolicyProperties extends AbstractLdapSearchProperties implements Serializable- serialVersionUID:
- -7991011278378393382L
-
Serialized Fields
-
aupAcceptedAttributeValue
String aupAcceptedAttributeValue
Attribute value that indicates whether AUP has been accepted for the LDAP record.
-
-
Class org.apereo.cas.configuration.model.support.aup.MongoDbAcceptableUsagePolicyProperties
class MongoDbAcceptableUsagePolicyProperties extends SingleCollectionMongoDbProperties implements Serializable- serialVersionUID:
- -1918436901491275547L
-
Class org.apereo.cas.configuration.model.support.aup.RedisAcceptableUsagePolicyProperties
class RedisAcceptableUsagePolicyProperties extends BaseRedisProperties implements Serializable- serialVersionUID:
- -2147683393318585262L
-
Class org.apereo.cas.configuration.model.support.aup.RestAcceptableUsagePolicyProperties
class RestAcceptableUsagePolicyProperties extends RestEndpointProperties implements Serializable- serialVersionUID:
- -8102345678378393382L
-
-
Package org.apereo.cas.configuration.model.support.aws
-
Class org.apereo.cas.configuration.model.support.aws.AmazonS3ServiceRegistryProperties
class AmazonS3ServiceRegistryProperties extends BaseAmazonWebServicesProperties implements Serializable- serialVersionUID:
- -6790277338807046269L
-
Class org.apereo.cas.configuration.model.support.aws.AmazonSecurityTokenServiceProperties
class AmazonSecurityTokenServiceProperties extends BaseAmazonWebServicesProperties implements Serializable- serialVersionUID:
- 5426637051495147084L
-
Serialized Fields
-
principalAttributeName
String principalAttributeName
Attribute name that must be found and resolved for the principal to authorize the user to proceed with obtaining credentials. -
principalAttributeValue
String principalAttributeValue
Attribute value, defined as a regex pattern that must be found and resolved for the principal to authorize the user to proceed with obtaining credentials. -
rbacEnabled
boolean rbacEnabled
When set to true, credentials will be obtained based on roles as attributes resolved for the user. Typically, you could use roles within your account or for cross-account access. When set to true, the AmazonSecurityTokenServiceProperties.getPrincipalAttributeName() must contain roleArns as values.
-
-
Class org.apereo.cas.configuration.model.support.aws.BaseAmazonWebServicesProperties
class BaseAmazonWebServicesProperties extends Object implements Serializable- serialVersionUID:
- 6426637051495147084L
-
Serialized Fields
-
clientExecutionTimeout
String clientExecutionTimeout
Client execution timeout. -
connectionTimeout
String connectionTimeout
Connection timeout. -
credentialAccessKey
String credentialAccessKey
Use access-key provided by AWS to authenticate. -
credentialSecretKey
String credentialSecretKey
Use secret key provided by AWS to authenticate. -
endpoint
String endpoint
AWS custom endpoint. -
localAddress
String localAddress
Local address. -
maxConnections
int maxConnections
Maximum connections setting. -
profileName
String profileName
Profile name to use. -
profilePath
String profilePath
Profile path. -
proxyHost
String proxyHost
Optionally specifies the proxy host to connect through. -
proxyPassword
String proxyPassword
Optionally specifies the proxy password to connect through. -
proxyUsername
String proxyUsername
Optionally specifies the proxy username to connect through. -
region
String region
AWS region used. -
retryMode
String retryMode
Outline the requested retry mode. Accepted values are STANDARD, LEGACY. -
socketTimeout
String socketTimeout
Socket timeout. -
useReaper
boolean useReaper
Flag that indicates whether to use reaper.
-
-
-
Package org.apereo.cas.configuration.model.support.azuread
-
Class org.apereo.cas.configuration.model.support.azuread.AzureActiveDirectoryAttributesProperties
class AzureActiveDirectoryAttributesProperties extends Object implements Serializable- serialVersionUID:
- -12055975558426360L
-
Serialized Fields
-
apiBaseUrl
String apiBaseUrl
Base API url used to contact microsoft graph for calls. -
attributes
String attributes
Comma-separated attributes and user properties to fetch from microsoft graph. If attributes are specified here, they would be the only ones requested and fetched. If this field is left blank, a default set of attributes are fetched and returned. -
caseInsensitive
boolean caseInsensitive
Whether attribute repository should consider the underlying attribute names in a case-insensitive manner. -
clientId
String clientId
Client id of the registered app in microsoft azure portal. -
clientSecret
String clientSecret
Client secret of the registered app in microsoft azure portal. -
domain
String domain
Domain that is appended to usernames when doing lookups. The @ is automatically included. -
grantType
String grantType
Grant type used to fetch access tokens; defaults to client_credentials. -
id
String id
A value can be assigned to this field to uniquely identify this resolver. -
loggingLevel
String loggingLevel
Adjust the logging level of the API calls. Defaults to basic. Accepted values are none, headers, basic, body. -
loginBaseUrl
String loginBaseUrl
Base login url used to fetch access tokens. -
order
int order
The order of this attribute repository in the chain of repositories. Can be used to explicitly position this source in chain and affects merging strategies. -
resource
String resource
Resource to fetch access tokens for; defaults to the graph api url. -
scope
String scope
Scope used when fetching access tokens. -
tenant
String tenant
The microsoft tenant id.
-
-
Class org.apereo.cas.configuration.model.support.azuread.AzureActiveDirectoryAuthenticationProperties
class AzureActiveDirectoryAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- -21355975558426360L
-
Serialized Fields
-
clientId
String clientId
Client id of the application. -
clientSecret
String clientSecret
Client secret of the registered app in microsoft azure portal. -
credentialCriteria
String credentialCriteria
A number of authentication handlers are allowed to determine whether they can operate on the provided credential and as such lend themselves to be tried and tested during the authentication handler selection phase. The credential criteria may be one of the following options:
- 1) A regular expression pattern that is tested against the credential identifier.
- 2) A fully qualified class name of your own design that implements Predicate.
- 3) Path to an external Groovy script that implements the same interface.
-
enabled
boolean enabled
Enable authentication against Azure active directory. -
loginUrl
String loginUrl
The URL of the security token service that CAS goes to for acquiring tokens for resources and users. This URL allows CAS to establish what is called an 'authority'. You can think of the authority as the directory issuing the identities/tokens. The login URL here is then composed of https://<instance>/<tenant>, where 'instance' is the Azure AD host (such as https://login.microsoftonline.com) and 'tenant' is the domain name (such as contoso.onmicrosoft.com) or tenant ID of the directory. Examples of authority URLs are:
- https://login.microsoftonline.com/f31e6716-26e8-4651-b323-2563936b4163 : for a single tenant application defined in the tenant.
- https://login.microsoftonline.com/contoso.onmicrosoft.com : this representation is like the previous one, but uses the tenant domain name instead of the tenant ID.
- https://login.microsoftonline.de/contoso.de : also uses a domain name, but in this case the Azure AD tenant admins have set a custom domain for their tenant, and the instance URL here is for the German national cloud.
- https://login.microsoftonline.com/common : in the case of a multi-tenant application, that is an application available in several Azure AD tenants.
- It can finally be an Active Directory Federation Services (ADFS) URL, which is recognized with the convention that the URL should contain adfs, like https://contoso.com/adfs.
-
name
String name
The name of the authentication handler. -
order
int order
The order of this authentication handler in the chain. -
passwordEncoder
PasswordEncoderProperties passwordEncoder
Password encoding properties. -
principalTransformation
PrincipalTransformationProperties principalTransformation
Principal transformation properties. -
resource
String resource
Resource url for the graph API to fetch attributes. -
scope
String scope
Scope used when fetching access tokens. Multiple scopes may be separated using a comma. -
state
AuthenticationHandlerStates state
Define the scope and state of this authentication handler and the lifecycle in which it can be invoked or activated. -
tenant
String tenant
The microsoft tenant id.
-
-
-
Package org.apereo.cas.configuration.model.support.bucket4j
-
Class org.apereo.cas.configuration.model.support.bucket4j.BaseBucket4jProperties
class BaseBucket4jProperties extends Object implements Serializable- serialVersionUID:
- 1813165633105563813L
-
Serialized Fields
-
bandwidth
List<Bucket4jBandwidthLimitProperties> bandwidth
Describe the available bandwidth and the overall limitations. Multiple bandwidths allow for different policies per unit of measure (i.e. allow 1000 tokens per 1 minute, but not more often than 50 tokens per 1 second). -
blocking
boolean blocking
Whether the request should block until capacity becomes available. Consume a token from the token bucket. If a token is not available this will block until the refill adds one to the bucket. -
enabled
boolean enabled
Decide whether bucket4j functionality should be enabled.
-
-
Class org.apereo.cas.configuration.model.support.bucket4j.Bucket4jBandwidthLimitProperties
class Bucket4jBandwidthLimitProperties extends Object implements Serializable- serialVersionUID:
- -4208702997065904970L
-
Serialized Fields
-
capacity
long capacity
Number of tokens/requests that can be used within the time window. -
duration
String duration
Time window in which capacity can be allowed. -
initialTokens
long initialTokens
By default the initial size of the bucket equals its capacity. But sometimes you may want a smaller initial size, for example in the case of a cold start, in order to prevent denial of service. -
refillCount
long refillCount
The number of tokens that should be used to refill the bucket given the specified refill duration. -
refillDuration
String refillDuration
Duration to use to refill the bucket. -
refillStrategy
Bucket4jBandwidthLimitProperties.BandwidthRefillStrategies refillStrategy
Describes how the bucket should be refilled. Specifies the speed of tokens regeneration.
-
-
-
Package org.apereo.cas.configuration.model.support.captcha
-
Class org.apereo.cas.configuration.model.support.captcha.GoogleRecaptchaProperties
class GoogleRecaptchaProperties extends Object implements Serializable- serialVersionUID:
- -8955074129123813915L
-
Serialized Fields
-
activateForIpAddressPattern
String activateForIpAddressPattern
A regular expression pattern to indicate that captcha should be activated when the remote IP address matches this pattern, and otherwise skipped and disabled. -
enabled
boolean enabled
Whether google reCAPTCHA should be enabled. -
invisible
boolean invisible
Whether google reCAPTCHA invisible should be enabled. -
position
String position
The google reCAPTCHA badge position (only if invisible is enabled). Accepted values are:
- bottomright : bottom right corner, default value.
- bottomleft : bottom left corner.
- inline : allows to control the CSS.
-
score
double score
reCAPTCHA v3 returns a score (1.0 is very likely a good interaction, 0.0 is very likely a bot). reCAPTCHA learns by seeing real traffic on your site. For this reason, scores in a staging environment or soon after implementing may differ from production. As reCAPTCHA v3 doesn't ever interrupt the user flow, you can first run reCAPTCHA without taking action and then decide on thresholds by looking at your traffic in the admin console. By default, you can use a threshold of 0.5. -
secret
String secret
The google reCAPTCHA site secret. -
siteKey
String siteKey
The google reCAPTCHA site key. -
verifyUrl
String verifyUrl
The google reCAPTCHA endpoint for verification of tokens and input. -
version
GoogleRecaptchaProperties.RecaptchaVersions version
Indicate the version of the recaptcha API. Accepted values are: V2, V3.
-
-
-
Package org.apereo.cas.configuration.model.support.cassandra.authentication
-
Class org.apereo.cas.configuration.model.support.cassandra.authentication.BaseCassandraProperties
class BaseCassandraProperties extends Object implements Serializable- serialVersionUID:
- 3708645268337674572L
-
Serialized Fields
-
consistencyLevel
String consistencyLevel
Query option consistency level. The consistency level set through this method will be used for queries that don't explicitly have a consistency level. Accepted values are: ALL, ANY, EACH_QUORUM, LOCAL_ONE, LOCAL_QUORUM, LOCAL_SERIAL, ONE, QUORUM, SERIAL, THREE, TWO. -
contactPoints
List<String> contactPoints
The list of contact points to use for the new cluster. Each contact point should be defined using the syntax address:port. -
keyspace
String keyspace
Keyspace address to use where the cluster would connect. -
localDc
String localDc
Used by a DC-aware round-robin load balancing policy. This policy provides round-robin queries over the nodes of the local data center. It also includes in the query plans returned a configurable number of hosts in the remote data centers, but those are always tried after the local nodes. In other words, this policy guarantees that no host in a remote data center will be queried unless no host in the local data center can be reached. -
password
String password
Password to bind and establish a connection to cassandra. -
serialConsistencyLevel
String serialConsistencyLevel
Query option serial consistency level. The serial consistency level set through this method will be used for queries that don't explicitly have a serial consistency level. Accepted values are: ALL, ANY, EACH_QUORUM, LOCAL_ONE, LOCAL_QUORUM, LOCAL_SERIAL, ONE, QUORUM, SERIAL, THREE, TWO. -
sslCipherSuites
String[] sslCipherSuites
The cipher suites to use, or empty/null to use the default ones. Note that host name validation will always be done using HTTPS algorithm. -
sslProtocols
String[] sslProtocols
Set the protocol versions enabled for use on this engine. Once the setting is set, only protocols listed in the protocols parameter are enabled for use. -
timeout
String timeout
The request timeout. This defines how long the driver will wait for a given Cassandra node to answer a query. -
username
String username
Username to bind and establish a connection to cassandra.
-
-
Class org.apereo.cas.configuration.model.support.cassandra.authentication.CassandraAuthenticationProperties
class CassandraAuthenticationProperties extends BaseCassandraProperties implements Serializable- serialVersionUID:
- 1369405266376125234L
-
Serialized Fields
-
name
String name
Name of the authentication handler. -
order
Integer order
The authentication handler order in the chain. -
passwordAttribute
String passwordAttribute
Password attribute to fetch and compare. -
passwordEncoder
PasswordEncoderProperties passwordEncoder
Password encoding settings for this authentication. -
principalTransformation
PrincipalTransformationProperties principalTransformation
Principal transformation settings for this authentication. -
query
String query
The authentication query to use when searching for users. -
tableName
String tableName
Table name to fetch credentials. -
usernameAttribute
String usernameAttribute
Username attribute to fetch and compare.
-
-
-
Package org.apereo.cas.configuration.model.support.cassandra.serviceregistry
-
Class org.apereo.cas.configuration.model.support.cassandra.serviceregistry.CassandraServiceRegistryProperties
class CassandraServiceRegistryProperties extends BaseCassandraProperties implements Serializable- serialVersionUID:
- -1835394847251801709L
-
-
Package org.apereo.cas.configuration.model.support.cassandra.ticketregistry
-
Class org.apereo.cas.configuration.model.support.cassandra.ticketregistry.CassandraTicketRegistryProperties
class CassandraTicketRegistryProperties extends BaseCassandraProperties implements Serializable- serialVersionUID:
- -2468250557119133004L
-
Serialized Fields
-
crypto
EncryptionRandomizedSigningJwtCryptographyProperties crypto
Crypto settings for the registry. -
dropTablesOnStartup
boolean dropTablesOnStartup
Flag that indicates whether to drop tables on startup.
-
-
-
Package org.apereo.cas.configuration.model.support.clearpass
-
Class org.apereo.cas.configuration.model.support.clearpass.ClearpassProperties
class ClearpassProperties extends Object implements Serializable- serialVersionUID:
- 6047778458053531460L
-
Serialized Fields
-
cacheCredential
boolean cacheCredential
Enable clearpass and allow CAS to cache credentials. -
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Crypto settings that sign/encrypt the password captured.
-
-
-
Package org.apereo.cas.configuration.model.support.clouddirectory
-
Class org.apereo.cas.configuration.model.support.clouddirectory.AmazonCloudDirectoryProperties
class AmazonCloudDirectoryProperties extends BaseAmazonWebServicesProperties implements Serializable- serialVersionUID:
- 6725526133973304269L
-
Serialized Fields
-
directoryArn
String directoryArn
Directory ARN. -
facetName
String facetName
Facet name. -
name
String name
The name of the authentication handler. -
order
int order
The order of this authentication handler in the chain. -
passwordAttributeName
String passwordAttributeName
Password attribute to choose on the entry to compare. -
passwordEncoder
PasswordEncoderProperties passwordEncoder
Password encoding properties. -
principalTransformation
PrincipalTransformationProperties principalTransformation
Principal transformation properties. -
schemaArn
String schemaArn
Schema ARN. -
usernameAttributeName
String usernameAttributeName
Username attribute to choose when locating accounts. -
usernameIndexPath
String usernameIndexPath
Username index path.
-
-
-
Package org.apereo.cas.configuration.model.support.cognito
-
Class org.apereo.cas.configuration.model.support.cognito.AmazonCognitoAuthenticationProperties
class AmazonCognitoAuthenticationProperties extends BaseAmazonWebServicesProperties implements Serializable- serialVersionUID:
- -4748558614314096213L
-
Serialized Fields
-
clientId
String clientId
The application client id, created in Cognito without a secret key. -
mappedAttributes
Map<String, String> mappedAttributes
Map of attributes to rename after fetching from the user pool. Mapped attributes are defined using a key-value structure where CAS allows the attribute name/key to be renamed virtually to a different attribute. The key is the attribute fetched from the user pool and the value is the attribute name CAS should use for virtual renames. -
name
String name
The name of the authentication handler. -
order
int order
The order of this authentication handler in the chain. -
passwordEncoder
PasswordEncoderProperties passwordEncoder
Password encoding properties. -
principalTransformation
PrincipalTransformationProperties principalTransformation
Principal transformation properties. -
state
AuthenticationHandlerStates state
Define the scope and state of this authentication handler and the lifecycle in which it can be invoked or activated. -
userPoolId
String userPoolId
The user pool identifiers where accounts may be located.
-
-
-
Package org.apereo.cas.configuration.model.support.consent
-
Class org.apereo.cas.configuration.model.support.consent.ConsentCoreProperties
class ConsentCoreProperties extends Object implements Serializable- serialVersionUID:
- 5211308051524438384L
-
Serialized Fields
-
active
boolean active
Whether consent functionality should be globally applicable to all applications and requests. -
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Signing/encryption settings. -
enabled
boolean enabled
Whether consent functionality should be enabled. -
excludedAttributes
List<String> excludedAttributes
Attributes that should always and globally be excluded from the list of consentable attributes. Such attributes are always ignored during consent rule calculations and users will not be prompted to consent to their release. -
reminder
long reminder
Global reminder period, to reconfirm consent in cases where no changes are detected. -
reminderTimeUnit
ChronoUnit reminderTimeUnit
Global reminder time unit of measure, to reconfirm consent in cases where no changes are detected. -
webflow
WebflowAutoConfigurationProperties webflow
The webflow consent configuration.
-
-
Class org.apereo.cas.configuration.model.support.consent.ConsentProperties
class ConsentProperties extends Object implements Serializable- serialVersionUID:
- 5201308051524438384L
-
Serialized Fields
-
activationStrategyGroovyScript
SpringResourceProperties activationStrategyGroovyScript
Path to script that determines the activation rules for consent-enabled transactions. -
core
ConsentCoreProperties core
Consent core settings. -
dynamoDb
DynamoDbConsentProperties dynamoDb
Keep consent decisions stored via a DynamoDb database resource. -
groovy
GroovyConsentProperties groovy
Keep consent decisions stored via a Groovy resource. -
jpa
JpaConsentProperties jpa
Keep consent decisions stored via JDBC resources. -
json
JsonConsentProperties json
Keep consent decisions stored via a static JSON resource. -
ldap
LdapConsentProperties ldap
Keep consent decisions stored via LDAP user records. -
mongo
MongoDbConsentProperties mongo
Keep consent decisions stored via a MongoDb database resource. -
redis
RedisConsentProperties redis
Keep consent decisions stored via Redis. -
rest
RestfulConsentProperties rest
Keep consent decisions stored via REST.
-
-
Class org.apereo.cas.configuration.model.support.consent.DynamoDbConsentProperties
class DynamoDbConsentProperties extends AbstractDynamoDbProperties implements Serializable- serialVersionUID:
- -9012260892496773705L
-
Serialized Fields
-
tableName
String tableName
The table name used and created by CAS to hold consent records in DynamoDb.
-
-
Class org.apereo.cas.configuration.model.support.consent.GroovyConsentProperties
class GroovyConsentProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 7079027843747126083L
-
Class org.apereo.cas.configuration.model.support.consent.JpaConsentProperties
class JpaConsentProperties extends AbstractJpaProperties implements Serializable- serialVersionUID:
- 1646689616653363554L
-
Class org.apereo.cas.configuration.model.support.consent.JsonConsentProperties
class JsonConsentProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 7079027843747126083L
-
Class org.apereo.cas.configuration.model.support.consent.LdapConsentProperties
class LdapConsentProperties extends AbstractLdapSearchProperties implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
consentAttributeName
String consentAttributeName
Name of LDAP attribute that holds consent decisions as JSON. -
type
AbstractLdapProperties.LdapType type
Type of LDAP directory.
-
-
Class org.apereo.cas.configuration.model.support.consent.MongoDbConsentProperties
class MongoDbConsentProperties extends SingleCollectionMongoDbProperties implements Serializable- serialVersionUID:
- -1918436901491275547L
-
Class org.apereo.cas.configuration.model.support.consent.RedisConsentProperties
class RedisConsentProperties extends BaseRedisProperties implements Serializable- serialVersionUID:
- -1347683393318585262L
-
Class org.apereo.cas.configuration.model.support.consent.RestfulConsentProperties
class RestfulConsentProperties extends BaseRestEndpointProperties implements Serializable- serialVersionUID:
- -6909617495470495341L
-
-
Package org.apereo.cas.configuration.model.support.cookie
-
Class org.apereo.cas.configuration.model.support.cookie.CookieProperties
class CookieProperties extends Object implements Serializable- serialVersionUID:
- 6804770601645126835L
-
Serialized Fields
-
domain
String domain
Cookie domain. Specifies the domain within which this cookie should be presented. The form of the domain name is specified by RFC 2965. A domain name begins with a dot (.foo.com) and means that the cookie is visible to servers in a specified Domain Name System (DNS) zone (for example, www.foo.com, but not a.b.foo.com). By default, cookies are only returned to the server that sent them. -
httpOnly
boolean httpOnly
True if this cookie contains the HttpOnly attribute. This means that the cookie should not be accessible to scripting engines, like JavaScript. -
maxAge
int maxAge
The maximum age of the cookie, specified in seconds. By default, -1, indicating the cookie will persist until browser shutdown. A positive value indicates that the cookie will expire after that many seconds have passed. Note that the value is the maximum age when the cookie will expire, not the cookie's current age. A negative value means that the cookie is not stored persistently and will be deleted when the Web browser exits. A zero value causes the cookie to be deleted. -
name
String name
Cookie name. Constructs a cookie with a specified name and value. The name must conform to RFC 2965. That means it can contain only ASCII alphanumeric characters and cannot contain commas, semicolons, or white space or begin with a $ character. The cookie's name cannot be changed after creation. By default, cookies are created according to the RFC 2965 cookie specification. Cookie names are automatically calculated and assigned by CAS at runtime, and there is usually no need to customize the name or assign it a different value unless a special use case warrants the change. -
path
String path
Cookie path. Specifies a path for the cookie to which the client should return the cookie. The cookie is visible to all the pages in the directory you specify, and all the pages in that directory's subdirectories. A cookie's path must include the servlet that set the cookie, for example, /catalog, which makes the cookie visible to all directories on the server under /catalog. Consult RFC 2965 (available on the Internet) for more information on setting path names for cookies. -
sameSitePolicy
String sameSitePolicy
If a cookie is only intended to be accessed in a first-party context, the developer has the option to apply one of the settings SameSite=Lax, SameSite=Strict or SameSite=None to prevent external access. To safeguard more websites and their users, the new secure-by-default model assumes all cookies should be protected from external access unless otherwise specified. Developers must use a new cookie setting, SameSite=None, to designate cookies for cross-site access. When the SameSite=None attribute is present, an additional Secure attribute is used so cross-site cookies can only be accessed over HTTPS connections. Accepted values are:
- Lax
- Strict
- None
- Off: Disable the generation of the SameSite cookie attribute altogether.
- Path to a Groovy script that is able to generate the SameSite cookie attribute dynamically.
- Fully qualified name of a class that implements org.apereo.cas.web.cookie.CookieSameSitePolicy
-
secure
boolean secure
True if sending this cookie should be restricted to a secure protocol, or false if it can be sent using any protocol.
-
-
Class org.apereo.cas.configuration.model.support.cookie.PinnableCookieProperties
class PinnableCookieProperties extends CookieProperties implements Serializable- serialVersionUID:
- -7643955577897341936L
-
Serialized Fields
-
allowedIpAddressesPattern
String allowedIpAddressesPattern
A regular expression pattern that indicates the set of allowed IP addresses, when PinnableCookieProperties.isPinToSession() is configured. In the event that there is a mismatch between the cookie IP address and the current request-provided IP address (i.e. network switches, VPN, etc), the cookie can still be considered valid if the new IP address matches the pattern specified here. -
geoLocateClientSession
boolean geoLocateClientSession
When set to true and assuming PinnableCookieProperties.isPinToSession() is also true, client sessions (using the client IP address) are geo-located using a geolocation service when/if configured. The resulting session is either pinned to the client geolocation, or the default client address. -
pinToSession
boolean pinToSession
When generating cookie values, determine whether the value should be compounded and signed with the properties of the current session, such as IP address, user-agent, etc.
-
-
Class org.apereo.cas.configuration.model.support.cookie.TicketGrantingCookieProperties
class TicketGrantingCookieProperties extends PinnableCookieProperties implements Serializable- serialVersionUID:
- 7392972818105536350L
-
Serialized Fields
-
autoConfigureCookiePath
boolean autoConfigureCookiePath
Decide if cookie paths should be automatically configured based on the application context path, when the cookie path is not configured. -
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Crypto settings that determine how the cookie should be signed and encrypted. -
rememberMeMaxAge
String rememberMeMaxAge
If remember-me is enabled, specifies the maximum age of the cookie.
-
-
Class org.apereo.cas.configuration.model.support.cookie.WarningCookieProperties
class WarningCookieProperties extends CookieProperties implements Serializable- serialVersionUID:
- -266090748600049578L
-
Serialized Fields
-
autoConfigureCookiePath
boolean autoConfigureCookiePath
Decide if cookie paths should be automatically configured based on the application context path, when the cookie path is not configured.
-
-
-
Package org.apereo.cas.configuration.model.support.cosmosdb
-
Class org.apereo.cas.configuration.model.support.cosmosdb.BaseCosmosDbProperties
class BaseCosmosDbProperties extends Object implements Serializable- serialVersionUID:
- 2528153816791719898L
-
Serialized Fields
-
allowTelemetry
boolean allowTelemetry
Whether telemetry should be enabled by default. Sets the flag to enable client telemetry which will periodically collect database operations aggregation statistics, system information like cpu/memory and send it to cosmos monitoring service, which will be helpful during debugging. -
consistencyLevel
String consistencyLevel
Document Db consistency level. Azure Cosmos DB is designed from the ground up with global distribution in mind for every data model. It is designed to offer predictable low latency guarantees, a 99.99% availability SLA, and multiple well-defined relaxed consistency models. Currently, Azure Cosmos DB provides five consistency levels: strong, bounded-staleness, session, consistent prefix, and eventual. Besides strong and eventual consistency models commonly offered by distributed databases, Azure Cosmos DB offers three more carefully codified and operationalized consistency models, and has validated their usefulness against real world use cases. These are the bounded staleness, session, and consistent prefix consistency levels. Collectively these five consistency levels enable you to make well-reasoned trade-offs between consistency, availability, and latency. Accepted values are:
- STRONG: Linearizability
- SESSION: Consistent Prefix. Monotonic reads, monotonic writes, read-your-writes, write-follows-reads
- EVENTUAL: Out of order reads
- BOUNDED_STALENESS: Consistent Prefix. Reads lag behind writes by k prefixes or t interval
- CONSISTENT_PREFIX: Updates returned are some prefix of all the updates, with no gaps
-
database
String database
Database name. -
databaseThroughput
int databaseThroughput
The max auto scale throughput. -
endpointDiscoveryEnabled
boolean endpointDiscoveryEnabled
Sets the flag to enable endpoint discovery for geo-replicated database accounts. When EnableEndpointDiscovery is true, the SDK will automatically discover the current write and read regions to ensure requests are sent to the correct region based on the capability of the region and the user's preference. -
indexingMode
String indexingMode
Specifies the supported indexing modes in the Azure Cosmos DB database service. Accepted values are:
- CONSISTENT: Index is updated synchronously with a create or update operation. With consistent indexing, query behavior is the same as the default consistency level for the collection. The index is always kept up to date with the data.
- LAZY: Index is updated asynchronously with respect to a create or update operation. With lazy indexing, queries are eventually consistent. The index is updated when the collection is idle.
- NONE: No index is provided. Setting IndexingMode to "None" drops the index. Use this if you don't want to maintain the index for a document collection, to save the storage cost or improve the write throughput. Your queries will degenerate to scans of the entire collection.
-
key
String key
Document Db master key. -
maxRetryAttemptsOnThrottledRequests
int maxRetryAttemptsOnThrottledRequests
Sets the maximum number of retries in the case where the request fails because the service has applied rate limiting on the client. When a client is sending requests faster than the allowed rate, the service will return HttpStatusCode 429 (Too Many Requests) to throttle the client. The current implementation in the SDK will then wait for the amount of time the service tells it to wait and retry after the time has elapsed.
The default value is 4. This means that in the case where the request is throttled, the same request will be issued a maximum of 5 times to the server before an error is returned to the application.
-
maxRetryWaitTime
String maxRetryWaitTime
Sets the maximum retry time in seconds. When a request fails due to a throttle error, the service sends back a response that contains a value indicating the client should not retry before the time period has elapsed (Retry-After). The MaxRetryWaitTime flag allows the application to set a maximum wait time for all retry attempts. If the cumulative wait time exceeds the MaxRetryWaitTime, the SDK will stop retrying and return the error to the application. -
preferredRegions
List<String> preferredRegions
Sets the preferred regions for geo-replicated database accounts. For example, "East US" as the preferred region. When EnableEndpointDiscovery is true and PreferredRegions is non-empty, the SDK will prefer to use the regions in the container in the order they are specified to perform operations. -
uri
String uri
Document Db host address (e.g. https://localhost:8081). -
userAgentSuffix
String userAgentSuffix
Sets the value of the user-agent suffix.
-
-
Class org.apereo.cas.configuration.model.support.cosmosdb.CosmosDbServiceRegistryProperties
class CosmosDbServiceRegistryProperties extends BaseCosmosDbProperties implements Serializable- serialVersionUID:
- 6194689836396653458L
-
Serialized Fields
-
container
String container
Collection to store CAS service definitions. -
createContainer
boolean createContainer
Whether collections should be created on startup.
-
-
Class org.apereo.cas.configuration.model.support.cosmosdb.CosmosDbTicketRegistryProperties
class CosmosDbTicketRegistryProperties extends BaseCosmosDbProperties implements Serializable- serialVersionUID:
- 3528153816791719898L
-
Serialized Fields
-
crypto
EncryptionRandomizedSigningJwtCryptographyProperties crypto
Crypto settings for the registry.
-
-
-
Package org.apereo.cas.configuration.model.support.custom
-
Class org.apereo.cas.configuration.model.support.custom.CasCustomProperties
class CasCustomProperties extends Object implements Serializable- serialVersionUID:
- 5354004353286722083L
-
Serialized Fields
-
properties
Map<String,String> properties
Collection of custom settings that can be utilized for a local deployment. The settings should be available to CAS views and webflows for altering UI and/or introducing custom behavior to any extended customized component without introducing a new property namespace. This is defined as a map, where the key should be the setting name and the value should be the setting value.
-
-
-
Package org.apereo.cas.configuration.model.support.dynamodb
-
Class org.apereo.cas.configuration.model.support.dynamodb.AbstractDynamoDbProperties
class AbstractDynamoDbProperties extends BaseAmazonWebServicesProperties implements Serializable- serialVersionUID:
- -8349917272283787550L
-
Serialized Fields
-
billingMode
AbstractDynamoDbProperties.BillingMode billingMode
Billing mode specifies how you are charged for read and write throughput and how you manage capacity. -
dax
DynamoDbDaxProperties dax
Amazon DynamoDB Accelerator (DAX) is a managed, highly available, in-memory cache for Amazon DynamoDB. -
dropTablesOnStartup
boolean dropTablesOnStartup
Flag that indicates whether to drop tables on start up. -
localInstance
boolean localInstance
Indicates that the database instance is local to the deployment and does not require or use any credentials or configuration other than host and region. This is mostly used during development and testing. -
preventTableCreationOnStartup
boolean preventTableCreationOnStartup
Flag that indicates whether to prevent CAS from creating tables. -
readCapacity
long readCapacity
Read capacity. -
timeOffset
int timeOffset
Time offset. -
writeCapacity
long writeCapacity
Write capacity.
-
-
Class org.apereo.cas.configuration.model.support.dynamodb.AuditDynamoDbProperties
class AuditDynamoDbProperties extends AbstractDynamoDbProperties implements Serializable- serialVersionUID:
- 102540148774854955L
-
Serialized Fields
-
asynchronous
boolean asynchronous
Make storage requests asynchronously. -
tableName
String tableName
The table name used and created by CAS to hold audit logs in DynamoDb.
-
-
Class org.apereo.cas.configuration.model.support.dynamodb.DynamoDbDaxProperties
class DynamoDbDaxProperties extends Object implements Serializable- serialVersionUID:
- 222540148774854955L
-
Serialized Fields
-
connectionTtl
String connectionTtl
How long should connections be kept alive, calculated in milliseconds. -
connectTimeout
String connectTimeout
Connection timeout, calculated in milliseconds. -
idleTimeout
String idleTimeout
Connection idle timeout, calculated in milliseconds. -
maxConcurrency
int maxConcurrency
Determines the maximum number of concurrent requests that can be made to the DAX cluster. -
readRetries
int readRetries
Number of read retry attempts. -
requestTimeout
String requestTimeout
Request execution timeout, calculated in milliseconds. -
url
String url
Cluster url. For example, dax://my-cluster.l6fzcv.dax-clusters.us-east-1.amazonaws.com. -
writeRetries
int writeRetries
Number of write retry attempts.
-
-
Class org.apereo.cas.configuration.model.support.dynamodb.DynamoDbServiceRegistryProperties
class DynamoDbServiceRegistryProperties extends AbstractDynamoDbProperties implements Serializable- serialVersionUID:
- 809653348774854955L
-
Serialized Fields
-
tableName
String tableName
The table name used and created by CAS to hold service definitions in DynamoDb.
-
-
Class org.apereo.cas.configuration.model.support.dynamodb.DynamoDbTicketRegistryProperties
class DynamoDbTicketRegistryProperties extends AbstractDynamoDbProperties implements Serializable- serialVersionUID:
- 699497009058965681L
-
Serialized Fields
-
crypto
EncryptionRandomizedSigningJwtCryptographyProperties crypto
Crypto settings for the registry. -
proxyGrantingTicketsTableName
String proxyGrantingTicketsTableName
The table name used and created by CAS to hold proxy ticket granting tickets in DynamoDb. -
proxyTicketsTableName
String proxyTicketsTableName
The table name used and created by CAS to hold proxy tickets in DynamoDb. -
serviceTicketsTableName
String serviceTicketsTableName
The table name used and created by CAS to hold service tickets in DynamoDb. -
ticketGrantingTicketsTableName
String ticketGrantingTicketsTableName
The table name used and created by CAS to hold ticket granting tickets in DynamoDb. -
transientSessionTicketsTableName
String transientSessionTicketsTableName
The table name used and created by CAS to hold transient session tickets in DynamoDb.
-
-
Class org.apereo.cas.configuration.model.support.dynamodb.DynamoDbTrustedDevicesMultifactorProperties
class DynamoDbTrustedDevicesMultifactorProperties extends AbstractDynamoDbProperties implements Serializable- serialVersionUID:
- 102540148774854955L
-
Serialized Fields
-
tableName
String tableName
The table name used and created by CAS to hold mfa trust definitions in DynamoDb.
-
-
-
Package org.apereo.cas.configuration.model.support.email
-
Class org.apereo.cas.configuration.model.support.email.EmailProperties
class EmailProperties extends Object implements Serializable- serialVersionUID:
- 7367120636536230761L
-
Serialized Fields
-
attributeName
List<String> attributeName
Principal attribute names that indicate the destination email address for this message. The attributes must already be resolved and available to the CAS principal. When multiple attributes are specified, each attribute is then examined against the available CAS principal to locate the email address value, which may result in multiple emails being sent. -
bcc
List<String> bcc
Email BCC address, if any. -
cc
List<String> cc
Email CC address, if any. -
from
String from
Email from address. -
html
boolean html
Indicate whether the message body should be evaluated as HTML text. -
priority
int priority
Set the priority (X-Priority header) of the message. Values: 1 (Highest), 2 (High), 3 (Normal), 4 (Low), 5 (Lowest). -
replyTo
String replyTo
Email Reply-To address, if any. -
subject
String subject
Email subject line. The subject can either be defined verbatim, or it may point to a message key in the language bundle using the syntax #{subject-language-key}. This key should point to a valid message defined in the appropriate language bundle that is then picked up via the active locale. In cases where the language code cannot resolve the real subject, a default subject value would be used. -
text
String text
Email message body. Could be plain text or a reference to an external file that would serve as a template. If specified as a path to an external file with a .gtemplate extension, then the email message body would be processed using the Groovy template engine. The template engine uses JSP style <% %> script and <%= %> expression syntax or GString style expressions. The variable out is bound to the writer that the template is being written to. If using plain text, the contents are processed for string substitution candidates using named variables. For example, you may refer to an expected url variable in the email text via ${url}, or use ${token} to locate the token variable. In certain cases, additional parameters are passed to the email body processor that might include authentication and/or principal attributes, the available locale, client http information, etc. -
validateAddresses
boolean validateAddresses
Set whether to validate all addresses which get passed to this helper.
-
-
-
Package org.apereo.cas.configuration.model.support.firebase
-
Class org.apereo.cas.configuration.model.support.firebase.GoogleFirebaseCloudMessagingProperties
class GoogleFirebaseCloudMessagingProperties extends Object implements Serializable- serialVersionUID:
- -5679682641899738092L
-
Serialized Fields
-
databaseUrl
String databaseUrl
Firebase database url. -
registrationTokenAttributeName
String registrationTokenAttributeName
The principal attribute name that contains the registration token for the user. Registration tokens that are provided by clients during the handshake process should be stored on the server, and made available to CAS as a principal attribute. -
scopes
List<String> scopes
Required scopes to properly communicate with the firebase cloud. -
serviceAccountKey
SpringResourceProperties serviceAccountKey
Path to the service account key JSON file. This is optional if you set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the file path of the JSON file that contains your service account key. If that variable is undefined, the property value will be used instead.
-
-
-
Package org.apereo.cas.configuration.model.support.gcp
-
Class org.apereo.cas.configuration.model.support.gcp.GoogleCloudFirestoreServiceRegistryProperties
class GoogleCloudFirestoreServiceRegistryProperties extends Object implements Serializable- serialVersionUID:
- 5641690796988322918L
-
Serialized Fields
-
collection
String collection
Database collection name to store and fetch registered service definitions.
-
-
Class org.apereo.cas.configuration.model.support.gcp.GoogleCloudFirestoreTicketRegistryProperties
class GoogleCloudFirestoreTicketRegistryProperties extends Object implements Serializable- serialVersionUID:
- 8243690796900322918L
-
Serialized Fields
-
crypto
EncryptionRandomizedSigningJwtCryptographyProperties crypto
Crypto settings for the registry.
-
-
-
Package org.apereo.cas.configuration.model.support.generic
-
Class org.apereo.cas.configuration.model.support.generic.AcceptAuthenticationProperties
class AcceptAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 2448007503183227617L
-
Serialized Fields
-
credentialCriteria
String credentialCriteria
A number of authentication handlers are allowed to determine whether they can operate on the provided credential and as such lend themselves to be tried and tested during the authentication handler selection phase. The credential criteria may be one of the following options:
- 1) A regular expression pattern that is tested against the credential identifier.
- 2) A fully qualified class name of your own design that implements Predicate.
- 3) Path to an external Groovy script that implements the same interface.
-
enabled
boolean enabled
Indicates whether the authentication strategy is enabled. The strategy may also be disabled explicitly if AcceptAuthenticationProperties.users is left blank. -
name
String name
Name of the authentication handler. -
order
int order
Order of the authentication handler in the chain. -
passwordEncoder
PasswordEncoderProperties passwordEncoder
Password encoder settings for the authentication handler. -
passwordPolicy
PasswordPolicyProperties passwordPolicy
Password policy settings. -
principalTransformation
PrincipalTransformationProperties principalTransformation
Principal transformation properties. -
state
AuthenticationHandlerStates state
Define the scope and state of this authentication handler and the lifecycle in which it can be invoked or activated. -
users
String users
Accepted users for authentication, in the syntax of uid::password.
-
-
Class org.apereo.cas.configuration.model.support.generic.FileAuthenticationProperties
class FileAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 4031366217090049241L
-
Serialized Fields
-
name
String name
Authentication handler name used to verify credentials in the file. -
passwordEncoder
PasswordEncoderProperties passwordEncoder
Password encoder properties. -
principalTransformation
PrincipalTransformationProperties principalTransformation
Principal transformation settings for this authentication. -
separator
String separator
Separator character that distinguishes between usernames and passwords in the file.
-
-
Class org.apereo.cas.configuration.model.support.generic.GroovyAuthenticationProperties
class GroovyAuthenticationProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 2179027841236526083L
-
Serialized Fields
-
name
String name
Authentication handler name used to verify credentials in the file. -
order
Integer order
Order of the authentication handler in the chain. -
state
AuthenticationHandlerStates state
Define the scope and state of this authentication handler and the lifecycle in which it can be invoked or activated.
-
-
Class org.apereo.cas.configuration.model.support.generic.JsonResourceAuthenticationProperties
class JsonResourceAuthenticationProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 1079027841236526083L
-
Serialized Fields
-
name
String name
Authentication handler name used to verify credentials in the file. -
passwordEncoder
PasswordEncoderProperties passwordEncoder
Password encoder properties. -
passwordPolicy
PasswordPolicyProperties passwordPolicy
Password policy settings. -
principalTransformation
PrincipalTransformationProperties principalTransformation
Principal transformation settings for this authentication. -
state
AuthenticationHandlerStates state
Define the scope and state of this authentication handler and the lifecycle in which it can be invoked or activated.
-
-
Class org.apereo.cas.configuration.model.support.generic.RejectAuthenticationProperties
class RejectAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- -3228601837221178711L
-
Serialized Fields
-
name
String name
Name of the authentication handler. -
passwordEncoder
PasswordEncoderProperties passwordEncoder
Password encoder properties. -
principalTransformation
PrincipalTransformationProperties principalTransformation
Principal transformation properties. -
users
String users
Comma-separated list of users to reject for authentication.
-
-
Class org.apereo.cas.configuration.model.support.generic.RemoteAuthenticationProperties
class RemoteAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 573409035023089696L
-
Serialized Fields
-
cookie
RemoteAuthenticationProperties.RemoteCookie cookie
Remote cookie authentication settings. -
ipAddressRange
String ipAddressRange
The authorized network address to allow for authentication. This approach allows for transparent authentication achieved within a large corporate network without the need to manage certificates, etc. -
name
String name
The name of the authentication handler. -
order
Integer order
Order of the authentication handler in the chain.
-
-
Class org.apereo.cas.configuration.model.support.generic.RemoteAuthenticationProperties.RemoteCookie
class RemoteCookie extends Object implements Serializable- serialVersionUID:
- 1727479242798310605L
-
Serialized Fields
-
cookieName
String cookieName
The name of the remote cookie that is passed onto CAS, usually set by a trusted third party. The cookie, when verified and decrypted, must indicate the trusted remote principal id that CAS should use for authentication. -
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Crypto settings that determine how the cookie should be signed and encrypted.
-
-
-
Package org.apereo.cas.configuration.model.support.geo
-
Class org.apereo.cas.configuration.model.support.geo.BaseGeoLocationProperties
class BaseGeoLocationProperties extends Object implements Serializable- serialVersionUID:
- 4548572400079087989L
-
Class org.apereo.cas.configuration.model.support.geo.GeoLocationProperties
class GeoLocationProperties extends Object implements Serializable- serialVersionUID:
- 7529478582792969209L
-
Serialized Fields
-
azure
AzureMapsProperties azure
Azure Maps GeoLocation settings. -
googleMaps
GoogleMapsProperties googleMaps
Google Maps settings. -
groovy
SpringResourceProperties groovy
Groovy settings. -
ipGeoLocation
IPGeoLocationProperties ipGeoLocation
IP GeoLocation settings. -
maxmind
MaxmindProperties maxmind
MaxMind settings.
-
-
-
Package org.apereo.cas.configuration.model.support.geo.azure
-
Class org.apereo.cas.configuration.model.support.geo.azure.AzureMapsProperties
class AzureMapsProperties extends BaseGeoLocationProperties implements Serializable- serialVersionUID:
- 1665553818744933462L
-
-
Package org.apereo.cas.configuration.model.support.geo.googlemaps
-
Class org.apereo.cas.configuration.model.support.geo.googlemaps.GoogleMapsProperties
class GoogleMapsProperties extends BaseGeoLocationProperties implements Serializable- serialVersionUID:
- 4661113818711911462L
-
Serialized Fields
-
apiKey
String apiKey
Authenticate into google maps via an API key. -
clientId
String clientId
Authenticate into google maps via a client id. -
clientSecret
String clientSecret
Authenticate into google maps via a client secret. -
connectTimeout
String connectTimeout
The connection timeout when reaching out to google maps. -
googleAppsEngine
boolean googleAppsEngine
When true, uses a strategy for handling URL requests that relies on Google App Engine's URL Fetch API.
-
-
-
Package org.apereo.cas.configuration.model.support.geo.ip
-
Class org.apereo.cas.configuration.model.support.geo.ip.IPGeoLocationProperties
class IPGeoLocationProperties extends BaseGeoLocationProperties implements Serializable- serialVersionUID:
- 1883029275219817797L
-
Serialized Fields
-
apiKey
String apiKey
API key required for this integration.
-
-
-
Package org.apereo.cas.configuration.model.support.geo.maxmind
-
Class org.apereo.cas.configuration.model.support.geo.maxmind.MaxmindProperties
class MaxmindProperties extends BaseGeoLocationProperties implements Serializable- serialVersionUID:
- 7883029275219817797L
-
Serialized Fields
-
accountId
int accountId
Geolocating an IP address using Maxmind web services will need your MaxMind account ID and license key. A zero or negative value will deactivate the web services integration. -
licenseKey
String licenseKey
Geolocating an IP address using Maxmind web services will need your MaxMind account ID and license key. A blank, undefined value will deactivate the web services integration.
-
-
-
Package org.apereo.cas.configuration.model.support.git.services
-
Class org.apereo.cas.configuration.model.support.git.services.BaseGitProperties
class BaseGitProperties extends Object implements Serializable- serialVersionUID:
- 4194689836396653458L
-
Serialized Fields
-
activeBranch
String activeBranch
The branch to checkout and activate, defaults to master. -
branchesToClone
String branchesToClone
If the repository is to be cloned, this will allow a select list of branches to be fetched. List the branch names separated by commas or use * to clone all branches. Defaults to all branches. -
clearExistingIdentities
boolean clearExistingIdentities
When establishing an ssh session, determine if default identities loaded on the machine should be excluded/removed and identity should only be limited to those loaded from given keys. -
cloneDirectory
SpringResourceProperties cloneDirectory
Directory into which the repository would be cloned. -
httpClientType
BaseGitProperties.HttpClientTypes httpClientType
Implementation of HTTP client to use when doing git operations via http/https. The jgit library sets the connection factory statically (globally) so this property should be set to the same value for all git repositories (services, saml, etc). Not doing so might result in one connection factory being used for clone and another for subsequent fetches. -
password
String password
Password used to access or push to the repository. -
privateKey
SpringResourceProperties privateKey
Path to the SSH private key identity. Must be a resource that can resolve to an absolute file on disk, because the Jsch library needs a String path. A classpath resource works only if the file is on disk rather than inside an archive. -
privateKeyPassphrase
String privateKeyPassphrase
Password for the SSH private key. -
pushChanges
boolean pushChanges
Decide whether changes should be pushed back into the remote repository. -
rebase
boolean rebase
Whether to rebase on pulls. -
repositoryUrl
String repositoryUrl
The address of the git repository. Could be a URL or a file-system path. -
signCommits
boolean signCommits
Whether commits should be signed. -
sshSessionPassword
String sshSessionPassword
As with using SSH with public keys, an SSH session with ssh://[email protected]/repo.git must be specified to use password-secured SSH connections. -
strictHostKeyChecking
boolean strictHostKeyChecking
Whether or not to turn on strict host key checking. true will be "yes", false will be "no"; "ask" is not supported. -
timeout
String timeout
Timeout for git operations such as push and pull in seconds. -
username
String username
Username used to access or push to the repository.
-
-
Class org.apereo.cas.configuration.model.support.git.services.GitServiceRegistryProperties
class GitServiceRegistryProperties extends BaseGitProperties implements Serializable- serialVersionUID:
- 4194689836396653458L
-
Serialized Fields
-
groupByType
boolean groupByType
Determine whether service definitions in the git repository should be located/stored in groups and separate folder structures based on the service type. -
rootDirectory
String rootDirectory
Root directory in the git repository structure to track service definition files. This is most useful if the git repository is also tasked with other types of files and configurations; a separate root directory for service definitions provides a clean separation between service files and everything else. This setting may work in concert with GitServiceRegistryProperties.isGroupByType(). If left blank, the root folder of the git repository itself is used as the root directory for service definitions.
-
-
-
Package org.apereo.cas.configuration.model.support.gua
-
Class org.apereo.cas.configuration.model.support.gua.GraphicalUserAuthenticationProperties
class GraphicalUserAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 7527953699378415460L
-
Serialized Fields
-
ldap
LdapGraphicalUserAuthenticationProperties ldap
Locate GUA settings and images from LDAP. -
simple
Map<String, String> simple
Locate GUA settings and images from a static image per user. This is treated as a Map where the key is the user id and the value should be the graphical resource.
-
-
Class org.apereo.cas.configuration.model.support.gua.LdapGraphicalUserAuthenticationProperties
class LdapGraphicalUserAuthenticationProperties extends AbstractLdapSearchProperties implements Serializable- serialVersionUID:
- 4666838063728336692L
-
Serialized Fields
-
imageAttribute
String imageAttribute
Entry attribute that holds the user image.
-
-
-
Package org.apereo.cas.configuration.model.support.hazelcast
-
Class org.apereo.cas.configuration.model.support.hazelcast.BaseHazelcastProperties
class BaseHazelcastProperties extends Object implements Serializable- serialVersionUID:
- 4204884717547468480L
-
Serialized Fields
-
cluster
HazelcastClusterProperties cluster
Hazelcast cluster settings if CAS is able to auto-create caches. -
core
HazelcastCoreProperties core
Core configuration settings for hazelcast.
-
-
Class org.apereo.cas.configuration.model.support.hazelcast.HazelcastClusterMulticastProperties
class HazelcastClusterMulticastProperties extends Object implements Serializable- serialVersionUID:
- 1827784607045775145L
-
Serialized Fields
-
enabled
boolean enabled
Enables a multicast configuration using a group address and port. Contains the configuration for the multicast discovery mechanism. With the multicast discovery mechanism Hazelcast allows Hazelcast members to find each other using multicast. So Hazelcast members do not need to know concrete addresses of members, they just multicast to everyone listening. It depends on your environment if multicast is possible or allowed; otherwise you need to have a look at the tcp/ip cluster -
group
String group
The multicast group address used for discovery. With the multicast auto-discovery mechanism, Hazelcast allows cluster members to find each other using multicast communication. The cluster members do not need to know the concrete addresses of the other members, as they just multicast to all the other members for listening. Whether multicast is possible or allowed depends on your environment. -
port
int port
The multicast port used for discovery. -
timeout
int timeout
Specifies the time in seconds that a member should wait for a valid multicast response from another member running in the network before declaring itself the leader member (the first member joined to the cluster) and creating its own cluster. This only applies to the startup of members where no leader has been assigned yet. If you specify a high value, such as 60 seconds, it means that until a leader is selected, each member will wait 60 seconds before moving on. Be careful when providing a high value. Also, be careful not to set the value too low, or the members might give up too early and create their own cluster. -
timeToLive
int timeToLive
The time to live for the multicast packet in seconds. This is the default time-to-live for multicast packets sent out on the socket. -
trustedInterfaces
String trustedInterfaces
Multicast trusted interfaces for discovery. With the multicast auto-discovery mechanism, Hazelcast allows cluster members to find each other using multicast communication. The cluster members do not need to know the concrete addresses of the other members, as they just multicast to all the other members for listening. Whether multicast is possible or allowed depends on your environment.
-
-
Class org.apereo.cas.configuration.model.support.hazelcast.HazelcastClusterProperties
class HazelcastClusterProperties extends Object implements Serializable- serialVersionUID:
- 1817784607045775145L
-
Serialized Fields
-
core
HazelcastCoreClusterProperties core
Hazelcast core cluster settings. -
discovery
HazelcastDiscoveryProperties discovery
Describe discovery strategies for Hazelcast. -
network
HazelcastNetworkClusterProperties network
Hazelcast network cluster settings. -
wanReplication
HazelcastWANReplicationProperties wanReplication
WAN replication settings.
-
-
Class org.apereo.cas.configuration.model.support.hazelcast.HazelcastCoreClusterProperties
class HazelcastCoreClusterProperties extends Object implements Serializable- serialVersionUID:
- -8374968308106013185L
-
Serialized Fields
-
asyncBackupCount
int asyncBackupCount
Hazelcast supports both synchronous and asynchronous backups. By default, backup operations are synchronous. In this case, backup operations block operations until backups are successfully copied to backup members (or deleted from backup members in case of remove) and acknowledgements are received. Therefore, backups are updated before a put operation is completed, provided that the cluster is stable. Asynchronous backups, on the other hand, do not block operations. They are fire and forget and do not require acknowledgements; the backup operations are performed at some point in time. -
asyncFillup
boolean asyncFillup
Used when replication is turned on with HazelcastCoreClusterProperties.isReplicated(). If a new member joins the cluster, there are two ways you can handle the initial provisioning that is executed to replicate all existing values to the new member. Each involves how you configure the async fill up.
- First, you can configure async fill up to true, which does not block reads while the fill up operation is underway. That way, you have immediate access on the new member, but it will take time until all the values are eventually accessible. Not yet replicated values are returned as non-existing (null).
- Second, you can configure for a synchronous initial fill up (by configuring the async fill up to false), which blocks every read or write access to the map until the fill up operation is finished. Use this with caution since it might block your application from operating.
-
backupCount
int backupCount
To provide data safety, Hazelcast allows you to specify the number of backup copies you want to have. That way, data on a cluster member will be copied onto other member(s). To create synchronous backups, select the number of backup copies. When this count is 1, a map entry will have its backup on one other member in the cluster. If you set it to 2, then a map entry will have its backup on two other members. You can set it to 0 if you do not want your entries to be backed up, e.g., if performance is more important than backing up. The maximum value for the backup count is 6. Sync backup operations have a blocking cost which may lead to latency issues. -
cpMemberCount
int cpMemberCount
CP Subsystem is a component of a Hazelcast cluster that builds a strongly consistent layer for a set of distributed data structures. Its data structures are CP with respect to the CAP principle, i.e., they always maintain linearizability and prefer consistency over availability during network partitions. Besides network partitions, CP Subsystem withstands server and client failures. Not all members of a Hazelcast cluster necessarily take part in CP Subsystem; the number of Hazelcast members that take part in CP Subsystem is specified here. CP Subsystem must have at least 3 CP members. -
evictionPolicy
String evictionPolicy
Hazelcast supports policy-based eviction for distributed maps. Currently supported policies are LRU (Least Recently Used), LFU (Least Frequently Used) and NONE. -
instanceName
String instanceName
The instance name. -
loggingType
String loggingType
Hazelcast has a flexible logging configuration and doesn't depend on any logging framework except JDK logging. It has built-in adaptors for a number of logging frameworks and also supports custom loggers by providing logging interfaces. To use the built-in adaptors, set this setting to one of the predefined types below.
- jdk: JDK logging
- log4j: Log4j
- slf4j: Slf4j
- none: Disable logging
-
mapMergePolicy
String mapMergePolicy
Define how data items in Hazelcast maps are merged together from source to destination. By default, map entries are merged from source to destination if they don't exist in the destination map. Accepted values are:
- PUT_IF_ABSENT: Merges data structure entries from source to destination if they don't exist in the destination data structure.
- HIGHER_HITS: Merges data structure entries from source to destination data structure if the source entry has more hits than the destination one.
- DISCARD: Merges only entries from the destination data structure and discards all entries from the source data structure.
- PASS_THROUGH: Merges data structure entries from source to destination directly unless the merging entry is null.
- EXPIRATION_TIME: Merges data structure entries from source to destination data structure if the source entry will expire later than the destination entry. This policy can only be used if the clocks of the nodes are in sync.
- LATEST_UPDATE: Merges data structure entries from source to destination data structure if the source entry was updated more frequently than the destination entry. This policy can only be used if the clocks of the nodes are in sync.
- LATEST_ACCESS: Merges data structure entries from source to destination data structure if the source entry has been accessed more recently than the destination entry. This policy can only be used if the clocks of the nodes are in sync.
-
maxNoHeartbeatSeconds
int maxNoHeartbeatSeconds
Max timeout of heartbeat in seconds for a node to assume it is dead. -
maxSize
int maxSize
Sets the maximum size of the map. -
maxSizePolicy
String maxSizePolicy
Accepted values are:
- FREE_HEAP_PERCENTAGE: Policy based on minimum free JVM heap memory percentage per JVM.
- FREE_HEAP_SIZE: Policy based on minimum free JVM heap memory in megabytes per JVM.
- FREE_NATIVE_MEMORY_PERCENTAGE: Policy based on minimum free native memory percentage per Hazelcast instance.
- FREE_NATIVE_MEMORY_SIZE: Policy based on minimum free native memory in megabytes per Hazelcast instance.
- PER_NODE: Policy based on maximum number of entries stored per data structure (map, cache etc) on each Hazelcast instance.
- PER_PARTITION: Policy based on maximum number of entries stored per data structure (map, cache etc) on each partition.
- USED_HEAP_PERCENTAGE: Policy based on maximum used JVM heap memory percentage per data structure (map, cache etc) on each Hazelcast instance.
- USED_HEAP_SIZE: Policy based on maximum used JVM heap memory in megabytes per data structure (map, cache etc) on each Hazelcast instance.
- USED_NATIVE_MEMORY_PERCENTAGE: Policy based on maximum used native memory percentage per data structure (map, cache etc) on each Hazelcast instance.
- USED_NATIVE_MEMORY_SIZE: Policy based on maximum used native memory in megabytes per data structure (map, cache etc) on each Hazelcast instance.
-
partitionMemberGroupType
String partitionMemberGroupType
With PartitionGroupConfig, you can control how primary and backup partitions are mapped to physical members. Hazelcast will always place partitions on different partition groups so as to provide redundancy. Accepted values are: PER_MEMBER, HOST_AWARE, CUSTOM, ZONE_AWARE, SPI. In all cases a partition will never be created on the same group. If there are more partitions defined than there are partition groups, then only those partitions, up to the number of partition groups, will be created. For example, if you define 2 backups, then with the primary, that makes 3. If you have only two partition groups, only two will be created.
- PER_MEMBER Partition Groups: This is the default partition scheme and is used if no other scheme is defined. Each member is in a group of its own.
- HOST_AWARE Partition Groups: In this scheme, a group corresponds to a host, based on its IP address. Partitions will not be written to any other members on the same host. This scheme provides good redundancy when multiple instances are being run on the same host.
- CUSTOM Partition Groups: In this scheme, IP addresses, or IP address ranges, are allocated to groups. Partitions are not written to the same group. This is very useful for ensuring partitions are written to different racks or even availability zones.
- ZONE_AWARE Partition Groups: In this scheme, groups are allocated according to the metadata provided by the Discovery SPI. Partitions are not written to the same group. This is very useful for ensuring partitions are written to availability zones or different racks without providing the IP addresses in the config ahead of time.
- SPI Partition Groups: In this scheme, groups are allocated according to the implementation provided by the Discovery SPI.
-
replicated
boolean replicated
A Replicated Map is a distributed key-value data structure where the data is replicated to all members in the cluster. It provides full replication of entries to all members for high speed access. A Replicated Map does not partition data (it does not spread data to different cluster members); instead, it replicates the data to all members. Replication leads to higher memory consumption. However, a Replicated Map has faster read and write access since the data is available on all members. Writes could take place on local/remote members in order to provide write-order, eventually being replicated to all other members.
If you have a large cluster or very high occurrences of updates, the Replicated Map may not scale linearly as expected since it has to replicate update operations to all members in the cluster. Since the replication of updates is performed in an asynchronous manner, Hazelcast recommends you enable back pressure in case your system has high occurrences of updates.
Note that Replicated Map does not guarantee eventual consistency because there are some edge cases that fail to provide consistency.
Replicated Map uses the internal partition system of Hazelcast in order to serialize updates happening on the same key at the same time. This happens by sending updates of the same key to the same Hazelcast member in the cluster.
Due to the asynchronous nature of replication, a Hazelcast member could die before successfully replicating a "write" operation to other members after sending the "write completed" response to its caller during the write process. In this scenario, Hazelcast’s internal partition system promotes one of the replicas of the partition as the primary one. The new primary partition does not have the latest "write" since the dead member could not successfully replicate the update.
-
timeout
int timeout
Connection timeout in seconds for the TCP/IP config and members joining the cluster.
-
-
Class org.apereo.cas.configuration.model.support.hazelcast.HazelcastCoreProperties
class HazelcastCoreProperties extends Object implements Serializable- serialVersionUID:
- 5935324429402972680L
-
Serialized Fields
-
enableCompression
boolean enableCompression
Enables compression when default java serialization is used. -
enableJet
boolean enableJet
Enable Jet configuration/service on the hazelcast instance. Hazelcast Jet is a distributed batch and stream processing system that can do stateful computations over massive amounts of data with consistent low latency. Jet service is required when executing SQL queries with the SQL service. -
enableManagementCenterScripting
boolean enableManagementCenterScripting
Enables scripting from Management Center. -
licenseKey
String licenseKey
Hazelcast enterprise license key.
-
-
Class org.apereo.cas.configuration.model.support.hazelcast.HazelcastNetworkClusterProperties
class HazelcastNetworkClusterProperties extends Object implements Serializable- serialVersionUID:
- -8474968308106013185L
-
Serialized Fields
-
ipv4Enabled
boolean ipv4Enabled
IPv6 support has been switched off by default, since some platforms have issues using the IPv6 stack, and some other platforms, such as Amazon AWS, have no support at all. To enable IPv6 support, set this setting to false. -
localAddress
String localAddress
If this property is set, then this is the address where the server socket is bound to. -
members
List<String> members
Sets the well known members. If members is empty, calling this method will have the same effect as calling clear(). A member can be a comma separated string, e.g. 10.11.12.1,10.11.12.2, which indicates multiple members are going to be added. The list of members must include ALL CAS server nodes, including the current node that owns this configuration. -
networkInterfaces
String networkInterfaces
You can specify which network interfaces Hazelcast should use. Servers mostly have more than one network interface, so you may want to list the valid IPs. Range characters ('*' and '-') can be used for simplicity. For instance, 10.3.10.* refers to IPs between 10.3.10.0 and 10.3.10.255. Interface 10.3.10.4-18 refers to IPs between 10.3.10.4 and 10.3.10.18 (4 and 18 included). If network interface configuration is enabled (it is disabled by default) and Hazelcast cannot find a matching interface, then it will print a message on the console and will not start on that node. Interfaces can be separated by a comma.
-
outboundPorts
List<String> outboundPorts
The outbound ports for the Hazelcast configuration. -
port
int port
You can specify the ports which Hazelcast will use to communicate between cluster members. The name of the parameter for this is port and its default value is 5701. By default, Hazelcast will try 100 ports to bind. Meaning that, if you set the value of port as 5701, as members are joining to the cluster, Hazelcast tries to find ports between 5701 and 5801. -
portAutoIncrement
boolean portAutoIncrement
You may also want to choose to use only one port. In that case, you can disable the auto-increment feature of port. -
publicAddress
String publicAddress
The default public address to be advertised to other cluster members and clients. -
ssl
HazelcastNetworkSslProperties ssl
You can use the SSL (Secure Sockets Layer) protocol to establish an encrypted communication across your Hazelcast cluster with key stores and trust stores. -
tcpipEnabled
boolean tcpipEnabled
Enable TCP/IP config. Contains the configuration for the TCP/IP join mechanism. The TCP/IP join mechanism relies on one or more well known members. So when a new member wants to join a cluster, it will try to connect to one of the well known members. If it is able to connect, it will then know about all members in the cluster and doesn't rely on these well known members anymore.
-
-
Class org.apereo.cas.configuration.model.support.hazelcast.HazelcastNetworkSslProperties
class HazelcastNetworkSslProperties extends Object implements Serializable- serialVersionUID:
- -2444780336835699053L
-
Serialized Fields
-
cipherSuites
String cipherSuites
Comma-separated list of cipher suite names allowed to be used. Its default value is all supported suites in your Java runtime. -
keyManagerAlgorithm
String keyManagerAlgorithm
Name of the algorithm based on which the authentication keys are provided. -
keystore
String keystore
Path of your keystore file. Only needed when the mutual authentication is used. -
keystorePassword
String keystorePassword
Password to access the key from your keystore file. Only needed when the mutual authentication is used. -
keyStoreType
String keyStoreType
Type of the keystore. Its default value is JKS. Another commonly used type is PKCS12. Available keystore/truststore types depend on your operating system and the Java runtime. Only needed when mutual authentication is used. -
mutualAuthentication
String mutualAuthentication
Mutual authentication configuration. It's empty by default, which means the client side of the connection is not authenticated. Available values are:
- REQUIRED: server forces usage of a trusted client certificate
- OPTIONAL: server asks for a client certificate, but it doesn't require it
-
protocol
String protocol
Name of the algorithm which is used in your TLS/SSL. For the protocol property, we recommend you to provide TLS with its version information, e.g., TLSv1.2. Note that if you write only TLS, your application chooses the TLS version according to your Java version. -
trustManagerAlgorithm
String trustManagerAlgorithm
Name of the algorithm based on which the trust managers are provided. -
trustStore
String trustStore
Path of your truststore file. The file truststore is a keystore file that contains a collection of certificates trusted by your application. -
trustStorePassword
String trustStorePassword
Password to unlock the truststore file. -
trustStoreType
String trustStoreType
Type of the truststore. Its default value is JKS. Another commonly used type is PKCS12. Available keystore/truststore types depend on your operating system and the Java runtime. -
validateIdentity
boolean validateIdentity
Flag which allows enabling endpoint identity validation. It means, during the TLS handshake client verifies if the server’s hostname (or IP address) matches the information in X.509 certificate (Subject Alternative Name extension).
-
-
Class org.apereo.cas.configuration.model.support.hazelcast.HazelcastTicketRegistryProperties
class HazelcastTicketRegistryProperties extends BaseHazelcastProperties implements Serializable- serialVersionUID:
- -1095208036374406772L
-
Serialized Fields
-
crypto
EncryptionRandomizedSigningJwtCryptographyProperties crypto
Crypto settings for the registry. -
pageSize
long pageSize
Page size is used by a special Predicate which helps to get a page-by-page result of a query.
-
-
Class org.apereo.cas.configuration.model.support.hazelcast.HazelcastWANReplicationProperties
class HazelcastWANReplicationProperties extends Object implements Serializable- serialVersionUID:
- 1726420607045775145L
-
Serialized Fields
-
enabled
boolean enabled
Whether WAN should be enabled. -
replicationName
String replicationName
Name of this replication group. -
targets
List<HazelcastWANReplicationTargetClusterProperties> targets
List of target clusters to be used for synchronization and replication.
-
-
Class org.apereo.cas.configuration.model.support.hazelcast.HazelcastWANReplicationTargetClusterProperties
class HazelcastWANReplicationTargetClusterProperties extends Object implements Serializable- serialVersionUID:
- 1635330607045885145L
-
Serialized Fields
-
acknowledgeType
String acknowledgeType
Accepted values are:
- ACK_ON_RECEIPT: ACK after the WAN operation is received by the target cluster (without waiting for the result of the actual operation invocation).
- ACK_ON_OPERATION_COMPLETE: Wait till the operation is complete on the target cluster.
-
batchMaximumDelayMilliseconds
int batchMaximumDelayMilliseconds
Maximum amount of time, in milliseconds, to be waited before sending a batch of events in case batch.size is not reached. -
batchSize
int batchSize
Maximum size of events that are sent to the target cluster in a single batch. -
clusterName
String clusterName
Sets the cluster name used as an endpoint group password for authentication on the target endpoint. If there is no separate publisher ID property defined, this cluster name will also be used as a WAN publisher ID. This ID is then used for identifying the publisher. -
consistencyCheckStrategy
String consistencyCheckStrategy
Strategy for checking the consistency of data between replicas. -
endpoints
String endpoints
Comma separated list of endpoints in this replication group. IP addresses and ports of the cluster members for which the WAN replication is implemented. These endpoints are not necessarily the entire target cluster and WAN does not perform the discovery of other members in the target cluster. It only expects that these IP addresses (or at least some of them) are available. -
executorThreadCount
int executorThreadCount
The number of threads that the replication executor will have. The executor is used to send WAN events to the endpoints and ideally you want to have one thread per endpoint. If this property is omitted and you have specified the endpoints property, this will be the case. If necessary you can manually define the number of threads that the executor will use. Once the executor has been initialized there is thread affinity between the discovered endpoints and the executor threads - all events for a single endpoint will go through a single executor thread, preserving event order. It is important to determine which number of executor threads is a good value. Failure to do so can lead to performance issues - either contention on a too small number of threads or wasted threads that will not be performing any work. -
properties
Map<String, Comparable> properties
The WAN publisher properties. -
publisherClassName
String publisherClassName
Publisher class name for WAN replication. -
publisherId
String publisherId
Returns the publisher ID used for identifying the publisher. -
queueCapacity
int queueCapacity
For huge clusters or high data mutation rates, you might need to increase the replication queue size. The default queue size for replication queues is 10,000. This means, if you have heavy put/update/remove rates, you might exceed the queue size so that the oldest, not yet replicated, updates might get lost. -
queueFullBehavior
String queueFullBehavior
Accepted values are:
- THROW_EXCEPTION: Instruct the WAN replication implementation to throw an exception and not allow further processing.
- DISCARD_AFTER_MUTATION: Instruct the WAN replication implementation to drop new events when WAN event queues are full.
- THROW_EXCEPTION_ONLY_IF_REPLICATION_ACTIVE: Similar to THROW_EXCEPTION but only throws an exception when WAN replication is active. Discards the new events if WAN replication is stopped.
-
responseTimeoutMilliseconds
int responseTimeoutMilliseconds
Time, in milliseconds, to be waited for the acknowledgment of a sent WAN event to target cluster. -
snapshotEnabled
boolean snapshotEnabled
When set to true, only the latest events (based on key) are selected and sent in a batch.
-
-
-
Package org.apereo.cas.configuration.model.support.hazelcast.discovery
-
Class org.apereo.cas.configuration.model.support.hazelcast.discovery.HazelcastAwsDiscoveryProperties
class HazelcastAwsDiscoveryProperties extends Object implements Serializable- serialVersionUID:
- -8281247687171101766L
-
Serialized Fields
-
accessKey
String accessKey
AWS access key. -
cluster
String cluster
ECS cluster short name or ARN; default is the current cluster. -
connectionTimeoutSeconds
int connectionTimeoutSeconds
The maximum amount of time Hazelcast will try to connect to a well known member before giving up. Setting this value too low could mean that a member is not able to connect to a cluster. Setting the value too high means that member startup could slow down because of longer timeouts (for example, when a well known member is not up). Increasing this value is recommended if you have many IPs listed and the members cannot properly build up the cluster. Its default value is 5. -
family
String family
Filter to look only for ECS tasks with the given family name; mutually exclusive with HazelcastAwsDiscoveryProperties.getServiceName(). -
hostHeader
String hostHeader
Host header, i.e. ec2.amazonaws.com. The URL that is the entry point for a web service. -
iamRole
String iamRole
If you do not want to use access key and secret key, you can specify iam-role. Hazelcast fetches your credentials by using your IAM role. This setting only affects deployments on Amazon EC2. If you are deploying CAS in an Amazon ECS environment, the role should not be specified. The role is fetched from the task definition that is assigned to run CAS. -
port
int port
Hazelcast port. Typically set to 5701. You can configure searching for ports other than 5701 if you have members on different ports. -
region
String region
AWS region, i.e. us-east-1. The region where your members are running. -
secretKey
String secretKey
AWS secret key. -
securityGroupName
String securityGroupName
If a security group is configured, only instances within that security group are selected. -
serviceName
String serviceName
Filter to look only for ECS tasks from the given service; mutually exclusive with HazelcastAwsDiscoveryProperties.getFamily(). -
tagKey
String tagKey
If a tag key/value is set, only instances with that tag key/value will be selected. -
tagValue
String tagValue
If a tag key/value is set, only instances with that tag key/value will be selected.
-
-
Class org.apereo.cas.configuration.model.support.hazelcast.discovery.HazelcastAzureDiscoveryProperties
class HazelcastAzureDiscoveryProperties extends Object implements Serializable- serialVersionUID:
- 3861923784551442190L
-
Serialized Fields
-
clientId
String clientId
The Azure Active Directory Service Principal client ID. -
clientSecret
String clientSecret
The Azure Active Directory Service Principal client secret. -
clusterId
String clusterId
The name of the tag on the hazelcast vm resources. With every Hazelcast Virtual Machine you deploy in your resource group, you need to ensure that each VM is tagged with the value of cluster-id defined in your Hazelcast configuration. The only requirement is that every VM can access each other either by private or public IP address. -
groupName
String groupName
The Azure resource group name of the cluster. You can find this in the Azure portal or CLI. -
subscriptionId
String subscriptionId
The Azure subscription ID. -
tenantId
String tenantId
The Azure Active Directory tenant ID.
-
-
Class org.apereo.cas.configuration.model.support.hazelcast.discovery.HazelcastDiscoveryProperties
class HazelcastDiscoveryProperties extends Object implements Serializable- serialVersionUID:
- -8281223487171101795L
-
Serialized Fields
-
aws
HazelcastAwsDiscoveryProperties aws
Describe discovery strategy based on AWS. The AWS config contains the configuration for AWS join mechanism. What happens behind the scenes is that data about the running AWS instances in a specific region are downloaded using the accesskey/secretkey and are potential Hazelcast members. There are 2 mechanisms for filtering out AWS instances and these mechanisms can be combined (AND).
- If a security group is configured, only instances within that security group are selected.
- If a tag key/value is set, only instances with that tag key/value will be selected.
-
azure
HazelcastAzureDiscoveryProperties azure
Describe discovery strategy based on Azure. -
dockerSwarm
HazelcastDockerSwarmDiscoveryProperties dockerSwarm
Describe discovery strategy based on docker swarm. -
enabled
boolean enabled
Whether discovery should be enabled via the configured strategies below. -
gcp
HazelcastGoogleCloudPlatformDiscoveryProperties gcp
Describe discovery strategy based on google cloud platform. -
jclouds
HazelcastJCloudsDiscoveryProperties jclouds
Describe discovery strategy based on JClouds. -
kubernetes
HazelcastKubernetesDiscoveryProperties kubernetes
Describe discovery strategy based on Kubernetes. -
multicast
HazelcastClusterMulticastProperties multicast
Multicast discovery settings. -
zookeeper
HazelcastZooKeeperDiscoveryProperties zookeeper
Describe discovery strategy based on Zookeeper.
-
-
Class org.apereo.cas.configuration.model.support.hazelcast.discovery.HazelcastDockerSwarmDiscoveryProperties
class HazelcastDockerSwarmDiscoveryProperties extends Object implements Serializable- serialVersionUID:
- -1409066358752067150L
-
Serialized Fields
-
dnsProvider
HazelcastDockerSwarmDiscoveryProperties.DnsRProvider dnsProvider
Swarm DNSRR network binding. -
memberProvider
HazelcastDockerSwarmDiscoveryProperties.MemberAddressProvider memberProvider
Local network binding.
-
-
Class org.apereo.cas.configuration.model.support.hazelcast.discovery.HazelcastDockerSwarmDiscoveryProperties.DnsRProvider
class DnsRProvider extends Object implements Serializable- serialVersionUID:
- -1863901001243353934L
-
Serialized Fields
-
enabled
boolean enabled
Enable provider. -
peerServices
String peerServices
Comma separated list of docker services and associated ports to be considered peers of this service. Note, this must include itself (the definition of serviceName and servicePort) if the service is to cluster with other instances of this service. -
serviceName
String serviceName
Name of the docker service that this instance is running in. -
servicePort
int servicePort
Internal port that hazelcast is listening on.
-
-
Class org.apereo.cas.configuration.model.support.hazelcast.discovery.HazelcastDockerSwarmDiscoveryProperties.MemberAddressProvider
class MemberAddressProvider extends Object implements Serializable- serialVersionUID:
- -2963901001243353939L
-
Serialized Fields
-
dockerNetworkNames
String dockerNetworkNames
Comma delimited list of Docker network names to discover matching services on. -
dockerServiceLabels
String dockerServiceLabels
Comma delimited list of relevant Docker service label=values to find tasks/containers on the networks. -
dockerServiceNames
String dockerServiceNames
Comma delimited list of relevant Docker service names to find tasks/containers on the networks. -
enabled
boolean enabled
Enable provider. -
hazelcastPeerPort
int hazelcastPeerPort
The raw port that hazelcast is listening on. IMPORTANT: This is NOT a docker "published" port, nor is it necessarily an EXPOSEd port. It is the hazelcast port that the service is configured with; this must be the same for all matched containers in order to work, and just using the default of 5701 is the simplest way to go. -
skipVerifySsl
boolean skipVerifySsl
If the Swarm Manager URI uses SSL, whether to skip certificate verification for it. -
swarmMgrUri
String swarmMgrUri
Swarm Manager URI (overrides DOCKER_HOST).
-
-
Class org.apereo.cas.configuration.model.support.hazelcast.discovery.HazelcastGoogleCloudPlatformDiscoveryProperties
class HazelcastGoogleCloudPlatformDiscoveryProperties extends Object implements Serializable- serialVersionUID:
- 6056456067944569289L
-
Serialized Fields
-
hzPort
String hzPort
A range of ports where the plugin looks for Hazelcast members. -
label
String label
A filter to look only for instances labeled as specified; property format: key=value. -
privateKeyPath
String privateKeyPath
A filesystem path to the private key for GCP service account in the JSON format; if not set, the access token is fetched from the GCP VM instance. -
projects
String projects
A list of projects where the plugin looks for instances; if not set, the current project is used. -
region
String region
A region where the plugin looks for instances; if not set, the HazelcastGoogleCloudPlatformDiscoveryProperties.getZones() property is used; if neither it nor HazelcastGoogleCloudPlatformDiscoveryProperties.getZones() is set, all zones of the current region are used. -
zones
String zones
A list of zones where the plugin looks for instances; if not set, all zones of the current region are used.
-
-
Class org.apereo.cas.configuration.model.support.hazelcast.discovery.HazelcastJCloudsDiscoveryProperties
class HazelcastJCloudsDiscoveryProperties extends Object implements Serializable- serialVersionUID:
- -8281247687171101766L
-
Serialized Fields
-
credential
String credential
Cloud Provider credential, can be thought of as a password for cloud services. -
credentialPath
String credentialPath
Used for cloud providers which require an extra JSON or P12 key file. This denotes the path of that file. Only tested with Google Compute Engine. (Required if Google Compute Engine is used.) -
endpoint
String endpoint
Defines the endpoint for a generic API such as OpenStack or CloudStack (optional). -
group
String group
Filters instance groups (optional). When used with AWS it maps to security group. -
identity
String identity
Cloud Provider identity, can be thought of as a user name for cloud services. -
port
int port
Port which the hazelcast instance service uses on the cluster member. Default value is 5701. (optional) -
provider
String provider
String value that is used to identify the ComputeService provider. For example, "google-compute-engine" is used for Google Cloud services. -
regions
String regions
Defines region for a cloud service (optional). Can be used with comma separated values for multiple values. -
roleName
String roleName
Used for IAM role support specific to AWS (optional, but if defined, no identity or credential should be defined in the configuration). -
tagKeys
String tagKeys
Filters cloud instances with tags (optional). Can be used with comma separated values for multiple values. -
tagValues
String tagValues
Filters cloud instances with tags (optional). Can be used with comma separated values for multiple values. -
zones
String zones
Defines zone for a cloud service (optional). Can be used with comma separated values for multiple values.
-
-
Class org.apereo.cas.configuration.model.support.hazelcast.discovery.HazelcastKubernetesDiscoveryProperties
class HazelcastKubernetesDiscoveryProperties extends Object implements Serializable- serialVersionUID:
- 8590530159392472509L
-
Serialized Fields
-
apiRetries
int apiRetries
Defines the number of retries to Kubernetes API. Defaults to: 3. -
apiToken
String apiToken
Defines an oauth token for the kubernetes client to access the kubernetes REST API. Defaults to reading the token from the auto-injected file at /var/run/secrets/kubernetes.io/serviceaccount/token. -
caCertificate
String caCertificate
CA Authority certificate from Kubernetes Master. Defaults to reading the certificate from the auto-injected file at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt. -
kubernetesMaster
String kubernetesMaster
Defines an alternative address for the kubernetes master. Defaults to https://kubernetes.default.svc -
namespace
String namespace
Defines the namespace of the application POD through the Service Discovery REST API of Kubernetes. -
podLabelName
String podLabelName
Defines the pod label to lookup through the Service Discovery REST API of Kubernetes. -
podLabelValue
String podLabelValue
Defines the pod label value to lookup through the Service Discovery REST API of Kubernetes. -
resolveNotReadyAddresses
boolean resolveNotReadyAddresses
Defines if not ready addresses should be evaluated to be discovered on startup. -
serviceDns
String serviceDns
Defines the DNS service lookup domain. This is defined as something similar to my-svc.my-namespace.svc.cluster.local. -
serviceDnsTimeout
int serviceDnsTimeout
Defines the DNS service lookup timeout in seconds. Defaults to 5 secs. -
serviceLabelName
String serviceLabelName
Defines the service label to lookup through the Service Discovery REST API of Kubernetes. -
serviceLabelValue
String serviceLabelValue
Defines the service label value to lookup through the Service Discovery REST API of Kubernetes. -
serviceName
String serviceName
Defines the service name of the POD to lookup through the Service Discovery REST API of Kubernetes. -
servicePort
int servicePort
If specified with a value greater than 0, its value defines the endpoint port of the service (overriding the default). -
useNodeNameAsExternalAddress
boolean useNodeNameAsExternalAddress
Defines if the node name should be used as external address, instead of looking up the external IP using the /nodes resource. Default is false.
-
-
Class org.apereo.cas.configuration.model.support.hazelcast.discovery.HazelcastZooKeeperDiscoveryProperties
class HazelcastZooKeeperDiscoveryProperties extends Object implements Serializable- serialVersionUID:
- 235372431457637272L
-
Serialized Fields
-
group
String group
Name of this Hazelcast cluster. You can have multiple distinct clusters use the same ZooKeeper installation. -
path
String path
Path in zookeeper to be used for auto-discovery of members where members are tracked. -
url
String url
Zookeeper url address, typically in the format of ip-address:port.
-
-
-
Package org.apereo.cas.configuration.model.support.ignite
-
Class org.apereo.cas.configuration.model.support.ignite.IgniteProperties
class IgniteProperties extends Object implements Serializable- serialVersionUID:
- -5259465262649559156L
-
Serialized Fields
-
ackTimeout
String ackTimeout
Sets timeout for receiving acknowledgement for sent message. If acknowledgement is not received within this timeout, sending is considered as failed and SPI tries to repeat message sending. -
clientMode
boolean clientMode
Start in client mode. If true the local node is started as a client. -
crypto
EncryptionRandomizedSigningJwtCryptographyProperties crypto
Crypto settings for the registry. -
defaultPersistenceEnabled
boolean defaultPersistenceEnabled
Ignite native persistence is a distributed ACID and SQL-compliant disk store that transparently integrates with Ignite's durable memory. Ignite persistence is optional and can be turned on and off. When turned off Ignite becomes a pure in-memory store. With the native persistence enabled, Ignite always stores a superset of data on disk, and as much as it can in RAM based on the capacity of the latter. For example, if there are 100 entries and RAM has the capacity to store only 20, then all 100 will be stored on disk and only 20 will be cached in RAM for better performance. Also, it is worth mentioning that as with a pure in-memory use case, when the persistence is turned on, every individual cluster node persists only a subset of the data, only including partitions for which the node is either primary or backup. Collectively, the whole cluster contains the full data set. -
defaultRegionMaxSize
long defaultRegionMaxSize
By default, Ignite nodes consume up to 20% of the RAM available locally, and in most cases, this is the only parameter you might need to change. Using the below setting allows you to change the default region memory size. -
forceServerMode
boolean forceServerMode
Sets force server mode flag. If true, TcpDiscoverySpi is started in server mode regardless of IgniteConfiguration.isClientMode(). -
igniteAddress
List<String> igniteAddress
Used by TcpDiscoveryVmIpFinder, which is an IP Finder that works only with a pre-configured list of IP addresses specified via this setting. By default, this IP finder is not shared, which means that all grid nodes have to be configured with the same list of IP addresses when this IP finder is used. Parses provided values and initializes the internal collection of addresses. Addresses may be represented as follows:
- IP address (e.g. 127.0.0.1, 9.9.9.9, etc);
- IP address and port (e.g. 127.0.0.1:47500, 9.9.9.9:47501, etc);
- IP address and port range (e.g. 127.0.0.1:47500..47510, 9.9.9.9:47501..47504, etc);
- Hostname (e.g. host1.com, host2, etc);
- Hostname and port (e.g. host1.com:47500, host2:47502, etc);
- Hostname and port range (e.g. host1.com:47500..47510, host2:47502..47508, etc).
For a port range port1..port2:
- port1 < port2 should be true;
- Both port1 and port2 should be greater than 0.
-
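The address formats listed above are easy to get subtly wrong in a config file (a reversed range, a port of 0, a typo in an IP literal), and because this IP finder is not shared, every node must carry the same list. The following parser and validator is an added example, not Ignite's or CAS's own parsing code; it covers the IPv4 and hostname forms the description lists (IPv6 is outside its scope), and the helper names `parse_address` and `expand_addresses` are my own.

```python
"""Parser and validator for the igniteAddress entry formats described above:
host, host:port and host:port1..port2, where host is an IPv4 literal or a
hostname. Added illustration, not Ignite's TcpDiscoveryVmIpFinder code."""
import ipaddress
import re
from typing import List, Optional, Tuple

# host, optionally followed by :port or :port1..port2
_ADDR_RE = re.compile(r"^(?P<host>[^:\s]+)(?::(?P<p1>\d+)(?:\.\.(?P<p2>\d+))?)?$")
# Conservative hostname shape: dot-separated labels of letters, digits, hyphens.
_HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*"
)


def parse_address(spec: str) -> Tuple[str, List[int]]:
    """Parse one igniteAddress entry into (host, ports).

    ports is empty when the entry carries no port, [p] for host:p, and the
    full inclusive list for a range p1..p2. Entries that break the documented
    rules (port1 < port2, both ports > 0) raise ValueError.
    """
    m = _ADDR_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unparseable address: {spec!r}")
    host = m.group("host")
    if re.fullmatch(r"[0-9.]+", host):
        # Looks like an IPv4 literal: let ipaddress reject 999.1.1.1 and friends
        # (AddressValueError is a ValueError subclass).
        ipaddress.IPv4Address(host)
    elif not _HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"invalid hostname: {host!r}")

    if m.group("p1") is None:
        return host, []
    p1 = int(m.group("p1"))
    p2 = int(m.group("p2")) if m.group("p2") is not None else p1
    if p1 <= 0 or p2 <= 0:
        raise ValueError(f"ports must be greater than 0: {spec!r}")
    if p2 > 65535:
        raise ValueError(f"port out of range: {spec!r}")
    if m.group("p2") is not None and not p1 < p2:
        raise ValueError(f"port1 < port2 must hold for a range: {spec!r}")
    return host, list(range(p1, p2 + 1))


def expand_addresses(specs: List[str]) -> List[Tuple[str, Optional[int]]]:
    """Expand a whole igniteAddress list to (host, port) pairs, port None when absent.

    Comparing the expanded output of two nodes' configurations is a cheap way
    to catch a node that was left with a stale or partial member list.
    """
    pairs: List[Tuple[str, Optional[int]]] = []
    for spec in specs:
        host, ports = parse_address(spec)
        if ports:
            pairs.extend((host, p) for p in ports)
        else:
            pairs.append((host, None))
    return pairs
```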
joinTimeout
String joinTimeout
Sets join timeout. If non-shared IP finder is used and node fails to connect to any address from IP finder, node keeps trying to join within this timeout. If all addresses are still unresponsive, exception is thrown and node startup fails. -
keyAlgorithm
String keyAlgorithm
The key algorithm to use when creating SSL context. -
keyStoreFilePath
String keyStoreFilePath
Keystore file path used to create a SSL context for the ticket registry. -
keyStorePassword
String keyStorePassword
Keystore password used to create a SSL context for the ticket registry. -
keyStoreType
String keyStoreType
Keystore type used to create a SSL context for the ticket registry. -
localAddress
String localAddress
Sets local host IP address that discovery SPI uses. If not provided, by default a first found non-loopback address will be used. If there is no non-loopback address available, then InetAddress.getLocalHost() will be used. -
localPort
int localPort
Sets local port to listen to. -
networkTimeout
String networkTimeout
Sets maximum network timeout to use for network operations. -
protocol
String protocol
SSL protocol used to create a SSL context for the ticket registry. -
socketTimeout
String socketTimeout
Sets socket operations timeout. This timeout is used to limit connection time and write-to-socket time. Note that when running Ignite on Amazon EC2, socket timeout must be set to a value significantly greater than the default (e.g. to 30000). -
threadPriority
int threadPriority
Sets thread priority. All threads within SPI will be started with it. -
ticketsCache
IgniteProperties.TicketsCache ticketsCache
Settings related to tickets cache. -
trustStoreFilePath
String trustStoreFilePath
Truststore file path used to create a SSL context for the ticket registry. -
trustStorePassword
String trustStorePassword
Truststore password used to create a SSL context for the ticket registry. -
trustStoreType
String trustStoreType
Truststore type used to create a SSL context for the ticket registry.
-
-
Class org.apereo.cas.configuration.model.support.ignite.IgniteProperties.TicketsCache
class TicketsCache extends Object implements Serializable- serialVersionUID:
- 4715167757542984471L
-
Serialized Fields
-
atomicityMode
String atomicityMode
Specifies the atomicity mode.
- ATOMIC: Specifies atomic-only cache behaviour. In this mode distributed transactions and distributed locking are not supported. Disabling transactions and locking allows to achieve much higher performance and throughput ratios. In addition to transactions and locking, one of the main differences in ATOMIC mode is that bulk writes, such as putAll(...), removeAll(...), and transformAll(...) methods, become simple batch operations which can partially fail. In case of partial failure CachePartialUpdateCheckedException will be thrown which will contain a list of keys for which the update failed. It is recommended that bulk writes are used whenever multiple keys need to be inserted or updated in cache, as they reduce number of network trips and provide better performance. Note that even without locking and transactions, ATOMIC mode still provides full consistency guarantees across all cache nodes. Also note that all data modifications in ATOMIC mode are guaranteed to be atomic and consistent with writes to the underlying persistent store, if one is configured.
- TRANSACTIONAL: Specifies fully ACID-compliant transactional cache behavior.
-
cacheMode
String cacheMode
Specifies the caching mode.
- LOCAL: Specifies local-only cache behaviour. In this mode caches residing on different grid nodes will not know about each other. Other than distribution, local caches still have all the caching features, such as eviction, expiration, swapping, querying, etc. This mode is very useful when caching read-only data or data that automatically expires at a certain interval and is then automatically reloaded from the persistence store.
- REPLICATED: Specifies fully replicated cache behavior. In this mode all the keys are distributed to all participating nodes. User still has affinity control over subset of nodes for any given key via AffinityFunction configuration.
- PARTITIONED: Specifies partitioned cache behaviour. In this mode the overall key set will be divided into partitions and all partitions will be split equally between participating nodes. User has affinity control over key assignment via AffinityFunction configuration. Note that partitioned cache is always fronted by local 'near' cache which stores most recent data. You can configure the size of near cache via NearCacheConfiguration.getNearEvictionPolicy() configuration property.
-
writeSynchronizationMode
String writeSynchronizationMode
Mode indicating how Ignite should wait for write replies from other nodes. Default value is FULL_ASYNC, which means that Ignite will not wait for responses from participating nodes. This means that by default remote nodes may get their state updated slightly after any of the cache write methods complete, or after Transaction.commit() method completes.
- FULL_ASYNC: Flag indicating that Ignite will not wait for write or commit responses from participating nodes, which means that remote nodes may get their state updated a bit after any of the cache write methods complete, or after Transaction.commit() method completes.
- FULL_SYNC: Flag indicating that Ignite should wait for write or commit replies from all nodes. This behavior guarantees that whenever any of the atomic or transactional writes complete, all other participating nodes which cache the written data have been updated.
- PRIMARY_SYNC: This flag only makes sense for CacheMode.PARTITIONED mode. When enabled, Ignite will wait for write or commit to complete on primary node, but will not wait for backups to be updated.
-
-
-
-
Package org.apereo.cas.configuration.model.support.influxdb
-
Class org.apereo.cas.configuration.model.support.influxdb.InfluxDbProperties
class InfluxDbProperties extends Object implements Serializable- serialVersionUID:
- -1945287308473842616L
-
-
Package org.apereo.cas.configuration.model.support.interrupt
-
Class org.apereo.cas.configuration.model.support.interrupt.GroovyInterruptProperties
class GroovyInterruptProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 8079027843747126082L
-
Class org.apereo.cas.configuration.model.support.interrupt.InterruptCookieProperties
class InterruptCookieProperties extends PinnableCookieProperties implements Serializable- serialVersionUID:
- -266090748600049578L
-
Serialized Fields
-
autoConfigureCookiePath
boolean autoConfigureCookiePath
Decide if cookie paths should be automatically configured based on the application context path, when the cookie path is not configured. -
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Crypto settings that determine how the cookie should be signed and encrypted.
-
-
Class org.apereo.cas.configuration.model.support.interrupt.InterruptCoreProperties
class InterruptCoreProperties extends Object implements Serializable- serialVersionUID:
- 4263941933003310968L
-
Serialized Fields
-
forceExecution
boolean forceExecution
Whether execution of the interrupt inquiry query should be always forced, and the status of interrupt check should be ignored. This is a global setting that can optionally be overruled for each application policy. -
triggerMode
InterruptCoreProperties.InterruptTriggerModes triggerMode
Define how interrupt notifications should be triggered in the authentication flow.
-
-
Class org.apereo.cas.configuration.model.support.interrupt.InterruptProperties
class InterruptProperties extends Object implements Serializable- serialVersionUID:
- -4945287309473842615L
-
Serialized Fields
-
cookie
InterruptCookieProperties cookie
Cookie settings. -
core
InterruptCoreProperties core
Core settings for interrupt notifications. -
groovy
GroovyInterruptProperties groovy
Inquire for interrupt using a Groovy resource. -
json
JsonInterruptProperties json
Inquire for interrupt using a JSON resource. -
regex
RegexInterruptProperties regex
Inquire for interrupt using a regex pattern operating on attributes. -
rest
RestfulInterruptProperties rest
Inquire for interrupt using a REST resource.
-
-
Class org.apereo.cas.configuration.model.support.interrupt.JsonInterruptProperties
class JsonInterruptProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 1079027840047126083L
-
Class org.apereo.cas.configuration.model.support.interrupt.RegexInterruptProperties
class RegexInterruptProperties extends Object implements Serializable- serialVersionUID:
- 2169027840047126083L
-
Serialized Fields
-
attributeName
String attributeName
A regex pattern on the attribute name that if matches will successfully complete the first condition for the interrupt notifications trigger. -
attributeValue
String attributeValue
A regex pattern on the attribute value that if matches will successfully complete the first condition for the interrupt notifications trigger.
-
-
Class org.apereo.cas.configuration.model.support.interrupt.RestfulInterruptProperties
class RestfulInterruptProperties extends RestEndpointProperties implements Serializable- serialVersionUID:
- 1833594332973137011L
-
-
Package org.apereo.cas.configuration.model.support.jaas
-
Class org.apereo.cas.configuration.model.support.jaas.JaasAuthenticationProperties
class JaasAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 4643338626978471986L
-
Serialized Fields
-
credentialCriteria
String credentialCriteria
A number of authentication handlers are allowed to determine whether they can operate on the provided credential and as such lend themselves to be tried and tested during the authentication handler selection phase. The credential criteria may be one of the following options:
- 1) A regular expression pattern that is tested against the credential identifier.
- 2) A fully qualified class name of your own design that implements Predicate.
- 3) Path to an external Groovy script that implements the same interface.
-
kerberosKdcSystemProperty
String kerberosKdcSystemProperty
Typically, the default realm and the KDC for that realm are indicated in the Kerberos krb5.conf configuration file. However, if you like, you can instead specify the realm value by setting this following system property value. If you set the realm property, you SHOULD also configure the kerberos KDC system property. Also note that if you set these properties, then no cross-realm authentication is possible unless a krb5.conf file is also provided from which the additional information required for cross-realm authentication may be obtained. If you set values for these properties, then they override the default realm and KDC values specified in krb5.conf (if such a file is found). The krb5.conf file is still consulted if values for items other than the default realm and KDC are needed. If no krb5.conf file is found, then the default values used for these items are implementation-specific. -
kerberosRealmSystemProperty
String kerberosRealmSystemProperty
Typically, the default realm and the KDC for that realm are indicated in the Kerberos krb5.conf configuration file. However, if you like, you can instead specify the realm value by setting this following system property value. If you set the realm property, you SHOULD also configure the kerberos KDC system property. Also note that if you set these properties, then no cross-realm authentication is possible unless a krb5.conf file is also provided from which the additional information required for cross-realm authentication may be obtained. If you set values for these properties, then they override the default realm and KDC values specified in krb5.conf (if such a file is found). The krb5.conf file is still consulted if values for items other than the default realm and KDC are needed. If no krb5.conf file is found, then the default values used for these items are implementation-specific. -
loginConfigType
String loginConfigType
Typically set to JavaLoginConfig, which is the default Configuration implementation from the SUN provider. This type accepts a URI/path to a configuration file as a valid parameter type specified via JaasAuthenticationProperties.loginConfigurationFile. If this parameter is not specified, then the configuration information is loaded from the sources described in the ConfigFile class specification. If this parameter is specified, the configuration information is loaded solely from the specified URI. -
loginConfigurationFile
String loginConfigurationFile
Path to the location of configuration file (i.e. jaas.conf) that contains the realms and login modules. -
name
String name
Name of the authentication handler. -
order
int order
Order of the authentication handler in the chain. -
passwordEncoder
PasswordEncoderProperties passwordEncoder
Password encoder settings for JAAS authentication. -
passwordPolicy
PasswordPolicyProperties passwordPolicy
Password policy settings. -
principal
PersonDirectoryPrincipalResolverProperties principal
Principal construction settings. -
principalTransformation
PrincipalTransformationProperties principalTransformation
Principal transformation settings. -
realm
String realm
JAAS realm to use. -
state
AuthenticationHandlerStates state
Define the scope and state of this authentication handler and the lifecycle in which it can be invoked or activated.
-
-
-
Package org.apereo.cas.configuration.model.support.jdbc
-
Class org.apereo.cas.configuration.model.support.jdbc.JdbcAuthenticationProperties
class JdbcAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 7199786191466526110L
-
Serialized Fields
-
bind
List<BindJdbcAuthenticationProperties> bind
Settings related to bind-mode jdbc authentication. Authenticates a user by attempting to create a database connection using the username and (hashed) password. -
encode
List<QueryEncodeJdbcAuthenticationProperties> encode
Settings related to query-encode-mode jdbc authentication. A JDBC querying handler that will pull back the password and the private salt value for a user and validate the encoded password using the public salt value. Assumes everything is inside the same database table. Supports settings for number of iterations as well as private salt. This password encoding method combines the private Salt and the public salt which it prepends to the password before hashing. If multiple iterations are used, the byte code hash of the first iteration is rehashed without the salt values. The final hash is converted to hex before comparing it to the database value. -
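The encode-mode description above spells out a hashing scheme in prose; the following is an added worked version of that scheme, not CAS's own handler. The digest algorithm (SHA-512), the UTF-8 encoding, the byte order of "private salt, then public salt, then password" and the in-memory user table are all assumptions of this example, and the `authenticate` helper is mine.

```python
"""Worked version of the query-encode password scheme described above: the
private salt and the public salt are prepended to the password and hashed,
further iterations re-hash the raw digest bytes without the salts, and the
final digest is hex-encoded before comparison with the stored value.
Added illustration, not CAS code; SHA-512/UTF-8 and the table are assumed."""
import hashlib
import hmac
from typing import Dict, List, Optional


def encode_password(password: str, private_salt: str, public_salt: str,
                    iterations: int, algorithm: str = "sha512") -> str:
    """Return the hex digest the scheme would store for this password."""
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    # Iteration 1: salts (private first, then public) prepended to the password.
    salted = (private_salt + public_salt + password).encode("utf-8")
    digest = hashlib.new(algorithm, salted).digest()
    # Remaining iterations: re-hash the digest bytes, with no salt involved.
    for _ in range(iterations - 1):
        digest = hashlib.new(algorithm, digest).digest()
    return digest.hex()


def verify_password(candidate: str, stored_hex: str, private_salt: str,
                    public_salt: str, iterations: int,
                    algorithm: str = "sha512") -> bool:
    """Recompute the digest for the candidate and compare in constant time,
    so response timing does not reveal how many leading characters matched."""
    computed = encode_password(candidate, private_salt, public_salt,
                               iterations, algorithm)
    return hmac.compare_digest(computed, stored_hex.lower())


# The private salt and iteration count are deployment-wide settings, not table
# columns; both values here are constructed placeholders.
PRIVATE_SALT = "example-private-salt"
ITERATIONS = 3

# Constructed single-table user store: one row holds the username, the stored
# hash and the per-user public salt, matching "everything is inside the same
# database table".
USER_TABLE: List[Dict[str, str]] = [
    {"username": "alice", "public_salt": "8f1c2a",
     "password": encode_password("correct horse", PRIVATE_SALT, "8f1c2a", ITERATIONS)},
    {"username": "bob", "public_salt": "0d7e19",
     "password": encode_password("hunter2", PRIVATE_SALT, "0d7e19", ITERATIONS)},
]


def authenticate(username: str, password: str,
                 table: List[Dict[str, str]] = USER_TABLE) -> Optional[str]:
    """Look the user up by username and verify the candidate password.

    Returns the username on success and None for an unknown user or a wrong
    password, so callers cannot distinguish the two cases.
    """
    row = next((r for r in table if r["username"] == username), None)
    if row is None:
        return None
    ok = verify_password(password, row["password"], PRIVATE_SALT,
                         row["public_salt"], ITERATIONS)
    return username if ok else None
```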
query
List<QueryJdbcAuthenticationProperties> query
Settings related to query-mode jdbc authentication. Authenticates a user by comparing the user password (which can be encoded with a password encoder) against the password on record determined by a configurable database query. -
search
List<SearchJdbcAuthenticationProperties> search
Settings related to search-mode jdbc authentication. Searches for a user record by querying against a username and password; the user is authenticated if at least one result is found.
-
-
Class org.apereo.cas.configuration.model.support.jdbc.JdbcPrincipalAttributesProperties
class JdbcPrincipalAttributesProperties extends AbstractJpaProperties implements Serializable- serialVersionUID:
- 6915428382578138387L
-
Serialized Fields
-
attributes
Map<String, String> attributes
Map of attributes to fetch from the database. Attributes are defined using a key-value structure where CAS allows the attribute name/key to be renamed virtually to a different attribute. The key is the attribute fetched from the data source and the value is the attribute name CAS should use for virtual renames. Attributes may be allowed to be virtually renamed and remapped. The key in the attribute map is the original attribute, and the value should be the virtually-renamed attribute. -
caseCanonicalization
String caseCanonicalization
When constructing the final person object from the attribute repository, indicate how the username should be canonicalized. Accepted values are:
- UPPER: Transform the final person id into uppercase characters.
- LOWER: Transform the final person id into lowercase characters.
- NONE: Do nothing.
-
caseInsensitiveQueryAttributes
List<String> caseInsensitiveQueryAttributes
Collection of attributes, used to build the SQL query, that should go through a case canonicalization process defined as key->value. Note that the key is not the name of the attribute, but the query attribute that is used in generating the final query clause (i.e. username). The value can be NONE, LOWER, UPPER. It's also possible to define a list of attributes without a case canonicalization override, such as username, attribute2, in which case JdbcPrincipalAttributesProperties.caseCanonicalization will dictate the final outcome. -
columnMappings
Map<String, String> columnMappings
Used only when there is a mapping of many rows to one user. This is done using a key-value structure where the key is the name of the "attribute name" column and the value is the name of the "attribute value" column. If the table structure is as such:
uid | attr_name | attr_value
tom | first_name | Thomas
Then a column mapping must be specified to teach CAS to use attr_name and attr_value for attribute names and values. -
id
String id
A value can be assigned to this field to uniquely identify this resolver. -
order
int order
The order of this attribute repository in the chain of repositories. Can be used to explicitly position this source in chain and affects merging strategies. -
queryAttributes
Map<String, String> queryAttributes
Define a Map of query attribute names to data-layer attribute names to use when building the query. The key is always the name of the query attribute that is defined by CAS and passed internally, and the value is the database column that it should map to. -
queryType
String queryType
Indicates how multiple attributes in a query should be concatenated together. Accepted values are:
- AND: Concatenate attributes in the query using an AND-clause.
- OR: Concatenate attributes in the query using an OR-clause.
-
requireAllAttributes
boolean requireAllAttributes
If the SQL should only be run if all attributes listed in the mappings exist in the query. -
singleRow
boolean singleRow
Designed to work against a table where there is a mapping of one row to one user. The fields in the table structure are assumed to match username|name|lastname|address, where there is only a single row per user. Setting this to false will force CAS to work against a table where many rows map to one user. The fields in the table structure are then assumed to match username|attr_name|attr_value, where there is more than one row per username. -
sql
String sql
The SQL statement to execute and fetch attributes. The syntax of the query must be SELECT * FROM table WHERE {0}. The WHERE clause is dynamically generated by CAS. -
state
AttributeRepositoryStates state
Whether attribute resolution based on this source is enabled. -
username
List<String> username
Username attribute(s) to use when running the SQL query.
-
-
-
Package org.apereo.cas.configuration.model.support.jdbc.authn
-
Class org.apereo.cas.configuration.model.support.jdbc.authn.BaseJdbcAuthenticationProperties
class BaseJdbcAuthenticationProperties extends AbstractJpaProperties implements Serializable- serialVersionUID:
- 8460723293967413501L
-
Serialized Fields
-
credentialCriteria
String credentialCriteria
A number of authentication handlers are allowed to determine whether they can operate on the provided credential and as such lend themselves to be tried and tested during the authentication handler selection phase. The credential criteria may be one of the following options:
- 1) A regular expression pattern that is tested against the credential identifier.
- 2) A fully qualified class name of your own design that implements Predicate.
- 3) Path to an external Groovy script that implements the same interface.
-
name
String name
Name of the authentication handler. -
order
int order
Order of the authentication handler in the chain. -
passwordEncoder
PasswordEncoderProperties passwordEncoder
Password encoding strategies for this authentication. -
principalAttributeList
List<String> principalAttributeList
List of column names to fetch as user attributes. This is only effective in scenarios where the JDBC authentication method is able to execute a SQL query against a database table and return results. Authentication methods that merely check for the user account's existence or verify the user with just a simple bind are not able to fetch attributes. Attribute names are separated by a comma and may use a "directed list" syntax of the form column-name->cas-attribute. -
principalTransformation
PrincipalTransformationProperties principalTransformation
Principal transformation settings for this authentication. -
state
AuthenticationHandlerStates state
Define the scope and state of this authentication handler and the lifecycle in which it can be invoked or activated.
-
-
Class org.apereo.cas.configuration.model.support.jdbc.authn.BindJdbcAuthenticationProperties
class BindJdbcAuthenticationProperties extends BaseJdbcAuthenticationProperties implements Serializable- serialVersionUID:
- 4268982716707687796L
-
Class org.apereo.cas.configuration.model.support.jdbc.authn.QueryEncodeJdbcAuthenticationProperties
class QueryEncodeJdbcAuthenticationProperties extends BaseJdbcAuthenticationProperties implements Serializable- serialVersionUID:
- -6647373426301411768L
-
Serialized Fields
-
algorithmName
String algorithmName
Algorithm used for hashing. -
disabledFieldName
String disabledFieldName
Column name that indicates whether account is disabled. -
expiredFieldName
String expiredFieldName
Column name that indicates whether account is expired. -
numberOfIterations
int numberOfIterations
Default number of iterations for hashing. -
numberOfIterationsFieldName
String numberOfIterationsFieldName
Field/column name that indicates the number of iterations used for password hashing. -
passwordFieldName
String passwordFieldName
Password column name. -
saltFieldName
String saltFieldName
Field/column name that indicates the salt used for password hashing. -
sql
String sql
SQL query to execute and look up accounts. Example: SELECT * FROM table WHERE username=?. -
staticSalt
String staticSalt
Static salt to be used for hashing.
-
-
Class org.apereo.cas.configuration.model.support.jdbc.authn.QueryJdbcAuthenticationProperties
class QueryJdbcAuthenticationProperties extends BaseJdbcAuthenticationProperties implements Serializable- serialVersionUID:
- 7806132208223986680L
-
Serialized Fields
-
fieldDisabled
String fieldDisabled
Boolean field that should indicate whether the account is disabled. -
fieldExpired
String fieldExpired
Boolean field that should indicate whether the account is expired. -
fieldPassword
String fieldPassword
Password field/column name to retrieve. -
sql
String sql
SQL query to execute. Example: SELECT * FROM table WHERE name=?.
-
-
Class org.apereo.cas.configuration.model.support.jdbc.authn.SearchJdbcAuthenticationProperties
class SearchJdbcAuthenticationProperties extends BaseJdbcAuthenticationProperties implements Serializable- serialVersionUID:
- 6912107600297453730L
-
-
Package org.apereo.cas.configuration.model.support.jpa
-
Class org.apereo.cas.configuration.model.support.jpa.AbstractJpaProperties
class AbstractJpaProperties extends Object implements Serializable- serialVersionUID:
- 761486823496930920L
-
Serialized Fields
-
autocommit
boolean autocommit
The default auto-commit behavior of connections in the pool. Determines whether queries such as update/insert should be immediately executed without waiting for an underlying transaction. -
batchSize
int batchSize
A non-zero value enables use of JDBC2 batch updates by Hibernate; recommended values are between 5 and 30. -
connectionTimeout
String connectionTimeout
Indicates the maximum number of milliseconds that the service can wait to obtain a connection. -
dataSourceName
String dataSourceName
Attempts to do a JNDI data source look up for the data source name specified. Will attempt to locate the data source object as is. -
ddlAuto
String ddlAuto
Hibernate feature to automatically validate and export DDL to the schema. By default, creates and drops the schema automatically when a session starts and ends. Setting the value to validate or none may be more desirable for production, but any of the following options can be used:
- validate: Validate the schema, but make no changes to the database.
- update: Update the schema.
- create: Create the schema, destroying previous data.
- create-drop: Drop the schema at the end of the session.
- none: Do nothing.
Note that during a version migration where any schema has changed, create-drop will result in the loss of all data as soon as CAS is started. For transient data like tickets this is probably not an issue, but in cases like the audit table important data could be lost. Using update, while safe for data, is confirmed to result in invalid database state. validate or none settings are likely the only safe options for production use. -
defaultCatalog
String defaultCatalog
Qualifies unqualified table names with the given catalog in generated SQL. -
defaultSchema
String defaultSchema
Qualify unqualified table names with the given schema/tablespace in generated SQL. -
dialect
String dialect
The database dialect is a configuration setting for platform independent software (JPA, Hibernate, etc) which allows such software to translate its generic SQL statements into vendor specific DDL, DML. -
driverClass
String driverClass
The JDBC driver used to connect to the database. -
failFastTimeout
long failFastTimeout
Set the pool initialization failure timeout.
- Any value greater than zero will be treated as a timeout for pool initialization. The calling thread will be blocked from continuing until a successful connection to the database, or until the timeout is reached. If the timeout is reached, then a PoolInitializationException will be thrown.
- A value of zero will not prevent the pool from starting in the case that a connection cannot be obtained. However, upon start the pool will attempt to obtain a connection and validate that the connectionTestQuery and connectionInitSql are valid. If those validations fail, an exception will be thrown. If a connection cannot be obtained, the validation is skipped and the pool will start and continue to try to obtain connections in the background. This can mean that callers to DataSource#getConnection() may encounter exceptions.
- A value less than zero will not bypass any connection attempt and validation during startup, and therefore the pool will start immediately. The pool will continue to try to obtain connections in the background. This can mean that callers to DataSource#getConnection() may encounter exceptions.
This timeout does not override connectionTimeout or validationTimeout; they will be honored before this timeout is applied. The default value is one millisecond.
-
fetchSize
int fetchSize
Used to specify number of rows to be fetched in a select query. -
generateStatistics
boolean generateStatistics
Allow hibernate to generate query statistics. -
healthQuery
String healthQuery
The SQL query to be executed to test the validity of connections. This is for "legacy" databases that do not support the JDBC4 Connection.isValid() API. -
idleTimeout
String idleTimeout
Controls the maximum amount of time that a connection is allowed to sit idle in the pool. -
isolateInternalQueries
boolean isolateInternalQueries
This property determines whether the data source isolates internal pool queries, such as the connection alive test, in their own transaction. Since these are typically read-only queries, it is rarely necessary to encapsulate them in their own transaction. This property only applies if AbstractJpaProperties.autocommit is disabled. -
isolationLevelName
String isolationLevelName
Defines the isolation level for transactions. -
leakThreshold
String leakThreshold
Controls the amount of time that a connection can be out of the pool before a message is logged indicating a possible connection leak. -
password
String password
The database connection password. -
physicalNamingStrategyClassName
String physicalNamingStrategyClassName
Fully-qualified name of the class that can control the physical naming strategy of hibernate. -
pool
ConnectionPoolingProperties pool
Database connection pooling settings. -
propagationBehaviorName
String propagationBehaviorName
Defines the propagation behavior for transactions. -
properties
Map<String, String> properties
Additional settings provided by Hibernate (or the connection provider) in the form of key-value pairs. -
readOnly
boolean readOnly
Configures the Connections to be added to the pool as read-only Connections. -
url
String url
The database connection URL. -
user
String user
The database user. The database user must have sufficient permissions to be able to handle schema changes and updates, when needed.
-
-
Class org.apereo.cas.configuration.model.support.jpa.DatabaseProperties
class DatabaseProperties extends Object implements Serializable- serialVersionUID:
- 7740236971148591965L
-
Serialized Fields
-
caseInsensitive
boolean caseInsensitive
When choosing physical table names, determine whether names should be considered case-insensitive. -
genDdl
boolean genDdl
Whether to generate DDL after the EntityManagerFactory has been initialized creating/updating all relevant tables. -
physicalTableNames
Map<String, String> physicalTableNames
Indicate a physical table name to be used by the hibernate naming strategy in case table names need to be customized for the specific type of database. The key here indicates the CAS-provided table name and the value is the translated physical name for the database. If a match is not found for the CAS-provided table name, then that name will be used by default. -
showSql
boolean showSql
Whether SQL queries should be displayed in the console/logs.
-
-
-
Package org.apereo.cas.configuration.model.support.jpa.serviceregistry
-
Class org.apereo.cas.configuration.model.support.jpa.serviceregistry.JpaServiceRegistryProperties
class JpaServiceRegistryProperties extends AbstractJpaProperties implements Serializable- serialVersionUID:
- 352435146313504995L
-
Serialized Fields
-
enabled
boolean enabled
Whether managing services via JPA is enabled.
-
-
-
Package org.apereo.cas.configuration.model.support.jpa.ticketregistry
-
Class org.apereo.cas.configuration.model.support.jpa.ticketregistry.JpaTicketRegistryProperties
class JpaTicketRegistryProperties extends AbstractJpaProperties implements Serializable- serialVersionUID:
- -8053839523783801072L
-
Serialized Fields
-
crypto
EncryptionRandomizedSigningJwtCryptographyProperties crypto
Crypto settings for the registry. -
enabled
boolean enabled
Whether managing tickets via JPA is enabled. -
jpaLockingTimeout
String jpaLockingTimeout
Indicates the lock duration when one is about to be acquired by the cleaner. -
ticketLockType
jakarta.persistence.LockModeType ticketLockType
Ticket locking type. Acceptable values are READ, WRITE, OPTIMISTIC, OPTIMISTIC_FORCE_INCREMENT, PESSIMISTIC_READ, PESSIMISTIC_WRITE, PESSIMISTIC_FORCE_INCREMENT, NONE.
-
-
-
Package org.apereo.cas.configuration.model.support.kafka
-
Class org.apereo.cas.configuration.model.support.kafka.BaseKafkaProperties
class BaseKafkaProperties extends Object implements Serializable- serialVersionUID:
- -3844529231331941592L
-
Serialized Fields
-
bootstrapAddress
String bootstrapAddress
Kafka bootstrapping server address (i.e. localhost:9092).
-
-
Class org.apereo.cas.configuration.model.support.kafka.KafkaSingleTopicProperties
class KafkaSingleTopicProperties extends Object implements Serializable- serialVersionUID:
- -1844529231331941592L
-
Serialized Fields
-
compressionType
String compressionType
Specify the final compression type for a given topic. This configuration accepts the standard compression codecs ('gzip', 'snappy', 'lz4', 'zstd'). It additionally accepts 'uncompressed', which is equivalent to no compression, and 'producer', which means retain the original compression codec set by the producer. -
config
Map<String, String> config
Additional configuration options, as pointed out by TopicConfig. -
name
String name
Set the name of the topic. -
partitions
int partitions
Set the number of partitions (default 1). -
replicas
int replicas
Set the number of replicas (default 1).
-
-
-
Package org.apereo.cas.configuration.model.support.ldap
-
Class org.apereo.cas.configuration.model.support.ldap.AbstractLdapAuthenticationProperties
class AbstractLdapAuthenticationProperties extends AbstractLdapSearchProperties implements Serializable- serialVersionUID:
- 3849857270054289852L
-
Serialized Fields
-
derefAliases
String derefAliases
Define how aliases are de-referenced. Accepted values are:
- NEVER
- SEARCHING: dereference when searching the entries beneath the starting point but not when searching for the starting entry.
- FINDING: dereference when searching for the starting entry but not when searching the entries beneath the starting point.
- ALWAYS: dereference when searching for the starting entry and when searching the entries beneath the starting point.
-
dnFormat
String dnFormat
Specify the dn format accepted by the AD authenticator, etc. An example format might be uid=%s,ou=people,dc=example,dc=org. -
enhanceWithEntryResolver
boolean enhanceWithEntryResolver
Whether specific search entry resolvers need to be set on the authenticator, or the default should be used. -
principalAttributePassword
String principalAttributePassword
If principalAttributePassword is empty then a user simple bind is done to validate credentials; otherwise the given attribute is compared with the given principalAttributePassword using the SHA encrypted value of it. For the anonymous authentication type, if principalAttributePassword is empty then a user simple bind is done to validate credentials; otherwise the given attribute is compared with the given principalAttributePassword using the SHA encrypted value of it.
-
resolveFromAttribute
String resolveFromAttribute
If this attribute is set, the value found in the first attribute value will be used in place of the DN. -
type
AbstractLdapAuthenticationProperties.AuthenticationTypes type
The authentication type.
- AD: Users authenticate with sAMAccountName.
- AUTHENTICATED: Manager bind/search type of authentication. If principalAttributePassword is empty then a user simple bind is done to validate credentials. Otherwise the given attribute is compared with the given principalAttributePassword using the SHA encrypted value of it.
- ANONYMOUS: Similar semantics as AUTHENTICATED except no bindDn and bindCredential may be specified to initialize the connection. If principalAttributePassword is empty then a user simple bind is done to validate credentials. Otherwise the given attribute is compared with the given principalAttributePassword using the SHA encrypted value of it.
- DIRECT: Direct Bind - Compute user DN from format string and perform simple bind. This is relevant when no search is required to compute the DN needed for a bind operation. Use cases for this type are: 1) All users are under a single branch in the directory, e.g. ou=Users,dc=example,dc=org. 2) The username provided on the CAS login form is part of the DN, e.g. uid=%s,ou=Users,dc=example,dc=org.
-
-
Class org.apereo.cas.configuration.model.support.ldap.AbstractLdapProperties
class AbstractLdapProperties extends Object implements Serializable- serialVersionUID:
- 2682743362616979324L
-
Serialized Fields
-
allowMultipleDns
boolean allowMultipleDns
Whether search/query results are allowed to match on multiple DNs, or whether a single unique DN is expected for the result. -
allowMultipleEntries
boolean allowMultipleEntries
Set if multiple Entries are allowed. -
binaryAttributes
List<String> binaryAttributes
Indicate the collection of attributes that are to be tagged and processed as binary attributes by the underlying search resolver. -
bindCredential
String bindCredential
The bind credential to use when connecting to LDAP. -
bindDn
String bindDn
The bind DN to use when connecting to LDAP. LDAP connection configuration injected into the LDAP connection pool can be initialized with the following parameters:
- bindDn/bindCredential provided - Use the provided credentials to bind when initializing connections.
- bindDn/bindCredential set to * - Use a fast-bind strategy to initialize the pool.
- bindDn/bindCredential set to blank - Skip connection initializing; perform operations anonymously.
- SASL mechanism provided - Use the given SASL mechanism to bind when initializing connections.
-
blockWaitTime
String blockWaitTime
The length of time the pool will block. By default the pool will block indefinitely and there is no guarantee that waiting threads will be serviced in the order in which they made their request. This option should be used with a blocking connection pool when you need to control the exact number of connections that can be created. -
connectionStrategy
String connectionStrategy
If multiple URLs are provided as the ldapURL, this describes how each URL will be processed.
- ACTIVE_PASSIVE: The first LDAP will be used for every request unless it fails, and then the next shall be used.
- ROUND_ROBIN: For each new connection the next url in the list will be used.
- RANDOM: For each new connection a random LDAP url will be selected.
- DNS_SRV: LDAP urls based on DNS SRV records of the configured/given LDAP url will be used.
-
connectTimeout
String connectTimeout
Sets the maximum amount of time that connects will block. -
disablePooling
boolean disablePooling
Whether to use a pooled connection factory in components. -
failFast
boolean failFast
Attempt to populate the connection pool early on startup and fail quickly if something goes wrong. -
followReferrals
boolean followReferrals
Set if search referrals should be followed. -
hostnameVerifier
AbstractLdapProperties.LdapHostnameVerifierOptions hostnameVerifier
Hostname verification options. -
idleTime
String idleTime
Removes connections from the pool based on how long they have been idle in the available queue. Prunes connections that have been idle for more than the indicated amount. -
keystore
String keystore
Path to the keystore used for SSL connections. Typically contains SSL certificates for the LDAP server. -
keystorePassword
String keystorePassword
Keystore password. -
keystoreType
String keystoreType
The type of keystore: PKCS12 or JKS. If left blank, defaults to the default keystore type indicated by the underlying Java platform. -
ldapUrl
String ldapUrl
The LDAP url to the server. More than one may be specified, separated by space and/or comma. -
maxPoolSize
int maxPoolSize
Maximum LDAP connection pool size which the pool can use to grow. -
minPoolSize
int minPoolSize
Minimum LDAP connection pool size. Size the pool should be initialized to and pruned to -
name
String name
Name of the LDAP handler. -
poolPassivator
String poolPassivator
You may receive unexpected LDAP failures when CAS is configured to authenticate using DIRECT or AUTHENTICATED types and LDAP is locked down to not allow anonymous binds/searches. Every second attempt with a given LDAP connection from the pool would fail if it was on the same connection as a failed login attempt, and the regular connection validator would similarly fail. When a connection is returned back to a pool, it still may contain the principal and credentials from the previous attempt. Before the next bind attempt using that connection, the validator tries to validate the connection again but fails because it’s no longer trying with the configured bind credentials but with whatever user DN was used in the previous step. Given the validation failure, the connection is closed and CAS would deny access by default. Passivators attempt to reconnect to LDAP with the configured bind credentials, effectively resetting the connection to what it should be after each bind request. Furthermore, if you are seeing errors in the logs that resemble an 'Operation exception encountered, reopening connection' type of message, this usually is an indication that the connection pool’s validation timeout established and created by CAS is greater than the timeout configured in the LDAP server, or more likely, in the load balancer in front of the LDAP servers. You can adjust the LDAP server session’s timeout for connections, or you can teach CAS to use a validity period that is equal or less than the LDAP server session’s timeout. Accepted values are:
- NONE: No passivation takes place.
- BIND: The default behavior which passivates a connection by performing a bind operation on it. This option requires the availability of bind credentials when establishing connections to LDAP.
-
prunePeriod
String prunePeriod
Removes connections from the pool based on how long they have been idle in the available queue. Run the pruning process at the indicated interval. -
responseTimeout
String responseTimeout
Duration of time to wait for responses. -
saslAuthorizationId
String saslAuthorizationId
SASL authorization id. -
saslMechanism
String saslMechanism
The SASL mechanism. -
saslMutualAuth
Boolean saslMutualAuth
Whether SASL mutual auth is enabled. -
saslQualityOfProtection
String saslQualityOfProtection
SASL quality of protection. -
saslRealm
String saslRealm
The SASL realm. -
saslSecurityStrength
String saslSecurityStrength
SASL security strength. -
trustCertificates
String trustCertificates
Path of the trust certificates to use for the SSL connection. Ignores keystore-related settings when activated and used. -
trustManager
String trustManager
Trust Manager options. Trust managers are responsible for managing the trust material that is used when making LDAP trust decisions, and for deciding whether credentials presented by a peer should be accepted. Accepted values are:
- DEFAULT: Enable and force the default JVM trust managers.
- ANY: Trust any client or server.
-
trustStore
String trustStore
Path to the keystore used to determine which certificates or certificate authorities should be trusted. Used when connecting to an LDAP server via LDAPS or startTLS connection. If left blank, the default truststore for the Java runtime is used. -
trustStorePassword
String trustStorePassword
Password needed to open the truststore. -
trustStoreType
String trustStoreType
The type of trust keystore that determines which certificates or certificate authorities are trusted. Types depend on the underlying java platform, typically PKCS12 or JKS. If left blank, defaults to the default keystore type indicated by the underlying Java platform. -
useStartTls
boolean useStartTls
Whether TLS should be used and enabled when establishing the connection. -
validateOnCheckout
boolean validateOnCheckout
Whether connections should be validated when loaned out from the pool. -
validatePeriod
String validatePeriod
Period at which pool should be validated. -
validatePeriodically
boolean validatePeriodically
Whether connections should be validated periodically when the pool is idle. -
validateTimeout
String validateTimeout
Period at which validation operations may time out. -
validator
LdapValidatorProperties validator
LDAP connection validator settings.
-
-
Class org.apereo.cas.configuration.model.support.ldap.AbstractLdapSearchProperties
class AbstractLdapSearchProperties extends AbstractLdapProperties implements Serializable- serialVersionUID:
- 3009946735155362639L
-
Serialized Fields
-
baseDn
String baseDn
Base DN to use. There may be scenarios where different parts of a single LDAP tree could be considered as base-dns. Rather than duplicating the LDAP configuration block for each individual base-dn, each entry can be specified and joined together using a special delimiter character. The user DN is retrieved using the combination of all base-dn and DN resolvers in the order defined. DN resolution should fail if multiple DNs are found. Otherwise the first DN found is returned. Usual syntax is: subtreeA,dc=example,dc=net|subtreeC,dc=example,dc=net. -
pageSize
int pageSize
Request that the server return results in batches of a specific size. See RFC 2696. This control is often used to work around server result size limits. A negative/zero value disables paged requests. -
searchEntryHandlers
List<LdapSearchEntryHandlersProperties> searchEntryHandlers
Search handlers. -
searchFilter
String searchFilter
User filter to use for searching. Syntax is cn={user} or cn={0}. You may also provide an external groovy script in the syntax of file:/path/to/GroovyScript.groovy to fully build the final filter template dynamically. -
subtreeSearch
boolean subtreeSearch
Whether subtree searching is allowed.
-
-
Class org.apereo.cas.configuration.model.support.ldap.CaseChangeSearchEntryHandlersProperties
class CaseChangeSearchEntryHandlersProperties extends Object implements Serializable- serialVersionUID:
- 2420895955116725666L
-
Serialized Fields
-
Class org.apereo.cas.configuration.model.support.ldap.DnAttributeSearchEntryHandlersProperties
class DnAttributeSearchEntryHandlersProperties extends Object implements Serializable- serialVersionUID:
- -1174594647679213858L
-
Serialized Fields
-
addIfExists
boolean addIfExists
The Add if exists. -
dnAttributeName
String dnAttributeName
The Dn attribute name.
-
-
Class org.apereo.cas.configuration.model.support.ldap.FollowReferralSearchEntryHandlersProperties
class FollowReferralSearchEntryHandlersProperties extends Object implements Serializable- serialVersionUID:
- 7138108925310792763L
-
Serialized Fields
-
limit
int limit
The default referral limit.
-
-
Class org.apereo.cas.configuration.model.support.ldap.FollowResultSearchEntryHandlersProperties
class FollowResultSearchEntryHandlersProperties extends Object implements Serializable- serialVersionUID:
- 7138108925310792763L
-
Serialized Fields
-
limit
int limit
The default referral limit.
-
-
Class org.apereo.cas.configuration.model.support.ldap.LdapAuthenticationProperties
class LdapAuthenticationProperties extends AbstractLdapAuthenticationProperties implements Serializable- serialVersionUID:
- -5357843463521189892L
-
Serialized Fields
-
additionalAttributes
List<String> additionalAttributes
List of additional attributes to retrieve, if any. -
allowMissingPrincipalAttributeValue
boolean allowMissingPrincipalAttributeValue
Flag to indicate whether CAS should block authentication if a specific/configured principal id attribute is not found. -
allowMultiplePrincipalAttributeValues
boolean allowMultiplePrincipalAttributeValues
Sets a flag that determines whether multiple values are allowed for the LdapAuthenticationProperties.principalAttributeId. This flag only has an effect if LdapAuthenticationProperties.principalAttributeId is configured. If multiple values are detected when the flag is false, the first value is used and a warning is logged. If multiple values are detected when the flag is true, an exception is raised. -
collectDnAttribute
boolean collectDnAttribute
Whether the entry DN should be collected as an attribute and stored into the principal. -
credentialCriteria
String credentialCriteria
A number of authentication handlers are allowed to determine whether they can operate on the provided credential and as such lend themselves to be tried and tested during the authentication handler selection phase. The credential criteria may be one of the following options:
- 1) A regular expression pattern that is tested against the credential identifier.
- 2) A fully qualified class name of your own design that implements Predicate.
- 3) Path to an external Groovy script that implements the same interface.
-
order
Integer order
Order of the authentication handler in the chain. -
passwordEncoder
PasswordEncoderProperties passwordEncoder
Password encoder settings for LDAP authentication. -
passwordPolicy
LdapPasswordPolicyProperties passwordPolicy
Password policy settings. -
principalAttributeId
String principalAttributeId
The attribute to use as the principal identifier built during and upon a successful authentication attempt. -
principalAttributeList
List<String> principalAttributeList
List of attributes to retrieve from LDAP. Attributes can be virtually remapped to multiple names. Example: cn:commonName,givenName,eduPersonTargettedId:SOME_IDENTIFIER. To fetch and resolve attributes that carry tags/options, consider tagging the mapped attribute as such: homePostalAddress:homePostalAddress;. -
principalDnAttributeName
String principalDnAttributeName
Name of attribute to be used for principal's DN. -
principalTransformation
PrincipalTransformationProperties principalTransformation
Principal transformation settings. -
state
AuthenticationHandlerStates state
Define the scope and state of this authentication handler and the lifecycle in which it can be invoked or activated.
-
-
Class org.apereo.cas.configuration.model.support.ldap.LdapAuthorizationProperties
class LdapAuthorizationProperties extends Object implements Serializable- serialVersionUID:
- -2680169790567609780L
-
Serialized Fields
-
allowMultipleResults
boolean allowMultipleResults
Indicate whether the LDAP search query is allowed to return multiple entries. -
baseDn
String baseDn
Base DN to start the search. -
groupAttribute
String groupAttribute
Attribute expected to be found on the entry resulting from the group search whose value is going to be used to construct roles. The final value is always prefixed with LdapAuthorizationProperties.groupPrefix. This is useful in scenarios where you wish to grant access to a resource to all users who are a member of a given group. -
groupBaseDn
String groupBaseDn
Base DN to start the search looking for groups. -
groupFilter
String groupFilter
Search filter to begin looking for groups. -
groupPrefix
String groupPrefix
A prefix that is prepended to the group attribute value to construct an authorized role. -
roleAttribute
String roleAttribute
Attribute expected to be found on the entry whose value is going to be used to construct roles. The final value is always prefixed with LdapAuthorizationProperties.rolePrefix. This is useful in scenarios where you wish to grant access to a resource to all users who carry a special attribute. -
rolePrefix
String rolePrefix
Prefix for the role. -
searchFilter
String searchFilter
LDAP search filter to locate accounts.
-
-
Class org.apereo.cas.configuration.model.support.ldap.LdapPasswordPolicyProperties
class LdapPasswordPolicyProperties extends PasswordPolicyProperties implements Serializable- serialVersionUID:
- -1878237508646993100L
-
Serialized Fields
-
customPolicyClass
String customPolicyClass
An implementation of a policy class that knows how to handle LDAP responses. The class must be an implementation of org.ldaptive.auth.AuthenticationResponseHandler. -
passwordExpirationNumberOfDays
int passwordExpirationNumberOfDays
This is used to calculate an expiration period for the account password. When defined, LDAP password policy handling will use the pwdLastSet attribute which must be returned from the LDAP authentication attempt. LDAP password policy handling will emit a warning for the pwdLastSet value plus the expiration amount. A negative value will disable the operations that calculate the expiration period. -
type
AbstractLdapProperties.LdapType type
LDAP type.
-
-
Class org.apereo.cas.configuration.model.support.ldap.LdapPrincipalAttributesProperties
class LdapPrincipalAttributesProperties extends AbstractLdapSearchProperties implements Serializable- serialVersionUID:
- 5760065368731012063L
-
Serialized Fields
-
attributes
Map<String,String> attributes
Map of attributes to fetch from the source. Attributes are defined using a key-value structure where CAS allows the attribute name/key to be renamed virtually to a different attribute. The key is the attribute fetched from the data source and the value is the attribute name CAS should use for virtual renames. Attributes may be allowed to be virtually renamed and remapped. The key in the attribute map is the original attribute, and the value should be the virtually-renamed attribute. To fetch and resolve attributes that carry tags/options, consider tagging the mapped attribute as such: affiliation=affiliation. -
id
String id
A value can be assigned to this field to uniquely identify this resolver. -
order
int order
The order of this attribute repository in the chain of repositories. Can be used to explicitly position this source in chain and affects merging strategies. -
queryAttributes
Map<String,String> queryAttributes
Define a Map of query attribute names to data-layer attribute names to use when building the query. The key is always the name of the query attribute that is defined by CAS and passed internally, and the value is the column/field that should map. -
state
AttributeRepositoryStates state
Whether attribute resolution based on this source is enabled. -
useAllQueryAttributes
boolean useAllQueryAttributes
Whether all existing attributes should be passed down to the query builder map and be used in the construction of the filter.
-
-
Class org.apereo.cas.configuration.model.support.ldap.LdapSearchEntryHandlersProperties
class LdapSearchEntryHandlersProperties extends Object implements Serializable- serialVersionUID:
- -5198990160347131821L
-
Serialized Fields
-
caseChange
CaseChangeSearchEntryHandlersProperties caseChange
Provides the ability to modify the case of search entry DNs, attribute names, and attribute values. -
dnAttribute
DnAttributeSearchEntryHandlersProperties dnAttribute
Adds the entry DN as an attribute to the result set. Provides a client side implementation of RFC 5020. -
mergeAttribute
MergeAttributesSearchEntryHandlersProperties mergeAttribute
Merges the values of one or more attributes into a single attribute. The merged attribute may or may not already exist on the entry. If it does exist, its existing values will remain intact. -
primaryGroupId
PrimaryGroupIdSearchEntryHandlersProperties primaryGroupId
Constructs the primary group SID and then searches for that group and puts its DN in the memberOf attribute of the original search entry. This handler requires that entries contain both the objectSid/primaryGroupID attributes. If those attributes are not found this handler is a no-op. This handler should be used in conjunction with the ObjectSidHandler to ensure the objectSid attribute is in the proper form. -
recursive
RecursiveSearchEntryHandlersProperties recursive
This recursively searches based on a supplied attribute and merges those results into the original entry. -
searchReferral
FollowReferralSearchEntryHandlersProperties searchReferral
Provides handling of an ldap referral for search operations. -
searchResult
FollowResultSearchEntryHandlersProperties searchResult
Provides handling of an ldap continuation reference for search operations. -
type
LdapSearchEntryHandlersProperties.SearchEntryHandlerTypes type
The type of search entry handler to choose.
-
-
Class org.apereo.cas.configuration.model.support.ldap.LdapValidatorProperties
class LdapValidatorProperties extends Object implements Serializable- serialVersionUID:
- 1150417354213235193L
-
Serialized Fields
-
attributeName
String attributeName
Attribute name to use for the compare validator. -
attributeValue
String attributeValue
Attribute values to use for the compare validator. -
baseDn
String baseDn
Base DN to use for the search request of the search validator. -
dn
String dn
DN to compare to use for the compare validator. -
scope
String scope
Search scope to use for the search request of the search validator. -
searchFilter
String searchFilter
Search filter to use for the search request of the search validator. -
type
String type
Determine the LDAP validator type. The following LDAP validators can be used to test connection health status:
- search: Validates a connection is healthy by performing a search operation. Validation is considered successful if the search result size is greater than zero.
- none: No validation takes place.
- compare: Validates a connection is healthy by performing a compare operation.
-
-
Class org.apereo.cas.configuration.model.support.ldap.MergeAttributesSearchEntryHandlersProperties
class MergeAttributesSearchEntryHandlersProperties extends Object implements Serializable- serialVersionUID:
- -3988972992084584349L
-
Class org.apereo.cas.configuration.model.support.ldap.PrimaryGroupIdSearchEntryHandlersProperties
class PrimaryGroupIdSearchEntryHandlersProperties extends Object implements Serializable- serialVersionUID:
- 539574118704476712L
-
Class org.apereo.cas.configuration.model.support.ldap.RecursiveSearchEntryHandlersProperties
class RecursiveSearchEntryHandlersProperties extends Object implements Serializable- serialVersionUID:
- 7138108925310792763L
-
-
Package org.apereo.cas.configuration.model.support.ldap.serviceregistry
-
Class org.apereo.cas.configuration.model.support.ldap.serviceregistry.LdapServiceRegistryProperties
class LdapServiceRegistryProperties extends AbstractLdapSearchProperties implements Serializable- serialVersionUID:
- 2372867394066286022L
-
Serialized Fields
-
idAttribute
String idAttribute
ID attribute used for the registered service entry in LDAP to keep track of the service numeric identifier. -
loadFilter
String loadFilter
The load filter used to load entries by the LdapServiceRegistryProperties.objectClass. This is typically used to load all definitions that might be mapped to a service definition. The search filter used to load entries by the LdapServiceRegistryProperties.idAttribute. This is typically used to load a specific service definition by its id during search operations. -
objectClass
String objectClass
Object class used for the registered service entry in LDAP. -
serviceDefinitionAttribute
String serviceDefinitionAttribute
Service definition attribute used for the registered service entry in LDAP to keep a representation of the service body.
-
-
-
Package org.apereo.cas.configuration.model.support.memcached
-
Class org.apereo.cas.configuration.model.support.memcached.BaseMemcachedProperties
class BaseMemcachedProperties extends Object implements Serializable- serialVersionUID:
- 514520518053691666L
-
Serialized Fields
-
daemon
boolean daemon
Deprecated. Set the daemon state of the IO thread (defaults to true). -
failureMode
String failureMode
Deprecated. Failure mode. Acceptable values are Redistribute, Retry, Cancel. -
hashAlgorithm
String hashAlgorithm
Deprecated. Hash algorithm. Acceptable values are NATIVE_HASH, CRC_HASH, FNV1_64_HASH, FNV1A_64_HASH, FNV1_32_HASH, FNV1A_32_HASH, KETAMA_HASH. -
kryoAutoReset
boolean kryoAutoReset
Deprecated. If true, reset is called automatically after an entire object graph has been read or written. If false, reset must be called manually, which allows unregistered class names, references, and other information to span multiple object graphs. -
kryoObjectsByReference
boolean kryoObjectsByReference
Deprecated. If true, each appearance of an object in the graph after the first is stored as an integer ordinal. When set to true, MapReferenceResolver is used. This enables references to the same object and cyclic graphs to be serialized, but typically adds overhead of one byte per object. -
kryoRegistrationRequired
boolean kryoRegistrationRequired
Deprecated. If true, an exception is thrown when an unregistered class is encountered. If false, when an unregistered class is encountered, its fully qualified class name will be serialized and the default serializer for the class used to serialize the object. Subsequent appearances of the class within the same object graph are serialized as an int id. Registered classes are serialized as an int id, avoiding the overhead of serializing the class name, but have the drawback of needing to know the classes to be serialized up front. See ComponentSerializationPlan for help here. -
locatorType
String locatorType
Deprecated. Locator mode. Acceptable values are ARRAY_MOD, CONSISTENT, VBUCKET. -
maxIdle
int maxIdle
Deprecated. Set the value for the maxTotal configuration attribute for pools created with this configuration instance. -
maxReconnectDelay
long maxReconnectDelay
Deprecated. Set the maximum reconnect delay. -
maxTotal
int maxTotal
Deprecated. Sets the cap on the number of objects that can be allocated by the pool (checked out to clients, or idle awaiting checkout) at a given time. Use a negative value for no limit. -
minIdle
int minIdle
Deprecated. Get the value for the minIdle configuration attribute for pools created with this configuration instance. -
opTimeout
long opTimeout
Deprecated. Set the default operation timeout in milliseconds. -
protocol
String protocol
Deprecated. Protocol. Acceptable values are TEXT, BINARY. -
servers
String servers
Deprecated. Comma-separated list of memcached servers. -
shouldOptimize
boolean shouldOptimize
Deprecated. Set to false if the default operation optimization is not desirable. -
shutdownTimeoutSeconds
long shutdownTimeoutSeconds
Deprecated. The number of seconds to wait for connections to finish before shutting down the client. -
timeoutExceptionThreshold
int timeoutExceptionThreshold
Deprecated. Set the maximum timeout exception threshold. -
transcoder
BaseMemcachedProperties.TranscoderTypes transcoder
Deprecated. Indicate the transcoder type. -
transcoderCompressionThreshold
int transcoderCompressionThreshold
Deprecated. For transcoders other than kryo, determines the compression threshold. Does not apply to kryo. -
useNagleAlgorithm
boolean useNagleAlgorithm
Deprecated. Set to true if you'd like to enable the Nagle algorithm.
-
-
Class org.apereo.cas.configuration.model.support.memcached.MemcachedTicketRegistryProperties
class MemcachedTicketRegistryProperties extends BaseMemcachedProperties implements Serializable- serialVersionUID:
- 509520518053691786L
-
Serialized Fields
-
crypto
EncryptionRandomizedSigningJwtCryptographyProperties crypto
Deprecated. Crypto settings for the registry.
-
-
-
Package org.apereo.cas.configuration.model.support.mfa
-
Class org.apereo.cas.configuration.model.support.mfa.AuthenticationAttributeMultifactorAuthenticationProperties
class AuthenticationAttributeMultifactorAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 6426521468929733907L
-
Serialized Fields
-
globalAuthenticationAttributeNameTriggers
String globalAuthenticationAttributeNameTriggers
MFA can be triggered for all users/subjects whose authentication event/metadata has resolved a specific attribute that matches one of the below conditions:
- Trigger MFA based on an authentication attribute(s) whose value(s) matches a regex pattern. Note that this behavior is only applicable if there is only a single MFA provider configured, since that would allow CAS to know what provider to next activate.
- Trigger MFA based on an authentication attribute(s) whose value(s) EXACTLY matches an MFA provider. This option is more relevant if you have more than one provider configured or if you have the flexibility of assigning provider ids to attributes as values.
-
globalAuthenticationAttributeValueRegex
String globalAuthenticationAttributeValueRegex
The regular expression that is cross-matched against the authentication attribute to determine if the account is qualified for multifactor authentication.
-
-
Class org.apereo.cas.configuration.model.support.mfa.BaseMultifactorAuthenticationProviderProperties
class BaseMultifactorAuthenticationProviderProperties extends Object implements Serializable- serialVersionUID:
- -2690281104343633871L
-
Serialized Fields
-
bypass
MultifactorAuthenticationProviderBypassProperties bypass
Multifactor bypass options for this provider. Each multifactor provider is equipped with options to allow for MFA bypass. Once the provider is chosen to honor the authentication request, bypass rules are then consulted to calculate whether the provider should ignore the request and skip MFA conditionally. -
failureMode
BaseMultifactorAuthenticationProviderProperties.MultifactorAuthenticationProviderFailureModes failureMode
The failure mode policy for this MFA provider. The authentication policy by default supports fail-closed mode, which means that if you attempt to exercise a particular provider available to CAS and the provider cannot be reached, authentication will be stopped and an error will be displayed. You can of course change this behavior so that authentication proceeds without exercising the provider functionality, if that provider cannot respond. Each defined multifactor authentication provider can set its own failure mode policy. Failure modes set at this location will override the global failure mode, but defer to any failure mode set by the registered service. -
id
String id
The identifier for the multifactor provider. In most cases, this need not be configured explicitly, unless multiple instances of the same provider type are configured in CAS. -
name
String name
The name of the authentication handler used to verify credentials in MFA. Remember that if you have more than one authentication handler of the same type, the names must be defined uniquely for each authentication scheme. Failing to do so may force CAS to not register authentication handlers with a duplicate name. -
order
int order
The order of the authentication handler in the chain. -
rank
int rank
At times, CAS needs to determine the correct provider when step-up authentication is required. Consider for a moment that CAS already has established an SSO session with/without a provider and has reached a level of authentication. Another incoming request attempts to exercise that SSO session with a different and often competing authentication requirement that may differ from the authentication level CAS has already established. Concretely, examples may be:
- CAS has achieved an SSO session, but a separate request now requires step-up authentication with DuoSecurity.
- CAS has achieved an SSO session with an authentication level satisfied by DuoSecurity, but a separate request now requires step-up authentication with YubiKey.
-
-
Class org.apereo.cas.configuration.model.support.mfa.GlobalMultifactorAuthenticationProperties
class GlobalMultifactorAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 5426522468929733907L
-
Serialized Fields
-
globalProviderId
String globalProviderId
MFA can be triggered for all applications and users regardless of individual settings. This setting holds the value of an MFA provider that shall be activated for all requests, regardless. Multiple provider identifiers can be specified here via a comma-separated syntax which may force CAS to launch into a provider selection and resolution flow.
-
-
Class org.apereo.cas.configuration.model.support.mfa.GroovyMultifactorAuthenticationProviderBypassProperties
class GroovyMultifactorAuthenticationProviderBypassProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 8079027843747126083L
-
Class org.apereo.cas.configuration.model.support.mfa.GrouperMultifactorAuthenticationProperties
class GrouperMultifactorAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 6426522468929733907L
-
Serialized Fields
-
grouperGroupField
String grouperGroupField
MFA can be triggered by Grouper groups to which the authenticated principal is assigned. Groups are collected by CAS and then cross-checked against all available/configured MFA providers. The group's comparing factor MUST be defined in CAS to activate this behavior, and it can be based on the group's name, display name, etc., where a successful match against a provider id shall activate the chosen MFA provider.
-
-
Class org.apereo.cas.configuration.model.support.mfa.InweboMultifactorAuthenticationProperties
class InweboMultifactorAuthenticationProperties extends BaseMultifactorAuthenticationProviderProperties implements Serializable- serialVersionUID:
- -942637204816051814L
-
Serialized Fields
-
browserAuthenticator
InweboMultifactorAuthenticationProperties.BrowserAuthenticatorTypes browserAuthenticator
The browser authenticator to use (or none). -
clientCertificate
ClientCertificateProperties clientCertificate
The client certificate. -
consoleAdminUrl
String consoleAdminUrl
Console admin API url. -
pushAuto
boolean pushAuto
Whether the push authentication should happen directly (without proposing the browser authentication if defined). -
pushEnabled
boolean pushEnabled
Whether the push notification (mobile/desktop) is enabled. -
serviceApiUrl
String serviceApiUrl
The service API url. -
serviceId
Long serviceId
The Inwebo service id. -
siteAlias
String siteAlias
The alias of the secured site. -
siteDescription
String siteDescription
The description of the secured site. -
trustedDeviceEnabled
boolean trustedDeviceEnabled
Indicates whether this provider should support trusted devices.
-
-
Class org.apereo.cas.configuration.model.support.mfa.MultifactorAuthenticationCoreProperties
class MultifactorAuthenticationCoreProperties extends Object implements Serializable- serialVersionUID:
- 7426521468929733907L
-
Serialized Fields
-
authenticationContextAttribute
String authenticationContextAttribute
Attribute returned in the final CAS validation payload that indicates the authentication context class satisfied in the event of a multifactor authentication attempt. -
contentType
String contentType
Content-type that is expected to be specified by non-web clients such as curl, etc., in the event that the provider supports variations of non-browser based MFA. The value is treated as a regular expression. -
globalFailureMode
BaseMultifactorAuthenticationProviderProperties.MultifactorAuthenticationProviderFailureModes globalFailureMode
Defines the global failure mode for the entire deployment. This is meant to be used as a shortcut to define the policy globally rather than per application. Applications registered with CAS can still define a failure mode and override the global. -
providerSelection
MultifactorAuthenticationProviderSelectionProperties providerSelection
In the event that multiple multifactor authentication providers are determined for a multifactor authentication transaction, the collection of settings here control mfa selection rules.
-
-
Class org.apereo.cas.configuration.model.support.mfa.MultifactorAuthenticationHttpTriggerProperties
class MultifactorAuthenticationHttpTriggerProperties extends Object implements Serializable- serialVersionUID:
- 5511521468929733907L
-
Serialized Fields
-
requestHeader
String requestHeader
MFA can be triggered for a specific authentication request, provided the initial request to the CAS /login endpoint contains a request header that indicates the required MFA authentication flow. The header name is configurable, but its value must match the authentication provider id of an available MFA provider. -
requestParameter
String requestParameter
MFA can be triggered for a specific authentication request, provided the initial request to the CAS /login endpoint contains a parameter that indicates the required MFA authentication flow. The parameter name is configurable, but its value must match the authentication provider id of an available MFA provider. -
sessionAttribute
String sessionAttribute
MFA can be triggered for a specific authentication request, provided the request contains a session/request attribute that indicates the required MFA authentication flow. The attribute name is configurable, but its value must match the authentication provider id of an available MFA provider.
-
-
Class org.apereo.cas.configuration.model.support.mfa.MultifactorAuthenticationProperties
class MultifactorAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 7416521468929733907L
-
Serialized Fields
-
core
MultifactorAuthenticationCoreProperties core
Multifactor authentication core/common settings. -
duo
List<DuoSecurityMultifactorAuthenticationProperties> duo
Activate and configure a multifactor authentication provider via Duo Security. -
gauth
GoogleAuthenticatorMultifactorProperties gauth
Activate and configure a multifactor authentication provider via Google Authenticator. -
groovyScript
SpringResourceProperties groovyScript
MFA can be triggered based on the results of a groovy script of your own design. The outcome of the script should determine the MFA provider id that CAS should attempt to activate. -
inwebo
InweboMultifactorAuthenticationProperties inwebo
Activate and configure a multifactor authentication provider via Inwebo. -
radius
RadiusMultifactorAuthenticationProperties radius
Activate and configure a multifactor authentication provider via RADIUS. -
simple
CasSimpleMultifactorAuthenticationProperties simple
Activate and configure a multifactor authentication provider via CAS itself. -
triggers
MultifactorAuthenticationTriggersProperties triggers
Multifactor authentication core/common settings for triggering mfa. -
trusted
TrustedDevicesMultifactorProperties trusted
Activate and configure multifactor authentication with the capability to trust and remember devices. -
webAuthn
WebAuthnMultifactorAuthenticationProperties webAuthn
Activate and configure a multifactor authentication provider via WebAuthN. -
yubikey
YubiKeyMultifactorAuthenticationProperties yubikey
Activate and configure a multifactor authentication provider via YubiKey.
-
-
Class org.apereo.cas.configuration.model.support.mfa.MultifactorAuthenticationProviderBypassProperties
class MultifactorAuthenticationProviderBypassProperties extends Object implements Serializable- serialVersionUID:
- -9181362378365850397L
-
Serialized Fields
-
authenticationAttributeName
String authenticationAttributeName
Skip multifactor authentication based on designated authentication attribute names. -
authenticationAttributeValue
String authenticationAttributeValue
Optionally, skip multifactor authentication based on designated authentication attribute values. Multiple values may be separated by a comma. -
authenticationHandlerName
String authenticationHandlerName
Skip multifactor authentication depending on the form of primary authentication execution. Specifically, skip multifactor if a particular authentication handler, noted by its name, is able to successfully authenticate credentials in the primary factor. Multiple values may be separated by a comma. -
authenticationMethodName
String authenticationMethodName
Skip multifactor authentication depending on method/form of primary authentication execution. Specifically, skip multifactor if the authentication method attribute collected as part of authentication metadata matches a certain value. Multiple values may be separated by a comma. -
credentialClassType
String credentialClassType
Skip multifactor authentication depending on form of primary credentials. Value must equal the fully qualified class name of the credential type. -
groovy
GroovyMultifactorAuthenticationProviderBypassProperties groovy
Handle bypass using a Groovy resource. -
httpRequestHeaders
String httpRequestHeaders
Skip multifactor authentication if the http request contains the defined header names. Header names may be comma-separated and can be regular expressions; values are ignored. -
httpRequestRemoteAddress
String httpRequestRemoteAddress
Skip multifactor authentication if the http request's remote address or host matches the value defined here. The value may be specified as a regular expression. -
principalAttributeName
String principalAttributeName
Skip multifactor authentication based on designated principal attribute names. -
principalAttributeValue
String principalAttributeValue
Optionally, skip multifactor authentication based on designated principal attribute values. -
rest
RestfulMultifactorAuthenticationProviderBypassProperties rest
Handle bypass using a REST endpoint.
-
-
Class org.apereo.cas.configuration.model.support.mfa.MultifactorAuthenticationProviderSelectionCookieProperties
class MultifactorAuthenticationProviderSelectionCookieProperties extends PinnableCookieProperties implements Serializable- serialVersionUID:
- 6265362204295764362L
-
Serialized Fields
-
autoConfigureCookiePath
boolean autoConfigureCookiePath
Decide if cookie paths should be automatically configured based on the application context path, when the cookie path is not configured. -
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Crypto settings that determine how the cookie should be signed and encrypted. -
enabled
boolean enabled
Whether MFA selection should be remembered with cookies.
-
-
Class org.apereo.cas.configuration.model.support.mfa.MultifactorAuthenticationProviderSelectionProperties
class MultifactorAuthenticationProviderSelectionProperties extends Object implements Serializable- serialVersionUID:
- 7426521468929733907L
-
Serialized Fields
-
cookie
MultifactorAuthenticationProviderSelectionCookieProperties cookie
Cookie settings that control how the selected mfa provider should be remembered. -
providerSelectionEnabled
boolean providerSelectionEnabled
In the event that multiple multifactor authentication providers are determined for a multifactor authentication transaction, this setting will allow one to interactively choose a provider out of the list of available providers. A trigger may be designed to support more than one provider, and rather than letting CAS auto-determine the selected provider via scripts or ranking strategies, this method puts the choice back onto the user to decide which provider makes the most sense at any given time. -
providerSelectorGroovyScript
SpringResourceProperties providerSelectorGroovyScript
In the event that multiple multifactor authentication providers are determined for a multifactor authentication transaction, by default CAS will attempt to sort the collection of providers based on their rank and will pick one with the highest priority. This use case may arise if multiple triggers are defined where each decides on a different multifactor authentication provider, or the same provider instance is configured multiple times with many instances. Provider selection may also be carried out using Groovy scripting strategies more dynamically. The following example should serve as an outline of how to select multifactor providers based on a Groovy script.
-
-
Class org.apereo.cas.configuration.model.support.mfa.MultifactorAuthenticationTriggersProperties
class MultifactorAuthenticationTriggersProperties extends Object implements Serializable- serialVersionUID:
- 7410521468929733907L
-
Serialized Fields
-
authentication
AuthenticationAttributeMultifactorAuthenticationProperties authentication
Activate MFA based on properties or attributes of the authentication. -
global
GlobalMultifactorAuthenticationProperties global
Activate MFA globally. -
grouper
GrouperMultifactorAuthenticationProperties grouper
Activate MFA based on grouper integration. -
http
MultifactorAuthenticationHttpTriggerProperties http
MFA triggers that operate based on the http request properties. -
principal
PrincipalAttributeMultifactorAuthenticationProperties principal
Activate MFA based on properties or attributes of the principal. -
rest
RestfulMultifactorAuthenticationProperties rest
MFA can be triggered based on the results of a remote REST endpoint of your design. If the endpoint is configured, CAS shall issue a POST, providing the principal and the service url. The body of the response in the event of a successful 200 status code is expected to be the MFA provider id which CAS should activate.
-
-
Class org.apereo.cas.configuration.model.support.mfa.PrincipalAttributeMultifactorAuthenticationProperties
class PrincipalAttributeMultifactorAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 7426521468929733907L
-
Serialized Fields
-
denyIfUnmatched
boolean denyIfUnmatched
Force CAS to deny and block the authentication attempt altogether if attribute name/value configuration cannot produce a successful match to trigger multifactor authentication. -
globalPrincipalAttributeNameTriggers
String globalPrincipalAttributeNameTriggers
MFA can be triggered for all users/subjects carrying a specific attribute that matches one of the conditions below.
- Trigger MFA based on principal attribute(s) whose value(s) match a regex pattern. Note that this behavior is only applicable if there is only a single MFA provider configured, since that is what allows CAS to know which provider to activate next.
- Trigger MFA based on principal attribute(s) whose value(s) EXACTLY match an MFA provider id. This option is more relevant if you have more than one provider configured or if you have the flexibility of assigning provider ids to attributes as values.
-
globalPrincipalAttributePredicate
SpringResourceProperties globalPrincipalAttributePredicate
This is a more generic variant of PrincipalAttributeMultifactorAuthenticationProperties.globalPrincipalAttributeNameTriggers. It may be useful in cases where there is more than one provider configured and available in the application runtime and you need to design a strategy to dynamically decide on the provider that should be activated for the request. The decision is handed off to a Predicate implementation defined in a Groovy script whose location is provided to CAS. -
globalPrincipalAttributeValueRegex
String globalPrincipalAttributeValueRegex
The regular expression that is matched against the principal attribute value to determine if the account qualifies for multifactor authentication. Matching and comparison operations are case insensitive. -
reverseMatch
boolean reverseMatch
Principal attribute triggers by default look for a positive match and the presence of a pattern in attribute values. If you are looking to reverse that behavior and trigger MFA when the attribute value does NOT match the given pattern, then set this flag to true. This option does not apply when a predicate trigger is used to decide on the provider, and is only relevant when PrincipalAttributeMultifactorAuthenticationProperties.globalPrincipalAttributeNameTriggers and PrincipalAttributeMultifactorAuthenticationProperties.globalPrincipalAttributeValueRegex are used.
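The following is an added model of the principal-attribute trigger decision described by the fields above (globalPrincipalAttributeNameTriggers, globalPrincipalAttributeValueRegex, reverseMatch, denyIfUnmatched). It is example code written for this page, not CAS's own trigger implementation, and it assumes: a full-string, case-insensitive regex match; that regex mode is used only when exactly one provider is configured and exact provider-id matching otherwise; and that a principal lacking the trigger attribute entirely never matches, even in reverse mode. The DENY sentinel and all attribute values are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Optional

# Sentinel returned when denyIfUnmatched is set and nothing matched
# (a name chosen for this model, not a CAS constant).
DENY = "DENY"


def select_mfa_provider(
    principal_attributes: Dict[str, Iterable[str]],
    attribute_name_triggers: str,
    attribute_value_regex: Optional[str],
    provider_ids: List[str],
    reverse_match: bool = False,
    deny_if_unmatched: bool = False,
) -> Optional[str]:
    """Decide which MFA provider (if any) a principal's attributes activate.

    Returns a provider id, None when MFA is not triggered, or DENY when
    deny_if_unmatched is set and no match was produced.
    """
    names = [n.strip() for n in attribute_name_triggers.split(",") if n.strip()]
    # Collect the values of every configured trigger attribute (exact name lookup).
    values = [str(v) for name in names for v in principal_attributes.get(name, [])]

    selected: Optional[str] = None
    if len(provider_ids) == 1 and attribute_value_regex:
        # Regex mode: only usable with a single provider, because a value that
        # merely matches a pattern cannot say which provider to activate.
        # Assumption of this model: full-string, case-insensitive match.
        pattern = re.compile(attribute_value_regex, re.IGNORECASE)
        matched = any(pattern.fullmatch(v) for v in values)
        # reverseMatch inverts the outcome of the regex comparison only; an
        # absent attribute (no values) is treated as "no decision" here.
        if values and matched != reverse_match:
            selected = provider_ids[0]
    else:
        # Exact-match mode: the attribute value names the provider id itself.
        # Comparison is case-insensitive, consistent with the regex setting.
        by_lower = {p.lower(): p for p in provider_ids}
        for v in values:
            if v.lower() in by_lower:
                selected = by_lower[v.lower()]
                break

    if selected is None and deny_if_unmatched:
        # denyIfUnmatched turns "no MFA" into a hard block of the attempt.
        return DENY
    return selected


if __name__ == "__main__":
    # Constructed sample principals.
    admin = {"memberOf": ["cn=staff", "cn=Admins"]}
    print(select_mfa_provider(admin, "memberOf", "cn=admin.*", ["mfa-duo"]))
    print(select_mfa_provider({"mfaProvider": ["MFA-GAUTH"]}, "mfaProvider",
                              None, ["mfa-duo", "mfa-gauth"]))
```

The two modes fail differently: in regex mode a non-matching value yields no MFA unless denyIfUnmatched is set, so a policy that relies on "admins always get MFA" should set that flag to turn a misconfigured or missing attribute into a denial rather than a silent single-factor login.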
-
-
Class org.apereo.cas.configuration.model.support.mfa.RadiusMultifactorAuthenticationProperties
class RadiusMultifactorAuthenticationProperties extends BaseMultifactorAuthenticationProviderProperties implements Serializable- serialVersionUID:
- 7021301814775348087L
-
Serialized Fields
-
allowedAuthenticationAttempts
long allowedAuthenticationAttempts
Total number of allowed authentication attempts with the radius mfa server before the authentication event is considered cancelled. A negative/zero value indicates that no limit is enforced. -
client
RadiusClientProperties client
RADIUS client settings. -
failoverOnAuthenticationFailure
boolean failoverOnAuthenticationFailure
In the event that radius authentication fails, fail over to the next server in the list. -
failoverOnException
boolean failoverOnException
In the event that radius authentication fails due to a catastrophic event, fail over to the next server in the list. -
server
RadiusServerProperties server
RADIUS server settings. -
trustedDeviceEnabled
boolean trustedDeviceEnabled
Indicates whether this provider should support trusted devices.
-
-
Class org.apereo.cas.configuration.model.support.mfa.RestfulMultifactorAuthenticationProperties
class RestfulMultifactorAuthenticationProperties extends RestEndpointProperties implements Serializable- serialVersionUID:
- 3659099897056632608L
-
Class org.apereo.cas.configuration.model.support.mfa.RestfulMultifactorAuthenticationProviderBypassProperties
class RestfulMultifactorAuthenticationProviderBypassProperties extends RestEndpointProperties implements Serializable- serialVersionUID:
- 1833594332973137011L
-
-
Package org.apereo.cas.configuration.model.support.mfa.duo
-
Class org.apereo.cas.configuration.model.support.mfa.duo.DuoSecurityMultifactorAuthenticationProperties
class DuoSecurityMultifactorAuthenticationProperties extends BaseMultifactorAuthenticationProviderProperties implements Serializable- serialVersionUID:
- -4655375354167880807L
-
Serialized Fields
-
accountStatusEnabled
boolean accountStatusEnabled
When set to true, CAS will contact Duo Security to check the user's account status and to evaluate whether the user qualifies for multifactor authentication from Duo's perspective. When disabled, the user's account status is assumed to require authentication with Duo and the API call is never made. -
duoAdminIntegrationKey
String duoAdminIntegrationKey
Duo admin integration key. -
duoAdminSecretKey
String duoAdminSecretKey
Duo admin secret key. -
duoApiHost
String duoApiHost
Duo API host and url. -
duoIntegrationKey
String duoIntegrationKey
Duo integration key. -
duoSecretKey
String duoSecretKey
Duo secret key. -
registration
DuoSecurityMultifactorAuthenticationRegistrationProperties registration
Settings for Duo registration of unenrolled accounts. -
trustedDeviceEnabled
boolean trustedDeviceEnabled
Indicates whether this provider should support trusted devices.
-
-
Class org.apereo.cas.configuration.model.support.mfa.duo.DuoSecurityMultifactorAuthenticationRegistrationProperties
class DuoSecurityMultifactorAuthenticationRegistrationProperties extends Object implements Serializable- serialVersionUID:
- -1655375354167880807L
-
Serialized Fields
-
crypto
EncryptionOptionalSigningOptionalJwtCryptographyProperties crypto
Crypto settings on duo registration payloads and redirects to the url. -
registrationUrl
String registrationUrl
Link to a registration app, typically developed in-house in order to allow new users to sign up for Duo functionality. If the user account status requires enrollment and this link is specified, CAS will redirect the authentication flow to this registration app. Otherwise, the default Duo mechanism for new-user registrations shall take over. Upon redirecting to the registration app, CAS would also build a principal parameter into the registration URL, typically in the form of a JSON web token that conveys the user's identity. This JWT can be signed and/or encrypted using settings defined via the DuoSecurityMultifactorAuthenticationRegistrationProperties.getCrypto() configuration block here.
-
-
-
Package org.apereo.cas.configuration.model.support.mfa.gauth
-
Class org.apereo.cas.configuration.model.support.mfa.gauth.CoreGoogleAuthenticatorMultifactorProperties
class CoreGoogleAuthenticatorMultifactorProperties extends Object implements Serializable- serialVersionUID:
- -7451748853833491119L
-
Serialized Fields
-
codeDigits
int codeDigits
Length of the generated code. -
issuer
String issuer
Issuer used in the barcode when dealing with device registration events. Used in the registration URL to identify CAS. -
label
String label
Label used in the barcode when dealing with device registration events. Used in the registration URL to identify CAS. -
multipleDeviceRegistrationEnabled
boolean multipleDeviceRegistrationEnabled
When enabled, allows the user/system to accept multiple accounts and device registrations per user, allowing one to switch between or register new devices/accounts automatically. -
scratchCodes
GoogleAuthenticatorMultifactorScratchCodeProperties scratchCodes
Scratch code settings. -
timeStepSize
long timeStepSize
The expiration time of the generated code in seconds. -
trustedDeviceEnabled
boolean trustedDeviceEnabled
Indicates whether this provider should support trusted devices. -
windowSize
int windowSize
Since TOTP passwords are time-based, it is essential that the clock of both the server and the client are synchronised within the tolerance defined here as the window size.
-
-
Class org.apereo.cas.configuration.model.support.mfa.gauth.DynamoDbGoogleAuthenticatorMultifactorProperties
class DynamoDbGoogleAuthenticatorMultifactorProperties extends AbstractDynamoDbProperties implements Serializable- serialVersionUID:
- -1161683393319585262L
-
Class org.apereo.cas.configuration.model.support.mfa.gauth.GoogleAuthenticatorMultifactorProperties
class GoogleAuthenticatorMultifactorProperties extends BaseMultifactorAuthenticationProviderProperties implements Serializable- serialVersionUID:
- -7401748853833491119L
-
Serialized Fields
-
cleaner
ScheduledJobProperties cleaner
Control how stale expired tokens should be cleared from the underlying store. -
core
CoreGoogleAuthenticatorMultifactorProperties core
Core/common settings for Google Multifactor authentication. -
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Crypto settings that sign/encrypt the records. -
dynamoDb
DynamoDbGoogleAuthenticatorMultifactorProperties dynamoDb
Store google authenticator devices inside a DynamoDb instance. -
jpa
JpaGoogleAuthenticatorMultifactorProperties jpa
Store google authenticator devices inside a jdbc instance. -
json
JsonGoogleAuthenticatorMultifactorProperties json
Store google authenticator devices inside a json file. -
ldap
LdapGoogleAuthenticatorMultifactorProperties ldap
Store google authenticator devices inside an LDAP directory. -
mongo
MongoDbGoogleAuthenticatorMultifactorProperties mongo
Store google authenticator devices inside a MongoDb instance. -
redis
RedisGoogleAuthenticatorMultifactorProperties redis
Store google authenticator devices via Redis. -
rest
RestfulGoogleAuthenticatorMultifactorProperties rest
Store google authenticator devices via a rest interface.
-
-
Class org.apereo.cas.configuration.model.support.mfa.gauth.GoogleAuthenticatorMultifactorScratchCodeProperties
class GoogleAuthenticatorMultifactorScratchCodeProperties extends Object implements Serializable- serialVersionUID:
- 8740203143088539401L
-
Serialized Fields
-
encryption
EncryptionRandomizedCryptoProperties encryption
Settings that deal with encryption of values.
-
-
Class org.apereo.cas.configuration.model.support.mfa.gauth.JpaGoogleAuthenticatorMultifactorProperties
class JpaGoogleAuthenticatorMultifactorProperties extends AbstractJpaProperties implements Serializable- serialVersionUID:
- -2689797889546802618L
-
Class org.apereo.cas.configuration.model.support.mfa.gauth.JsonGoogleAuthenticatorMultifactorProperties
class JsonGoogleAuthenticatorMultifactorProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 4303355159388663888L
-
Class org.apereo.cas.configuration.model.support.mfa.gauth.LdapGoogleAuthenticatorMultifactorProperties
class LdapGoogleAuthenticatorMultifactorProperties extends AbstractLdapSearchProperties implements Serializable- serialVersionUID:
- -100556119517414696L
-
Serialized Fields
-
accountAttributeName
String accountAttributeName
Name of LDAP attribute that holds GAuth account/credential as JSON.
-
-
Class org.apereo.cas.configuration.model.support.mfa.gauth.MongoDbGoogleAuthenticatorMultifactorProperties
class MongoDbGoogleAuthenticatorMultifactorProperties extends SingleCollectionMongoDbProperties implements Serializable- serialVersionUID:
- -200556119517414696L
-
Serialized Fields
-
tokenCollection
String tokenCollection
Collection name where tokens are kept to prevent replay attacks.
-
-
Class org.apereo.cas.configuration.model.support.mfa.gauth.RedisGoogleAuthenticatorMultifactorProperties
class RedisGoogleAuthenticatorMultifactorProperties extends BaseRedisProperties implements Serializable- serialVersionUID:
- -1260683393319585262L
-
Class org.apereo.cas.configuration.model.support.mfa.gauth.RestfulGoogleAuthenticatorMultifactorProperties
class RestfulGoogleAuthenticatorMultifactorProperties extends BaseRestEndpointProperties implements Serializable- serialVersionUID:
- 4518622579150572559L
-
Serialized Fields
-
tokenUrl
String tokenUrl
Endpoint url of the REST resource used for tokens that are kept to prevent replay attacks.
-
-
-
Package org.apereo.cas.configuration.model.support.mfa.simple
-
Class org.apereo.cas.configuration.model.support.mfa.simple.CasSimpleMultifactorAuthenticationBucket4jProperties
class CasSimpleMultifactorAuthenticationBucket4jProperties extends BaseBucket4jProperties implements Serializable- serialVersionUID:
- -2432886337199727140L
-
Class org.apereo.cas.configuration.model.support.mfa.simple.CasSimpleMultifactorAuthenticationProperties
class CasSimpleMultifactorAuthenticationProperties extends BaseMultifactorAuthenticationProviderProperties implements Serializable- serialVersionUID:
- -9211748853833491119L
-
Serialized Fields
-
bucket4j
CasSimpleMultifactorAuthenticationBucket4jProperties bucket4j
Settings related to throttling requests using bucket4j. -
mail
EmailProperties mail
Email settings for notifications. -
phone
PhoneProperties phone
Phone call settings for notifications. -
sms
SmsProperties sms
SMS settings for notifications. -
token
CasSimpleMultifactorAuthenticationTokenProperties token
Properties related to token management and policy. -
trustedDeviceEnabled
boolean trustedDeviceEnabled
Indicates whether this provider should support trusted devices.
-
-
Class org.apereo.cas.configuration.model.support.mfa.simple.CasSimpleMultifactorAuthenticationTokenProperties
class CasSimpleMultifactorAuthenticationTokenProperties extends BaseMultifactorAuthenticationProviderProperties implements Serializable- serialVersionUID:
- -6333748853833491119L
-
Serialized Fields
-
core
CoreCasSimpleMultifactorAuthenticationTokenProperties core
Settings for token management when tokens are managed by CAS itself. -
rest
RestfulCasSimpleMultifactorAuthenticationTokenProperties rest
Settings for token management when tokens are managed by a REST endpoint/API.
-
-
Class org.apereo.cas.configuration.model.support.mfa.simple.CoreCasSimpleMultifactorAuthenticationTokenProperties
class CoreCasSimpleMultifactorAuthenticationTokenProperties extends Object implements Serializable- serialVersionUID:
- -6333748853833491119L
-
Serialized Fields
-
timeToKillInSeconds
long timeToKillInSeconds
Time in seconds that CAS tokens should be considered live in CAS server. -
tokenLength
int tokenLength
The length of the generated token.
-
-
Class org.apereo.cas.configuration.model.support.mfa.simple.RestfulCasSimpleMultifactorAuthenticationTokenProperties
class RestfulCasSimpleMultifactorAuthenticationTokenProperties extends RestEndpointProperties implements Serializable- serialVersionUID:
- -6333748853833491119L
-
-
Package org.apereo.cas.configuration.model.support.mfa.trusteddevice
-
Class org.apereo.cas.configuration.model.support.mfa.trusteddevice.BaseDeviceFingerprintComponentProperties
class BaseDeviceFingerprintComponentProperties extends Object implements Serializable- serialVersionUID:
- 46126170193036440L
-
Serialized Fields
-
enabled
boolean enabled
Is this component enabled or not. -
order
int order
Indicates the order of components when generating a device fingerprint.
-
-
Class org.apereo.cas.configuration.model.support.mfa.trusteddevice.DeviceFingerprintProperties
class DeviceFingerprintProperties extends Object implements Serializable- serialVersionUID:
- 747021103142441353L
-
Serialized Fields
-
clientIp
DeviceFingerprintProperties.ClientIp clientIp
Configure usage of client ip within trusted device fingerprints. -
componentSeparator
String componentSeparator
Component Separator for device fingerprints. -
cookie
DeviceFingerprintProperties.Cookie cookie
Configure usage of a device cookie within trusted device fingerprints. -
geolocation
DeviceFingerprintProperties.GeoLocation geolocation
Configure usage of geo-location within trusted device fingerprints. -
userAgent
DeviceFingerprintProperties.UserAgent userAgent
Configure usage of User-Agent header within trusted device fingerprints.
-
-
Class org.apereo.cas.configuration.model.support.mfa.trusteddevice.DeviceFingerprintProperties.ClientIp
class ClientIp extends BaseDeviceFingerprintComponentProperties implements Serializable- serialVersionUID:
- 785014133279201757L
-
Class org.apereo.cas.configuration.model.support.mfa.trusteddevice.DeviceFingerprintProperties.Cookie
class Cookie extends CookieProperties implements Serializable- serialVersionUID:
- -9022498833437602657L
-
Serialized Fields
-
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Crypto settings that sign/encrypt the cookie value stored on the client machine. -
enabled
boolean enabled
Is this component enabled or not. -
order
int order
Indicates the order of components when generating a device fingerprint.
-
-
Class org.apereo.cas.configuration.model.support.mfa.trusteddevice.DeviceFingerprintProperties.GeoLocation
class GeoLocation extends BaseDeviceFingerprintComponentProperties implements Serializable- serialVersionUID:
- -4125531035180836136L
-
Class org.apereo.cas.configuration.model.support.mfa.trusteddevice.DeviceFingerprintProperties.UserAgent
class UserAgent extends BaseDeviceFingerprintComponentProperties implements Serializable- serialVersionUID:
- -5325531035180836136L
-
Class org.apereo.cas.configuration.model.support.mfa.trusteddevice.JpaTrustedDevicesMultifactorProperties
class JpaTrustedDevicesMultifactorProperties extends AbstractJpaProperties implements Serializable- serialVersionUID:
- -8329950619696176349L
-
Class org.apereo.cas.configuration.model.support.mfa.trusteddevice.JsonTrustedDevicesMultifactorProperties
class JsonTrustedDevicesMultifactorProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- -8690563713141571620L
-
Class org.apereo.cas.configuration.model.support.mfa.trusteddevice.MongoDbTrustedDevicesMultifactorProperties
class MongoDbTrustedDevicesMultifactorProperties extends SingleCollectionMongoDbProperties implements Serializable- serialVersionUID:
- 4940497540189318943L
-
Class org.apereo.cas.configuration.model.support.mfa.trusteddevice.RedisTrustedDevicesMultifactorProperties
class RedisTrustedDevicesMultifactorProperties extends BaseRedisProperties implements Serializable- serialVersionUID:
- -2261683393319585262L
-
Class org.apereo.cas.configuration.model.support.mfa.trusteddevice.RestfulTrustedDevicesMultifactorProperties
class RestfulTrustedDevicesMultifactorProperties extends RestEndpointProperties implements Serializable- serialVersionUID:
- 3659099897056632608L
-
Class org.apereo.cas.configuration.model.support.mfa.trusteddevice.TrustedDevicesMultifactorCoreProperties
class TrustedDevicesMultifactorCoreProperties extends Object implements Serializable- serialVersionUID:
- 1585013239016790473L
-
Serialized Fields
-
authenticationContextAttribute
String authenticationContextAttribute
If an MFA request is bypassed due to a trusted authentication decision, applications will receive a special attribute as part of the validation payload that indicates this behavior. Applications must further account for the scenario where they ask for an MFA mode and yet don’t receive confirmation of it in the response given the authentication session was trusted and MFA bypassed. -
autoAssignDeviceName
boolean autoAssignDeviceName
When device registration is enabled, indicate whether a device name should be automatically selected and assigned by CAS. -
deviceRegistrationEnabled
boolean deviceRegistrationEnabled
Indicates whether CAS should ask for device registration consent or execute it automatically.
-
-
Class org.apereo.cas.configuration.model.support.mfa.trusteddevice.TrustedDevicesMultifactorProperties
class TrustedDevicesMultifactorProperties extends Object implements Serializable- serialVersionUID:
- 1505013239016790473L
-
Serialized Fields
-
cleaner
ScheduledJobProperties cleaner
Settings that control the background cleaner process. -
core
TrustedDevicesMultifactorCoreProperties core
Trusted devices core settings. -
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Crypto settings that sign/encrypt the device records. -
deviceFingerprint
DeviceFingerprintProperties deviceFingerprint
Configure how device fingerprints are generated. -
dynamoDb
DynamoDbTrustedDevicesMultifactorProperties dynamoDb
Store device records inside DynamoDb. -
jpa
JpaTrustedDevicesMultifactorProperties jpa
Store device records via JDBC resources. -
json
JsonTrustedDevicesMultifactorProperties json
Record trusted devices via a JSON resource. -
mongo
MongoDbTrustedDevicesMultifactorProperties mongo
Store device records inside MongoDb. -
redis
RedisTrustedDevicesMultifactorProperties redis
Store device records inside Redis. -
rest
RestfulTrustedDevicesMultifactorProperties rest
Store device records via REST.
-
-
-
Package org.apereo.cas.configuration.model.support.mfa.webauthn
-
Class org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnDynamoDbMultifactorProperties
class WebAuthnDynamoDbMultifactorProperties extends AbstractDynamoDbProperties implements Serializable- serialVersionUID:
- -2261683393319585262L
-
Serialized Fields
-
tableName
String tableName
The table name used and created by CAS to hold records in DynamoDb.
-
-
Class org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnJpaMultifactorProperties
class WebAuthnJpaMultifactorProperties extends AbstractJpaProperties implements Serializable- serialVersionUID:
- -4114840263678287815L
-
Class org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnJsonMultifactorProperties
class WebAuthnJsonMultifactorProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- -1283660787308509919L
-
Class org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnLdapMultifactorProperties
class WebAuthnLdapMultifactorProperties extends AbstractLdapSearchProperties implements Serializable- serialVersionUID:
- -1161683393319585262L
-
Serialized Fields
-
accountAttributeName
String accountAttributeName
Name of LDAP attribute that holds WebAuthn account/credential as JSON.
-
-
Class org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnMongoDbMultifactorProperties
class WebAuthnMongoDbMultifactorProperties extends SingleCollectionMongoDbProperties implements Serializable- serialVersionUID:
- 6876845341227039713L
-
Class org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnMultifactorAttestationTrustSourceFidoProperties
class WebAuthnMultifactorAttestationTrustSourceFidoProperties extends Object implements Serializable- serialVersionUID:
- -6224841263678287815L
-
Serialized Fields
-
blobCacheFile
File blobCacheFile
Cache the metadata BLOB in this file. If the cache file exists, is a normal file, is readable, and is not out of date, then it will be used as the FIDO Metadata Service BLOB. Otherwise, the metadata BLOB will be downloaded and written to this file.
-
legalHeader
String legalHeader
Set the legal headers expected in the metadata BLOB. By using the FIDO Metadata Service, you will be subject to its terms of service. This setting serves two purposes: to remind you and any adopters/reviewers that you need to read those terms of service before using this feature, and to help you detect if the legal header changes, so you can take appropriate action.
If the legal header in the downloaded BLOB does not equal any of the expected headers, an exception will be thrown in the finalizing configuration step.
Note that CAS makes no guarantee that a change to the FIDO Metadata Service terms of service will also cause a change to the legal header in the BLOB.
The current legal header is noted by WebAuthnMultifactorAttestationTrustSourceFidoProperties.DEFAULT_LEGAL_HEADER, which is the following:
"Retrieval and use of this BLOB indicates acceptance of the appropriate agreement located at https://fidoalliance.org/metadata/metadata-legal-terms/". -
metadataBlobUrl
String metadataBlobUrl
Download the metadata BLOB from the FIDO website. This is the current FIDO Metadata Service BLOB download URL. -
trustRootCacheFile
File trustRootCacheFile
Cache the trust root certificate in this file. If the cache file exists, is a normal file, is readable, matches one of the configured SHA-256 hashes, and contains a currently valid X.509 certificate, then it will be used as the trust root for the FIDO Metadata Service BLOB. Otherwise, the trust root certificate will be downloaded and written to this file.
-
trustRootHash
String trustRootHash
Certificate SHA-256 hash required for PKI to verify the downloaded certificate. Separate hash values with a comma. -
trustRootUrl
String trustRootUrl
Certificate required for PKI to verify the downloaded BLOB. This is the current FIDO Metadata Service trust root certificate. If the certificate is downloaded, it is also written to the cache file. The certificate will be downloaded if it does not exist in the cache, or if the cached certificate is not currently valid.
-
-
Class org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnMultifactorAttestationTrustSourceProperties
class WebAuthnMultifactorAttestationTrustSourceProperties extends Object implements Serializable- serialVersionUID:
- -4224840263678287815L
-
Serialized Fields
-
fido
WebAuthnMultifactorAttestationTrustSourceFidoProperties fido
The FIDO Alliance Metadata Service (MDS) is a centralized repository of the Metadata Statements that relying parties use to validate authenticator attestation and prove the genuineness of the device model. MDS also provides information about the certification status of the authenticators and any security issues found. Organizations deploying FIDO Authentication are able to use this information to select specific certification levels as required for compliance, and to work through the security notifications to ensure effective incident response. -
trustedDeviceMetadata
SpringResourceProperties trustedDeviceMetadata
Trusted device metadata to contain trusted attestation root certificates to pre-seed the metadata service.
-
-
Class org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnMultifactorAuthenticationCoreProperties
class WebAuthnMultifactorAuthenticationCoreProperties extends Object implements Serializable- serialVersionUID:
- -919073482703977440L
-
Serialized Fields
-
allowedOrigins
String allowedOrigins
The allowed origins that returned authenticator responses will be compared against. The default is set to the server name. A successful registration or authentication operation requires origins to exactly equal one of these values. -
allowPrimaryAuthentication
boolean allowPrimaryAuthentication
Configure the authentication flow to allow WebAuthn to be used as the first, primary factor for authentication. Registered accounts with a valid WebAuthn registration record can choose to log in using their device as the first step. -
allowUntrustedAttestation
boolean allowUntrustedAttestation
If false, the finish-registration operation will only allow registrations where the attestation signature can be linked to a trusted attestation root. This excludes self attestation and none attestation. Regardless of the value of this option, invalid attestation statements of supported formats will always be rejected. For example, a "packed" attestation statement with an invalid signature will be rejected even if this option is set to true. -
applicationId
String applicationId
The extension input to set for the appid extension when initiating authentication operations. If this member is set, starting an assertion operation will automatically set the appid extension input, and the finish-assertion operation will adjust its verification logic to also accept this AppID as an alternative to the RP ID. By default, this is not set. -
attestationConveyancePreference
String attestationConveyancePreference
Accepted values are: DIRECT, INDIRECT, NONE. The argument for the attestation parameter in registration operations. Unless your application has a concrete policy for authenticator attestation, it is recommended to leave this parameter undefined. -
displayNameAttribute
String displayNameAttribute
Name of the principal attribute that indicates the principal's display name, primarily used for device registration. -
enabled
boolean enabled
Whether WebAuthn functionality should be activated and enabled. -
expireDevices
long expireDevices
Expire and forget device registration records after this period. -
expireDevicesTimeUnit
TimeUnit expireDevicesTimeUnit
Device registration record expiration time unit. -
multipleDeviceRegistrationEnabled
boolean multipleDeviceRegistrationEnabled
When enabled, allows the user/system to accept multiple accounts and device registrations per user, allowing one to switch between or register new devices/accounts automatically. -
relyingPartyId
String relyingPartyId
The id that will be set as the rp parameter when initiating registration operations, and whose hash will be compared against. This is a required parameter. A successful registration or authentication operation requires the rp id hash to exactly equal the SHA-256 hash of this id. Alternatively, it may instead equal the SHA-256 hash of the application id if the latter is present. -
relyingPartyName
String relyingPartyName
The human-palatable name of the Relying Party. -
trustedDeviceEnabled
boolean trustedDeviceEnabled
Indicates whether this provider should support trusted devices. -
trustSource
WebAuthnMultifactorAttestationTrustSourceProperties trustSource
Trusted device metadata to contain trusted attestation root certificates to pre-seed the metadata service. -
validateSignatureCounter
boolean validateSignatureCounter
If true, the finish-assertion operation will fail if the signature counter value in the response is not strictly greater than the stored signature counter value.
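The origin, RP ID hash and signature-counter checks described for allowedOrigins, relyingPartyId, applicationId and validateSignatureCounter above fit together into one finish-assertion decision. The following model is added for this page; it is not CAS's or any WebAuthn library's code, it does not verify the assertion signature itself, and the config/record/response classes and every sample value (origins, credential id, counters) are constructed for the example. Field names on the config class mirror the settings above.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class WebAuthnCoreConfig:
    """Subset of the core settings above; names mirror the configuration fields."""
    allowedOrigins: str                      # comma-separated exact origins
    relyingPartyId: str
    applicationId: Optional[str] = None      # appid extension, off by default
    validateSignatureCounter: bool = True


@dataclass
class StoredCredential:
    credential_id: str
    signature_counter: int


@dataclass
class AssertionResponse:
    """The parts of an authenticator assertion this model inspects."""
    credential_id: str
    origin: str             # from clientDataJSON
    rp_id_hash: bytes       # first 32 bytes of authenticatorData
    signature_counter: int  # from authenticatorData


def rp_hash(value: str) -> bytes:
    return hashlib.sha256(value.encode("utf-8")).digest()


def origin_allowed(origin: str, allowed_origins: str) -> bool:
    # Exact equality against one configured origin: no prefix, suffix or wildcard matching.
    return origin in {o.strip() for o in allowed_origins.split(",") if o.strip()}


def rp_id_hash_valid(rp_id_hash: bytes, relying_party_id: str,
                     application_id: Optional[str]) -> bool:
    expected = {rp_hash(relying_party_id)}
    if application_id:
        # With the appid extension configured, the AppID hash is an accepted alternative.
        expected.add(rp_hash(application_id))
    return rp_id_hash in expected


def signature_counter_valid(received: int, stored: int, validate: bool) -> bool:
    # Strictly greater, as stated above. A counter that stalls or goes backwards is
    # the classic signal that a credential's private key exists on more than one device.
    return (not validate) or received > stored


def finish_assertion(cfg: WebAuthnCoreConfig, stored: StoredCredential,
                     resp: AssertionResponse) -> Tuple[bool, str, int]:
    """Return (accepted, reason, counter_to_store) for an assertion response."""
    if resp.credential_id != stored.credential_id:
        return False, "unknown credential", stored.signature_counter
    if not origin_allowed(resp.origin, cfg.allowedOrigins):
        return False, "origin not allowed", stored.signature_counter
    if not rp_id_hash_valid(resp.rp_id_hash, cfg.relyingPartyId, cfg.applicationId):
        return False, "rp id hash mismatch", stored.signature_counter
    if not signature_counter_valid(resp.signature_counter, stored.signature_counter,
                                   cfg.validateSignatureCounter):
        return False, "signature counter not increased", stored.signature_counter
    # Persist the larger counter so a later replay of this response is rejected.
    return True, "ok", max(resp.signature_counter, stored.signature_counter)


if __name__ == "__main__":
    cfg = WebAuthnCoreConfig(allowedOrigins="https://sso.example.org",
                             relyingPartyId="example.org")
    stored = StoredCredential("cred-1", 10)
    resp = AssertionResponse("cred-1", "https://sso.example.org", rp_hash("example.org"), 11)
    print(finish_assertion(cfg, stored, resp))  # (True, 'ok', 11)
```

Disabling validateSignatureCounter keeps authenticators that always report 0 working, but it also removes the only clone-detection signal in the flow; the counter rejection reason is worth surfacing in audit events so a stalled counter on a real user's credential can be investigated rather than silently retried.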
-
-
Class org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnMultifactorAuthenticationProperties
class WebAuthnMultifactorAuthenticationProperties extends BaseMultifactorAuthenticationProviderProperties implements Serializable- serialVersionUID:
- 4211350313777066398L
-
Serialized Fields
-
cleaner
ScheduledJobProperties cleaner
Clean up expired records via a background cleaner process. -
core
WebAuthnMultifactorAuthenticationCoreProperties core
WebAuthn core settings. -
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Properties and settings related to device registration records and encryption. -
dynamoDb
WebAuthnDynamoDbMultifactorProperties dynamoDb
Store device registration records inside a dynamodb resource. -
jpa
WebAuthnJpaMultifactorProperties jpa
Store device registration records inside a JDBC resource. -
json
WebAuthnJsonMultifactorProperties json
Store device registration records inside a static JSON resource. -
ldap
WebAuthnLdapMultifactorProperties ldap
Store device registration records inside an LDAP directory. -
mongo
WebAuthnMongoDbMultifactorProperties mongo
Keep device registration records inside a MongoDb resource. -
redis
WebAuthnRedisMultifactorProperties redis
Store device registration records inside a redis resource. -
rest
WebAuthnRestfulMultifactorProperties rest
Store device registration records via external REST APIs.
-
-
Class org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRedisMultifactorProperties
class WebAuthnRedisMultifactorProperties extends BaseRedisProperties implements Serializable- serialVersionUID:
- -2261683393319585262L
-
Class org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRestfulMultifactorProperties
class WebAuthnRestfulMultifactorProperties extends RestEndpointProperties implements Serializable- serialVersionUID:
- -77291036299848782L
-
-
Package org.apereo.cas.configuration.model.support.mfa.yubikey
-
Class org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyDynamoDbMultifactorProperties
class YubiKeyDynamoDbMultifactorProperties extends AbstractDynamoDbProperties implements Serializable- serialVersionUID:
- 321667148774858855L
-
Serialized Fields
-
tableName
String tableName
The table name used and created by CAS to hold devices in DynamoDb.
-
-
Class org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyJpaMultifactorProperties
class YubiKeyJpaMultifactorProperties extends AbstractJpaProperties implements Serializable- serialVersionUID:
- -4420099402220880361L
-
Class org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyMongoDbMultifactorProperties
class YubiKeyMongoDbMultifactorProperties extends SingleCollectionMongoDbProperties implements Serializable- serialVersionUID:
- 6876845341227039713L
-
Class org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyMultifactorAuthenticationProperties
class YubiKeyMultifactorAuthenticationProperties extends BaseMultifactorAuthenticationProviderProperties implements Serializable- serialVersionUID:
- 9138057706201201089L
-
Serialized Fields
-
allowedDevices
Map<String, String> allowedDevices
Collection of allowed devices per user. This is a key-value structure where the key is the user and the value is the allowed collection of yubikey device ids. -
apiUrls
List<String> apiUrls
YubiKey API urls to contact for verification of credentials. -
clientId
Integer clientId
Yubikey client id. -
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Crypto settings that sign/encrypt the yubikey registration records. -
dynamoDb
YubiKeyDynamoDbMultifactorProperties dynamoDb
Keep device registration records inside a dynamo db resource. -
jpa
YubiKeyJpaMultifactorProperties jpa
Keep device registration records inside a JDBC resource. -
mongo
YubiKeyMongoDbMultifactorProperties mongo
Keep device registration records inside a MongoDb resource. -
multipleDeviceRegistrationEnabled
boolean multipleDeviceRegistrationEnabled
When enabled, allows the user/system to accept multiple accounts and device registrations per user, allowing one to switch between or register new devices/accounts automatically. -
redis
YubiKeyRedisMultifactorProperties redis
Keep device registration records inside a redis resource. -
rest
YubiKeyRestfulMultifactorProperties rest
Keep device registration records inside a rest api. -
secretKey
String secretKey
Yubikey secret key. -
trustedDeviceEnabled
boolean trustedDeviceEnabled
Indicates whether this provider should support trusted devices. -
validator
YubiKeyMultifactorAuthenticationProperties.YubiKeyDeviceValidationOptions validator
Define the strategy that controls how devices should be validated.
-
-
Class org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties
class YubiKeyRedisMultifactorProperties extends BaseRedisProperties implements Serializable- serialVersionUID:
- -1261683393319585262L
-
Class org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRestfulMultifactorProperties
class YubiKeyRestfulMultifactorProperties extends RestEndpointProperties implements Serializable- serialVersionUID:
- -33291036299848782L
-
-
Package org.apereo.cas.configuration.model.support.mongo
-
Class org.apereo.cas.configuration.model.support.mongo.BaseMongoDbProperties
class BaseMongoDbProperties extends Object implements Serializable- serialVersionUID:
- -2471243083598934186L
-
Serialized Fields
-
authenticationDatabaseName
String authenticationDatabaseName
Name of the database to use for authentication. -
clientUri
String clientUri
The connection uri to the mongodb instance. This typically takes on the form of mongodb://user:[email protected]:35522/db. If not specified, will fall back onto other individual settings. If specified, takes over all other settings where applicable. -
databaseName
String databaseName
MongoDb database instance name. -
host
String host
MongoDb database host for authentication. Multiple host addresses may be defined, separated by comma. If more than one host is defined, it is assumed that each host contains the port as well, if any. Otherwise the configuration may fallback onto the port defined. -
password
String password
MongoDb database password for authentication. -
pool
MongoDbConnectionPoolProperties pool
Core connection-related settings. -
port
int port
MongoDb database port. -
readConcern
String readConcern
Read concern. Accepted values are: LOCAL, MAJORITY, LINEARIZABLE, SNAPSHOT, AVAILABLE. -
readPreference
String readPreference
Read preference. Accepted values are: PRIMARY, SECONDARY, SECONDARY_PREFERRED, PRIMARY_PREFERRED, NEAREST. -
replicaSet
String replicaSet
A replica set in MongoDB is a group of mongod processes that maintain the same data set. Replica sets provide redundancy and high availability, and are the basis for all production deployments. -
retryWrites
boolean retryWrites
Sets whether writes should be retried if they fail due to a network error. -
socketKeepAlive
boolean socketKeepAlive
Whether the database socket connection should be tagged with keep-alive. -
sslEnabled
boolean sslEnabled
Whether connections require SSL. -
timeout
String timeout
MongoDb database connection timeout. -
userId
String userId
MongoDb database user for authentication. -
writeConcern
String writeConcern
Write concern describes the level of acknowledgement requested from MongoDB for write operations to a standalone MongoDB instance, to replica sets, or to sharded clusters. In sharded clusters, MongoDB instances will pass the write concern on to the shards.
-
-
Class org.apereo.cas.configuration.model.support.mongo.MongoDbAuthenticationProperties
class MongoDbAuthenticationProperties extends SingleCollectionMongoDbProperties implements Serializable- serialVersionUID:
- -7304734732383722585L
-
Serialized Fields
-
attributes
String attributes
Attributes to fetch from Mongo (blank by default to force the pac4j legacy behavior). -
name
String name
Name of the authentication handler. -
order
int order
Order of authentication handler in chain. -
passwordAttribute
String passwordAttribute
Attribute that holds the password. -
passwordEncoder
PasswordEncoderProperties passwordEncoder
Password encoder settings for the authentication handler. -
principalIdAttribute
String principalIdAttribute
Attribute that would be used to establish the authenticated profile. -
principalTransformation
PrincipalTransformationProperties principalTransformation
Principal transformation properties. -
usernameAttribute
String usernameAttribute
Attribute that holds the username.
-
-
Class org.apereo.cas.configuration.model.support.mongo.MongoDbConnectionPoolProperties
class MongoDbConnectionPoolProperties extends Object implements Serializable- serialVersionUID:
- 8312213511918496060L
-
Serialized Fields
-
idleTime
String idleTime
The maximum idle time of a pooled connection. A zero value indicates no limit to the idle time. A pooled connection that has exceeded its idle time will be closed and replaced when necessary by a new connection. -
lifeTime
String lifeTime
The maximum time a pooled connection can live for. A zero value indicates no limit to the life time. A pooled connection that has exceeded its life time will be closed and replaced when necessary by a new connection. -
maxSize
int maxSize
Maximum number of connections to keep around. -
maxWaitTime
String maxWaitTime
The maximum time that a thread may wait for a connection to become available. -
minSize
int minSize
Minimum number of connections to keep around. -
perHost
int perHost
Total number of connections allowed per host.
-
-
Class org.apereo.cas.configuration.model.support.mongo.SingleCollectionMongoDbProperties
class SingleCollectionMongoDbProperties extends BaseMongoDbProperties implements Serializable- serialVersionUID:
- 4869686250345657447L
-
Serialized Fields
-
collection
String collection
MongoDb database collection name to fetch and/or create. -
dropCollection
boolean dropCollection
Whether collections should be dropped on startup and re-created.
-
-
-
Package org.apereo.cas.configuration.model.support.mongo.serviceregistry
-
Class org.apereo.cas.configuration.model.support.mongo.serviceregistry.MongoDbServiceRegistryProperties
class MongoDbServiceRegistryProperties extends SingleCollectionMongoDbProperties implements Serializable- serialVersionUID:
- -227092724742371662L
-
-
Package org.apereo.cas.configuration.model.support.mongo.ticketregistry
-
Class org.apereo.cas.configuration.model.support.mongo.ticketregistry.MongoDbTicketRegistryProperties
class MongoDbTicketRegistryProperties extends BaseMongoDbProperties implements Serializable- serialVersionUID:
- 8243690796900311918L
-
Serialized Fields
-
crypto
EncryptionRandomizedSigningJwtCryptographyProperties crypto
Crypto settings for the registry. -
dropCollection
boolean dropCollection
Whether collections should be dropped on startup and re-created. -
dropIndexes
boolean dropIndexes
When updating/creating indexes, decide if existing indexes should all be dropped once prior to creating/updating indexes. This may be useful to avoid conflicts between old and new indexes, in scenarios where CAS may be unable to locate the proper difference in index options or names during upgrades. -
indexes
List<String> indexes
Index names to create. By default, all indexes are created. Supported indexes are:
IDX_ID: index created for ticket identifiers.
IDX_JSON_TYPE_ID: compound index for ticket body, type and id used for text queries.
IDX_PRINCIPAL: index created for principal attached to the ticket.
IDX_EXPIRATION: index created for ticket expiration date. -
updateIndexes
boolean updateIndexes
Whether CAS should attempt to create/update indexes automatically and figure out the differences between existing keys and new keys.
-
-
-
Package org.apereo.cas.configuration.model.support.oauth
-
Class org.apereo.cas.configuration.model.support.oauth.OAuthAccessTokenProperties
class OAuthAccessTokenProperties extends Object implements Serializable- serialVersionUID:
- -6832081675586528350L
-
Serialized Fields
-
createAsJwt
boolean createAsJwt
Create access token as JWTs. -
crypto
EncryptionOptionalSigningOptionalJwtCryptographyProperties crypto
Crypto settings. -
maxActiveTokensAllowed
long maxActiveTokensAllowed
Maximum number of active access tokens that an application can receive. If the application requests more than this limit, the request will be denied and the access token will not be issued. -
maxTimeToLiveInSeconds
String maxTimeToLiveInSeconds
Hard timeout to kill the access token and expire it. -
storageName
String storageName
The storage object name used and created by CAS to hold OAuth access tokens in the backing ticket registry implementation. -
timeToKillInSeconds
String timeToKillInSeconds
Sliding window for the access token expiration policy. Essentially, this is an idle time out.
-
-
Class org.apereo.cas.configuration.model.support.oauth.OAuthCodeProperties
class OAuthCodeProperties extends Object implements Serializable- serialVersionUID:
- -7687928082301669359L
-
Serialized Fields
-
numberOfUses
int numberOfUses
Number of times this code is valid and can be used. -
removeRelatedAccessTokens
boolean removeRelatedAccessTokens
Remove the related access tokens when trying to use a code which is expired or no longer exists. -
storageName
String storageName
The storage object name used and created by CAS to hold OAuth codes in the backing ticket registry implementation. -
timeToKillInSeconds
long timeToKillInSeconds
Duration in seconds where the code is valid.
-
-
Class org.apereo.cas.configuration.model.support.oauth.OAuthCoreProperties
class OAuthCoreProperties extends Object implements Serializable- serialVersionUID:
- -1687928082301669359L
-
Serialized Fields
-
bypassApprovalPrompt
boolean bypassApprovalPrompt
Whether approval prompt/consent screen should be bypassed. -
userProfileViewType
OAuthCoreProperties.UserProfileViewTypes userProfileViewType
User profile view type determines how the final user profile should be rendered once an access token is "validated".
-
-
Class org.apereo.cas.configuration.model.support.oauth.OAuthCsrfCookieProperties
class OAuthCsrfCookieProperties extends CookieProperties implements Serializable- serialVersionUID:
- 5298598088218873282L
-
Class org.apereo.cas.configuration.model.support.oauth.OAuthDeviceTokenProperties
class OAuthDeviceTokenProperties extends Object implements Serializable- serialVersionUID:
- -6832081675586528350L
-
Serialized Fields
-
maxTimeToLiveInSeconds
String maxTimeToLiveInSeconds
Hard timeout to kill the device token and expire it. -
refreshInterval
String refreshInterval
The device refresh interval. The client should attempt to acquire an access token every few seconds (at a rate specified by interval) by POSTing to the access token endpoint on the server. -
storageName
String storageName
The storage object name used and created by CAS to hold OAuth device tokens in the backing ticket registry implementation.
-
-
Class org.apereo.cas.configuration.model.support.oauth.OAuthDeviceUserCodeProperties
class OAuthDeviceUserCodeProperties extends Object implements Serializable- serialVersionUID:
- -1232081675586528350L
-
Serialized Fields
-
maxTimeToLiveInSeconds
String maxTimeToLiveInSeconds
Hard timeout to kill the token and expire it. -
storageName
String storageName
The storage object name used and created by CAS to hold OAuth device user codes in the backing ticket registry implementation. -
userCodeLength
int userCodeLength
Length of the generated user code.
-
-
Class org.apereo.cas.configuration.model.support.oauth.OAuthGrantsProperties
class OAuthGrantsProperties extends Object implements Serializable- serialVersionUID:
- -2246860215082703251L
-
Serialized Fields
-
resourceOwner
OAuthGrantsProperties.ResourceOwner resourceOwner
Resource owner grant settings.
-
-
Class org.apereo.cas.configuration.model.support.oauth.OAuthGrantsProperties.ResourceOwner
class ResourceOwner extends Object implements Serializable- serialVersionUID:
- 3171206304518294330L
-
Serialized Fields
-
requireServiceHeader
boolean requireServiceHeader
Whether using the resource-owner grant should enforce authorization rules and per-service policies based on a service parameter that is provided as a header, outside the normal semantics of the grant and protocol.
-
-
Class org.apereo.cas.configuration.model.support.oauth.OAuthProperties
class OAuthProperties extends Object implements Serializable- serialVersionUID:
- 2677128037234123907L
-
Serialized Fields
-
accessToken
OAuthAccessTokenProperties accessToken
Settings related to oauth access tokens. -
code
OAuthCodeProperties code
Settings related to oauth codes. -
core
OAuthCoreProperties core
Settings related to oauth core behavior. -
crypto
EncryptionOptionalSigningOptionalJwtCryptographyProperties crypto
Crypto settings that sign/encrypt secrets. -
csrfCookie
OAuthCsrfCookieProperties csrfCookie
Control the CSRF cookie settings in OAUTH authentication flows. -
deviceToken
OAuthDeviceTokenProperties deviceToken
Settings related to oauth device tokens. -
deviceUserCode
OAuthDeviceUserCodeProperties deviceUserCode
Settings related to oauth device user codes. -
grants
OAuthGrantsProperties grants
Settings related to oauth grants. -
refreshToken
OAuthRefreshTokenProperties refreshToken
Settings related to oauth refresh tokens. -
sessionReplication
SessionReplicationProperties sessionReplication
Control settings for session replication. -
uma
UmaProperties uma
OAuth UMA authentication settings.
-
-
Class org.apereo.cas.configuration.model.support.oauth.OAuthRefreshTokenProperties
class OAuthRefreshTokenProperties extends Object implements Serializable- serialVersionUID:
- -8328568272835831702L
-
Serialized Fields
-
maxActiveTokensAllowed
long maxActiveTokensAllowed
Maximum number of active refresh tokens that an application can receive. If the application requests more than this limit, the request will be denied and the access token will not be issued. -
storageName
String storageName
The storage object name used and created by CAS to hold OAuth refresh tokens in the backing ticket registry implementation. -
timeToKillInSeconds
String timeToKillInSeconds
Hard timeout beyond which the refresh token is considered expired.
-
-
-
Package org.apereo.cas.configuration.model.support.oidc
-
Class org.apereo.cas.configuration.model.support.oidc.OidcClientRegistrationProperties
class OidcClientRegistrationProperties extends Object implements Serializable- serialVersionUID:
- 123128615694269276L
-
Serialized Fields
-
clientSecretExpiration
String clientSecretExpiration
When client secret is issued by CAS, this is the period that gets added to the current time measured in UTC to determine the client secret's expiration date. An example value would be P14D, forcing client applications to expire their client secret 2 weeks after the registration date. Expired client secrets can be updated using the client configuration endpoint. A value of 0 indicates that client secrets would never expire. -
dynamicClientRegistrationMode
OidcClientRegistrationProperties.DynamicClientRegistrationModes dynamicClientRegistrationMode
Whether dynamic registration operates in OPEN or PROTECTED mode. -
initialAccessTokenPassword
String initialAccessTokenPassword
The password used in a basic-auth scheme to request an initial access token that would then be used to dynamically register clients in OidcClientRegistrationProperties.DynamicClientRegistrationModes.PROTECTED mode. -
initialAccessTokenUser
String initialAccessTokenUser
The username used in a basic-auth scheme to request an initial access token that would then be used to dynamically register clients in OidcClientRegistrationProperties.DynamicClientRegistrationModes.PROTECTED mode.
-
-
Class org.apereo.cas.configuration.model.support.oidc.OidcCoreProperties
class OidcCoreProperties extends Object implements Serializable- serialVersionUID:
- 823028615694269276L
-
Serialized Fields
-
acceptedIssuersPattern
String acceptedIssuersPattern
Defines the regular expression pattern that is matched against the calculated issuer from the request. If the issuer that is extracted from the request does not match the OidcCoreProperties.issuer defined in the CAS configuration, this pattern acts as a secondary level rule to allow incoming requests to pass through if the match is successful. By default, the pattern is designed to never match anything. -
authenticationContextReferenceMappings
List<String> authenticationContextReferenceMappings
A mapping of authentication context refs (ACR) values. This is where specific authentication context classes are referenced and mapped to providers that CAS may support, mainly for MFA purposes. An example might be acr-value->mfa-duo. Support for authentication context class references is implemented in the form of acr_values as part of the original authorization request, which is mostly taken into account by the multifactor authentication features of CAS. Once successful, acr and amr values are passed back to the relying party as part of the id token. -
claimsMap
Map<String, String> claimsMap
Map fixed claims to CAS attributes. Key is the existing claim name for a scope and value is the new attribute that should take its place and value. Claims associated with a scope (i.e. given_name for profile) are fixed in the OpenID specification. In the event that custom arbitrary attributes should be mapped to claims, mappings can be defined in CAS settings to link a CAS-defined attribute to a fixed given scope. For instance, CAS configuration may allow the value of the attribute sys_given_name to be mapped and assigned to the claim given_name without having an impact on the attribute resolution configuration and all other CAS-enabled applications. If mapping is not defined, by default CAS attributes are expected to match claim names. -
issuer
String issuer
OIDC issuer. All OpenID Connect servers such as CAS are uniquely identified by a URL known as the issuer. This URL serves as the prefix of a service discovery endpoint as specified in the OpenID Connect Discovery standard. This URL must be using the https scheme with no query or fragment component that the identity provider (CAS) asserts as its Issuer Identifier. This also MUST be identical to the iss claim value in ID Tokens issued from this issuer, unless overridden in very special circumstances as a last resort. CAS primarily supports a single issuer per deployment/host. -
skew
String skew
Skew value used to massage the authentication issue instant. -
userDefinedScopes
Map<String, String> userDefinedScopes
Mapping of user-defined scopes. Key is the new scope name and value is a comma-separated list of claims mapped to the scope. Such user-defined scopes are also able to override the definition of system scopes. User-defined scopes as well as any and all custom claims that are mapped to the scope must also be defined as scopes and claims supported by CAS in OpenID Connect discovery.
-
-
Class org.apereo.cas.configuration.model.support.oidc.OidcDiscoveryProperties
class OidcDiscoveryProperties extends Object implements Serializable- serialVersionUID:
- 813028615694269276L
-
Serialized Fields
-
acrValuesSupported
List<String> acrValuesSupported
List of ACR values supported. This discovery element contains a list of the acr values supported by this server. Support for authentication context class references is implemented in the form of acr_values as part of the original authorization request, which is mostly taken into account by the multifactor authentication features of CAS. Once successful, acr and amr values are passed back to the relying party as part of the id token. -
authorizationResponseIssuerParameterSupported
boolean authorizationResponseIssuerParameterSupported
Parameter indicating whether the authorization server provides the iss parameter in the authorization response. -
claims
List<String> claims
List of supported claims. -
claimsInVerifiedClaimsSupported
Set<String> claimsInVerifiedClaimsSupported
List of the supported verified claims. -
claimsParameterSupported
boolean claimsParameterSupported
Specifying whether this provider supports use of the claims parameter. -
claimTypesSupported
List<String> claimTypesSupported
Supported claim types. -
codeChallengeMethodsSupported
List<String> codeChallengeMethodsSupported
List of PKCE code challenge methods supported. -
documentsSupported
Set<String> documentsSupported
Needed when OidcDiscoveryProperties.evidenceSupported contains document or id_document. Set containing all identity document types utilized by the CAS for identity verification. -
documentsValidationMethodsSupported
Set<String> documentsValidationMethodsSupported
Set containing the validation methods the CAS supports. -
documentsVerificationMethodsSupported
Set<String> documentsVerificationMethodsSupported
Set containing the verification methods the CAS supports. -
dpopSigningAlgValuesSupported
List<String> dpopSigningAlgValuesSupported
An array containing a list of the JWS "alg" values supported by the CAS authorization server for DPoP proof JWTs. -
electronicRecordsSupported
Set<String> electronicRecordsSupported
Needed when evidence_supported contains electronic_record. Set containing all electronic record types the CAS supports. -
evidenceSupported
Set<String> evidenceSupported
Set containing all types of identity evidence the OP uses. This array may have zero or more members. -
grantTypesSupported
List<String> grantTypesSupported
Supported grant types. -
idTokenEncryptionAlgValuesSupported
List<String> idTokenEncryptionAlgValuesSupported
Supported algorithms for id token encryption. -
idTokenEncryptionEncodingValuesSupported
List<String> idTokenEncryptionEncodingValuesSupported
Supported encoding strategies for id token encryption. -
idTokenSigningAlgValuesSupported
List<String> idTokenSigningAlgValuesSupported
Supported algorithms for id token signing. -
introspectionEncryptedResponseAlgValuesSupported
List<String> introspectionEncryptedResponseAlgValuesSupported
Accepted values containing a list of the JWE encryption algorithms (alg values) supported by the introspection endpoint to encrypt the content encryption key for the introspection response. -
introspectionEncryptedResponseEncodingValuesSupported
List<String> introspectionEncryptedResponseEncodingValuesSupported
Accepted values containing a list of the JWE encryption algorithms (enc values) supported by the introspection endpoint to encrypt the introspection response. -
introspectionSignedResponseAlgValuesSupported
List<String> introspectionSignedResponseAlgValuesSupported
Accepted values containing a list of the JWS signing algorithms supported by the introspection endpoint to sign the response. -
introspectionSupportedAuthenticationMethods
List<String> introspectionSupportedAuthenticationMethods
Supported authentication methods for introspection. -
promptValuesSupported
List<String> promptValuesSupported
Supported prompt values. If CAS receives a prompt value that it does not support (not declared in the prompt_values_supported metadata field), CAS SHOULD respond with an HTTP 400 (Bad Request) status code and an error value of invalid_request. -
requestObjectEncryptionAlgValuesSupported
List<String> requestObjectEncryptionAlgValuesSupported
Supported algorithms for request object encryption. -
requestObjectEncryptionEncodingValuesSupported
List<String> requestObjectEncryptionEncodingValuesSupported
Supported encoding strategies for request object encryption. -
requestObjectSigningAlgValuesSupported
List<String> requestObjectSigningAlgValuesSupported
Supported algorithms for request object signing. -
requestParameterSupported
boolean requestParameterSupported
Specifying whether this provider supports use of the request parameter. -
requestUriParameterSupported
boolean requestUriParameterSupported
Specifying whether this provider supports use of the request_uri parameter. -
requirePushedAuthorizationRequests
boolean requirePushedAuthorizationRequests
Boolean parameter indicating whether the authorization server (CAS) accepts authorization request data only via the pushed authorization request method. -
responseModesSupported
List<String> responseModesSupported
Supported response modes. -
responseTypesSupported
List<String> responseTypesSupported
Supported response types. The Response Mode request parameter response_mode informs the Authorization Server of the mechanism to be used for returning Authorization Response parameters from the Authorization Endpoint. Each Response Type value also defines a default Response Mode mechanism to be used, if no Response Mode is specified using the request parameter. -
scopes
List<String> scopes
List of supported scopes. -
subjectTypes
List<String> subjectTypes
List of supported subject types. -
tlsClientCertificateBoundAccessTokens
boolean tlsClientCertificateBoundAccessTokens
Boolean value indicating server support for mutual-TLS client certificate-bound access tokens. -
tokenEndpointAuthMethodsSupported
List<String> tokenEndpointAuthMethodsSupported
List of client authentication methods supported by token endpoint. -
trustFrameworksSupported
Set<String> trustFrameworksSupported
Set containing all supported trust frameworks. This array must have at least one member. -
userInfoEncryptionAlgValuesSupported
List<String> userInfoEncryptionAlgValuesSupported
Supported algorithms for user-info encryption. -
userInfoEncryptionEncodingValuesSupported
List<String> userInfoEncryptionEncodingValuesSupported
Supported encoding strategies for user-info encryption. -
userInfoSigningAlgValuesSupported
List<String> userInfoSigningAlgValuesSupported
Supported algorithms for user-info signing. -
verifiedClaimsSupported
boolean verifiedClaimsSupported
Boolean value indicating support for verified_claims, i.e., the OpenID Connect for Identity Assurance extension.
-
-
Class org.apereo.cas.configuration.model.support.oidc.OidcIdentityAssuranceProperties
class OidcIdentityAssuranceProperties extends Object implements Serializable- serialVersionUID:
- 223128625694269276L
-
Serialized Fields
-
verificationSource
SpringResourceProperties verificationSource
Assurance verification properties.
-
-
Class org.apereo.cas.configuration.model.support.oidc.OidcIdTokenProperties
class OidcIdTokenProperties extends Object implements Serializable- serialVersionUID:
- 813328615694269276L
-
Serialized Fields
-
includeIdTokenClaims
boolean includeIdTokenClaims
As per OpenID Connect Core section 5.4, "The Claims requested by the profile, email, address, and phone scope values are returned from the userinfo endpoint", except for response_type=id_token, where they are returned in the id_token (as there is no access token issued that could be used to access the userinfo endpoint). The Claims requested by the profile, email, address, and phone scope values are returned from the userinfo endpoint when a response_type value is used that results in an access token being issued. However, when no access token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token. Setting this flag to true will force CAS to include claims in the ID token regardless of the response type. Note that this setting MUST ONLY be used as a last resort, to stay compliant with the specification as much as possible. DO NOT use this setting without due consideration. Note that this setting is set to true by default, mainly to preserve backward compatibility with previous CAS versions that included claims in the ID token without considering the response type. The behavior of this setting may change and it may be removed in future CAS releases. -
maxTimeToLiveInSeconds
String maxTimeToLiveInSeconds
Hard timeout to kill the id token and expire it.
-
-
Class org.apereo.cas.configuration.model.support.oidc.OidcJwtAuthorizationResponseModeProperties
class OidcJwtAuthorizationResponseModeProperties extends Object implements Serializable- serialVersionUID:
- 632228615694269276L
-
Serialized Fields
-
expiration
String expiration
Hard timeout to kill the JWT token and expire it.
-
-
Class org.apereo.cas.configuration.model.support.oidc.OidcLogoutProperties
class OidcLogoutProperties extends Object implements Serializable- serialVersionUID:
- 4988981831781991817L
-
Serialized Fields
-
backchannelLogoutSupported
boolean backchannelLogoutSupported
Whether the back-channel logout is supported. -
frontchannelLogoutSupported
boolean frontchannelLogoutSupported
Whether the front-channel logout is supported.
-
-
Class org.apereo.cas.configuration.model.support.oidc.OidcProperties
class OidcProperties extends Object implements Serializable- serialVersionUID:
- 813028615694269276L
-
Serialized Fields
-
core
OidcCoreProperties core
OIDC core protocol settings. -
discovery
OidcDiscoveryProperties discovery
OIDC discovery configuration. -
identityAssurance
OidcIdentityAssuranceProperties identityAssurance
OIDC identity assurance settings. -
idToken
OidcIdTokenProperties idToken
OIDC core protocol settings. -
jarm
OidcJwtAuthorizationResponseModeProperties jarm
OIDC pushed authorization requests configuration. -
jwks
OidcJsonWebKeystoreProperties jwks
Configuration properties managing the jwks settings for OIDC. -
logout
OidcLogoutProperties logout
OIDC logout configuration. -
par
OidcPushedAuthorizationProperties par
OIDC pushed authorization requests configuration. -
registration
OidcClientRegistrationProperties registration
OIDC handling of dynamic client registration requests and settings. -
response
OidcResponseProperties response
Control OIDC response and response mode settings. -
services
OidcServicesProperties services
OIDC services settings. -
webfinger
OidcWebFingerProperties webfinger
OIDC webfinger protocol settings.
-
-
Class org.apereo.cas.configuration.model.support.oidc.OidcPushedAuthorizationProperties
class OidcPushedAuthorizationProperties extends Object implements Serializable- serialVersionUID:
- 632228615694269276L
-
Serialized Fields
-
maxTimeToLiveInSeconds
String maxTimeToLiveInSeconds
Hard timeout to kill the PAR token and expire it. -
numberOfUses
long numberOfUses
Controls how many times a pushed authorization request (its request_uri) may be used within the CAS server before it is discarded.
-
-
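The two limits above, time-to-live and number of uses, are what make a PAR request_uri safe to hand to a browser: it must stop working once it has been used up and once it ages out, and it must only be honoured for the client that pushed it. The store below is an added example written for this page, not CAS code; it assumes an in-memory dictionary and a settable clock in place of the CAS ticket registry, and takes the `urn:ietf:params:oauth:request_uri:` prefix from RFC 9126.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class ParEntry:
    """A pushed authorization request held server-side until used up or expired."""
    client_id: str
    params: dict
    expires_at: float
    uses_left: int


class ManualClock:
    """Settable clock so the time-to-live can be exercised deterministically."""

    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now


class PushedAuthorizationStore:
    """In-memory store (assumption for the example; CAS keeps PAR requests in its
    ticket registry) enforcing the two limits named on the page: a hard
    time-to-live and a maximum number of uses per request_uri."""

    # request_uri values minted by the authorization server carry this prefix (RFC 9126).
    URI_PREFIX = "urn:ietf:params:oauth:request_uri:"

    def __init__(self, max_time_to_live_in_seconds=30, number_of_uses=1, clock=time.time):
        self.ttl = max_time_to_live_in_seconds
        self.number_of_uses = number_of_uses
        self.clock = clock
        self._entries = {}

    def push(self, client_id, params):
        """Accept a pushed request and hand back an unguessable request_uri."""
        request_uri = self.URI_PREFIX + secrets.token_urlsafe(16)  # 128 bits of entropy
        self._entries[request_uri] = ParEntry(
            client_id=client_id,
            params=dict(params),
            expires_at=self.clock() + self.ttl,
            uses_left=self.number_of_uses,
        )
        return request_uri

    def consume(self, request_uri, client_id):
        """Resolve a request_uri presented at the authorization endpoint.

        Returns the stored parameters, or None when the URI is unknown, expired,
        already used up, or was pushed by a different client. Expired and
        exhausted entries are deleted so they can never be replayed."""
        entry = self._entries.get(request_uri)
        if entry is None:
            return None
        if self.clock() >= entry.expires_at:
            del self._entries[request_uri]
            return None
        if entry.client_id != client_id:
            return None
        entry.uses_left -= 1
        if entry.uses_left <= 0:
            del self._entries[request_uri]
        return dict(entry.params)

    def size(self):
        return len(self._entries)


def demo():
    """Exercise single-use, client binding and time-to-live; returns a dict of checks."""
    clock = ManualClock(1_000.0)
    store = PushedAuthorizationStore(max_time_to_live_in_seconds=30, number_of_uses=1, clock=clock)
    # Constructed sample request parameters, not captured from a real client.
    params = {"response_type": "code", "client_id": "app", "scope": "openid",
              "redirect_uri": "https://app.example.org/callback"}
    uri = store.push("app", params)
    first = store.consume(uri, "app")              # first use: parameters come back
    replay = store.consume(uri, "app")             # second use of a single-use URI: rejected
    uri2 = store.push("app", params)
    wrong_client = store.consume(uri2, "other-client")
    clock.now += 31                                # past the 30 second hard timeout
    expired = store.consume(uri2, "app")
    return {
        "uri_has_prefix": uri.startswith(PushedAuthorizationStore.URI_PREFIX),
        "first_use_ok": first == params,
        "replay_rejected": replay is None,
        "wrong_client_rejected": wrong_client is None,
        "expired_rejected": expired is None,
        "nothing_left": store.size() == 0,
    }


if __name__ == "__main__":
    print(demo())
```

With numberOfUses greater than one the same request_uri is returned that many times and then purged; note that a client_id mismatch does not count as a use, so a guessed URI cannot be burned by a third party.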
Class org.apereo.cas.configuration.model.support.oidc.OidcResponseProperties
class OidcResponseProperties extends Object implements Serializable- serialVersionUID:
- 632228615694269271L
-
Serialized Fields
-
crypto
EncryptionOptionalSigningOptionalJwkCryptographyProperties crypto
Crypto settings for response mode JWTs, etc.
-
-
Class org.apereo.cas.configuration.model.support.oidc.OidcServicesProperties
class OidcServicesProperties extends Object implements Serializable- serialVersionUID:
- 1233477683583467669L
-
Serialized Fields
-
defaults
Map<String,
String> defaults Control the default, initial values for fields that are part of an OIDC service definition. This is defined as a map where the key is the field name (e.g. signIdToken) and the value should be the default value. If a service definition explicitly defines a value for a field, that value takes precedence and the default defined here is ignored. If a service definition does not define a value for a field and no default is specified here for that field, then the default value directly assigned to the field in the body of the service definition class applies.
-
-
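To make the precedence concrete, here is an added example (not CAS code) that resolves a service definition through the three layers described above: the explicit value in the service, then the defaults map, then the value assigned in the class body. The field names and their built-in defaults, the `cas.authn.oidc.services.defaults` property key and the `services_with` audit helper are assumptions made for the example. The defaults map is a `Map<String,String>`, so the example also converts each string default to the type of the field it targets instead of passing the text through.

```python
# Values assigned to fields in the body of the service definition class.
# These three fields and their defaults are assumptions chosen for the example.
BUILTIN_FIELD_DEFAULTS = {
    "signIdToken": True,
    "encryptIdToken": False,
    "bypassApprovalPrompt": False,
}


def coerce_like(text, like):
    """The defaults map holds strings, so a default must be converted to the type
    of the field it targets. A string that does not parse is an error, never
    silently 'true' or 'false'."""
    if isinstance(like, bool):
        lowered = text.strip().lower()
        if lowered == "true":
            return True
        if lowered == "false":
            return False
        raise ValueError(f"boolean field expected true/false, got {text!r}")
    if isinstance(like, int):
        return int(text)
    return text


def resolve_field(name, service_definition, defaults):
    """Precedence from the description above:
    1. a value explicitly set in the service definition,
    2. the defaults map (property key assumed to be cas.authn.oidc.services.defaults),
    3. the value assigned to the field in the class body.
    A name unknown to every layer raises instead of resolving to nothing."""
    if name in service_definition:
        return service_definition[name]
    if name in defaults:
        return coerce_like(defaults[name], BUILTIN_FIELD_DEFAULTS.get(name))
    if name in BUILTIN_FIELD_DEFAULTS:
        return BUILTIN_FIELD_DEFAULTS[name]
    raise KeyError(f"unknown OIDC service field: {name}")


def effective_definition(service_definition, defaults):
    """The service definition as it stands once defaults are applied. Field names
    that exist in neither the class nor the defaults are rejected so that a typo
    (e.g. 'signIdTokn') cannot silently leave the built-in default in force."""
    unknown = (set(defaults) | set(service_definition)) - set(BUILTIN_FIELD_DEFAULTS)
    if unknown:
        raise KeyError(f"unknown OIDC service field(s): {sorted(unknown)}")
    return {name: resolve_field(name, service_definition, defaults)
            for name in BUILTIN_FIELD_DEFAULTS}


def services_with(services, defaults, name, value):
    """Audit helper: which registered services end up with field `name` equal to
    `value` after defaults are applied, e.g. which services skip ID token signing."""
    return sorted(service_name for service_name, definition in services.items()
                  if effective_definition(definition, defaults)[name] == value)


def demo():
    # Constructed registry: a global default that turns ID token signing off,
    # one service that explicitly re-enables it, one that says nothing, and one
    # that explicitly turns it off.
    defaults = {"signIdToken": "false", "bypassApprovalPrompt": "true"}
    services = {
        "portal": {"signIdToken": True},
        "legacy-app": {},
        "kiosk": {"signIdToken": False, "bypassApprovalPrompt": False},
    }
    return services_with(services, defaults, "signIdToken", False)


if __name__ == "__main__":
    print(demo())
```

The audit helper is the part worth keeping: a weakened global default only shows up in the services that do not override it, which is exactly the set you want listed.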
Class org.apereo.cas.configuration.model.support.oidc.OidcWebFingerProperties
class OidcWebFingerProperties extends Object implements Serializable- serialVersionUID:
- 231228615694269276L
-
Serialized Fields
-
enabled
boolean enabled
Indicate if webfinger discovery protocol should be enabled. -
userInfo
OidcWebFingerProperties.UserInfoRepository userInfo
Manage settings related to user-info repositories locating resources and accounts.
-
-
Class org.apereo.cas.configuration.model.support.oidc.OidcWebFingerProperties.Groovy
class Groovy extends SpringResourceProperties implements Serializable- serialVersionUID:
- 7179027843747126083L
-
Class org.apereo.cas.configuration.model.support.oidc.OidcWebFingerProperties.Rest
class Rest extends RestEndpointProperties implements Serializable- serialVersionUID:
- -2172345378378393382L
-
Class org.apereo.cas.configuration.model.support.oidc.OidcWebFingerProperties.UserInfoRepository
class UserInfoRepository extends Object implements Serializable- serialVersionUID:
- 1279027843747126043L
-
Serialized Fields
-
groovy
OidcWebFingerProperties.Groovy groovy
Resolve webfinger user-info resources via Groovy. -
rest
OidcWebFingerProperties.Rest rest
Resolve webfinger user-info resources via REST.
-
-
-
Package org.apereo.cas.configuration.model.support.oidc.jwks
-
Class org.apereo.cas.configuration.model.support.oidc.jwks.FileSystemOidcJsonWebKeystoreProperties
class FileSystemOidcJsonWebKeystoreProperties extends Object implements Serializable- serialVersionUID:
- 1659099897056632658L
-
Serialized Fields
-
jwksFile
String jwksFile
Path to the JWKS file resource used to handle signing/encryption of authentication tokens. Contents of the keystore may be encrypted using the same encryption and security mechanism available for all other CAS configuration settings. The setting value may also be defined in a raw format; that is, you may pass the actual contents of the keystore verbatim to this setting and CAS will load the keystore as an in-memory resource. This is relevant in scenarios where the setting source is external to CAS and has no support for file systems, and the value is loaded on the fly from that source into this setting. Note that if the keystore file does not exist at the specified path, one will be generated for you; a generated keystore is local to the node that created it, so in a clustered deployment every node must be given the same keystore or tokens issued by one node will not verify on another. -
watcherEnabled
boolean watcherEnabled
Flag indicating whether a background watcher thread is enabled for the purposes of live reloading of keystore data file changes from disk.
-
-
Class org.apereo.cas.configuration.model.support.oidc.jwks.JpaOidcJsonWebKeystoreProperties
class JpaOidcJsonWebKeystoreProperties extends AbstractJpaProperties implements Serializable- serialVersionUID:
- 1633689616653363554L
-
Class org.apereo.cas.configuration.model.support.oidc.jwks.MongoDbOidcJsonWebKeystoreProperties
class MongoDbOidcJsonWebKeystoreProperties extends SingleCollectionMongoDbProperties implements Serializable- serialVersionUID:
- -8392367146283877576L
-
Class org.apereo.cas.configuration.model.support.oidc.jwks.OidcJsonWebKeystoreCoreProperties
class OidcJsonWebKeystoreCoreProperties extends Object implements Serializable- serialVersionUID:
- -2696060572027445151L
-
Serialized Fields
-
jwksCacheExpiration
String jwksCacheExpiration
Timeout that indicates how long should the JWKS file be kept in cache. -
jwksKeyId
String jwksKeyId
The key identifier to set for the generated key in the keystore. -
jwksKeySize
int jwksKeySize
The key size for the generated JWKS. This is an algorithm-specific metric, such as modulus length, specified in number of bits. If the keystore type is EC, the key size defined here must be one of 256, 384 or 521, i.e. the number of bits of the chosen curve. -
jwksType
String jwksType
The type of the JWKS used to handle signing/encryption of authentication tokens. Accepted values are RSA or EC.
-
-
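The jwksFile setting accepts either a path or the raw JWKS, and jwksType, jwksKeySize and jwksKeyId must agree with what that keystore actually contains; a keystore copied in from another environment can disagree with the configuration without CAS refusing to start. The check below is an added example, not CAS code: it loads the setting in either form and reports mismatches between the configured type, size and key id and the keys found. The `MIN_RSA_BITS` floor and the sample keystores (which carry no real key material, only the members the check inspects) are assumptions constructed for the example.

```python
import base64
import json
import os
import tempfile

# Curve implied by each accepted EC key size.
EC_CURVE_FOR_SIZE = {256: "P-256", 384: "P-384", 521: "P-521"}
# Floor for the RSA modulus length; a practitioner's assumption, not a CAS default.
MIN_RSA_BITS = 2048


def load_jwks_setting(value):
    """jwksFile may hold a path or the raw JWKS JSON verbatim (in-memory resource).
    Anything that starts with '{' is treated as inline JSON, everything else as a path."""
    text = value.strip()
    if text.startswith("{"):
        return json.loads(text)
    with open(text, "r", encoding="utf-8") as fh:
        return json.load(fh)


def _b64url_decode(data):
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def rsa_modulus_bits(n_b64url):
    """Bit length of the RSA modulus carried in the 'n' member of a JWK."""
    return int.from_bytes(_b64url_decode(n_b64url), "big").bit_length()


def check_jwks_against_config(jwks, jwks_type, jwks_key_size, jwks_key_id=None):
    """Return a list of findings; an empty list means the keystore matches
    jwksType / jwksKeySize / jwksKeyId."""
    findings = []
    keys = jwks.get("keys")
    if not isinstance(keys, list) or not keys:
        return ["keystore has no 'keys' array"]
    if jwks_type not in ("RSA", "EC"):
        return [f"jwksType must be RSA or EC, got {jwks_type!r}"]
    if jwks_type == "EC" and jwks_key_size not in EC_CURVE_FOR_SIZE:
        findings.append(f"jwksKeySize {jwks_key_size} is not valid for EC; use 256, 384 or 521")
    if jwks_type == "RSA" and jwks_key_size < MIN_RSA_BITS:
        findings.append(f"jwksKeySize {jwks_key_size} is below the {MIN_RSA_BITS}-bit floor for RSA")
    for index, key in enumerate(keys):
        label = key.get("kid", f"key#{index}")
        if key.get("kty") != jwks_type:
            findings.append(f"{label}: kty {key.get('kty')!r} does not match jwksType {jwks_type!r}")
            continue
        if jwks_type == "EC":
            expected = EC_CURVE_FOR_SIZE.get(jwks_key_size)
            if expected and key.get("crv") != expected:
                findings.append(f"{label}: crv {key.get('crv')!r} does not match "
                                f"jwksKeySize {jwks_key_size} ({expected})")
        else:
            bits = rsa_modulus_bits(key.get("n", ""))
            if bits != jwks_key_size:
                findings.append(f"{label}: modulus is {bits} bits, jwksKeySize says {jwks_key_size}")
    if jwks_key_id and not any(k.get("kid") == jwks_key_id for k in keys):
        findings.append(f"no key carries the configured jwksKeyId {jwks_key_id!r}")
    return findings


def demo():
    """Constructed keystores: the EC point and RSA private members are omitted
    because only kty, crv, n and kid matter to this check."""
    ec_jwks_inline = json.dumps({"keys": [{"kty": "EC", "crv": "P-256", "kid": "cas-ec-2024", "use": "sig"}]})
    # A 2048-bit number standing in for an RSA modulus; only its length is inspected.
    fake_modulus = base64.urlsafe_b64encode(((1 << 2047) | 1).to_bytes(256, "big")).rstrip(b"=").decode()
    rsa_jwks = {"keys": [{"kty": "RSA", "kid": "cas-rsa", "n": fake_modulus, "e": "AQAB"}]}
    # Exercise the file-path form of the setting as well as the inline form.
    fd, path = tempfile.mkstemp(suffix=".jwks")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(rsa_jwks, fh)
    try:
        from_file = load_jwks_setting(path)
    finally:
        os.remove(path)
    ec = load_jwks_setting(ec_jwks_inline)
    return {
        "ec_ok": check_jwks_against_config(ec, "EC", 256, "cas-ec-2024"),
        "ec_wrong_size": check_jwks_against_config(ec, "EC", 384),
        "ec_type_mismatch": check_jwks_against_config(ec, "RSA", 2048),
        "rsa_ok": check_jwks_against_config(from_file, "RSA", 2048, "cas-rsa"),
        "rsa_size_claim_wrong": check_jwks_against_config(from_file, "RSA", 4096),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

Run it against the keystore each node will actually load, not against the one in the repository, since the auto-generation behaviour described for jwksFile means the two can differ.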
Class org.apereo.cas.configuration.model.support.oidc.jwks.OidcJsonWebKeystoreProperties
class OidcJsonWebKeystoreProperties extends Object implements Serializable- serialVersionUID:
- -1696060572027445151L
-
Serialized Fields
-
core
OidcJsonWebKeystoreCoreProperties core
Core JWKS settings and properties. -
fileSystem
FileSystemOidcJsonWebKeystoreProperties fileSystem
Fetch JWKS via the file system. -
groovy
SpringResourceProperties groovy
Fetch JWKS via a Groovy script. -
jpa
JpaOidcJsonWebKeystoreProperties jpa
Fetch JWKS via a relational database and JPA. -
mongo
MongoDbOidcJsonWebKeystoreProperties mongo
Fetch JWKS via MongoDb instances. -
rest
RestfulOidcJsonWebKeystoreProperties rest
Fetch JWKS via a REST endpoint. -
revocation
OidcJsonWebKeyStoreRevocationProperties revocation
OIDC key revocation properties. -
rotation
OidcJsonWebKeyStoreRotationProperties rotation
OIDC key rotation properties.
-
-
Class org.apereo.cas.configuration.model.support.oidc.jwks.OidcJsonWebKeyStoreRevocationProperties
class OidcJsonWebKeyStoreRevocationProperties extends Object implements Serializable- serialVersionUID:
- 4955981831781991817L
-
Serialized Fields
-
schedule
SchedulingProperties schedule
Scheduler settings to indicate how often keys are revoked.
-
-
Class org.apereo.cas.configuration.model.support.oidc.jwks.OidcJsonWebKeyStoreRotationProperties
class OidcJsonWebKeyStoreRotationProperties extends Object implements Serializable- serialVersionUID:
- 4988981831781991617L
-
Serialized Fields
-
schedule
SchedulingProperties schedule
Scheduler settings to indicate how often keys are rotated.
-
-
Class org.apereo.cas.configuration.model.support.oidc.jwks.RestfulOidcJsonWebKeystoreProperties
class RestfulOidcJsonWebKeystoreProperties extends RestEndpointProperties implements Serializable- serialVersionUID:
- 3659099897056632608L
-
-
Package org.apereo.cas.configuration.model.support.okta
-
Class org.apereo.cas.configuration.model.support.okta.BaseOktaApiProperties
class BaseOktaApiProperties extends BaseOktaProperties implements Serializable- serialVersionUID:
- -11245764438426360L
-
Serialized Fields
-
apiToken
String apiToken
Okta API token. -
clientId
String clientId
Okta client id used in combination with the private key. -
privateKey
SpringResourceProperties privateKey
Private key resource used for oauth20 api calls with a client id. When using this approach, you won't need an API Token because the Okta SDK will request an access token for you. -
proxyHost
String proxyHost
Send requests via a proxy; define the hostname. -
proxyPassword
String proxyPassword
Send requests via a proxy; define the proxy password. -
proxyPort
int proxyPort
Send requests via a proxy; define the proxy port. Negative/zero values should deactivate the proxy configuration for the http client. -
proxyUsername
String proxyUsername
Send requests via a proxy; define the proxy username. -
scopes
List<String> scopes
Okta allows you to interact with Okta APIs using scoped OAuth 2.0 access tokens. Each access token enables the bearer to perform specific actions on specific Okta endpoints, with that ability controlled by which scopes the access token contains. Scopes are only used when using client id and private-key.
-
-
Class org.apereo.cas.configuration.model.support.okta.BaseOktaProperties
class BaseOktaProperties extends Object implements Serializable- serialVersionUID:
- -23245764438426360L
-
Serialized Fields
-
connectionTimeout
int connectionTimeout
Connection timeout in milliseconds. -
order
int order
The order of this authentication handler in the chain. -
organizationUrl
String organizationUrl
Okta domain. -
proxyHost
String proxyHost
Send requests via a proxy; define the hostname. -
proxyPassword
String proxyPassword
Send requests via a proxy; define the proxy password. -
proxyPort
int proxyPort
Send requests via a proxy; define the proxy port. Negative/zero values should deactivate the proxy configuration for the http client. -
proxyUsername
String proxyUsername
Send requests via a proxy; define the proxy username.
-
-
Class org.apereo.cas.configuration.model.support.okta.OktaAuthenticationProperties
class OktaAuthenticationProperties extends BaseOktaProperties implements Serializable- serialVersionUID:
- -13245764438426360L
-
Serialized Fields
-
credentialCriteria
String credentialCriteria
A number of authentication handlers are allowed to determine whether they can operate on the provided credential and as such lend themselves to be tried and tested during the authentication handler selection phase. The credential criteria may be one of the following options:
- 1) A regular expression pattern that is tested against the credential identifier.
- 2) A fully qualified class name of your own design that implements Predicate.
- 3) Path to an external Groovy script that implements the same interface.
-
name
String name
The name of the authentication handler. -
passwordEncoder
PasswordEncoderProperties passwordEncoder
Password encoding properties. -
principalTransformation
PrincipalTransformationProperties principalTransformation
Principal transformation properties. -
provisioning
OktaPrincipalProvisioningProperties provisioning
Provisioning settings. -
state
AuthenticationHandlerStates state
Define the scope and state of this authentication handler and the lifecycle in which it can be invoked or activated.
-
-
Class org.apereo.cas.configuration.model.support.okta.OktaPrincipalAttributesProperties
class OktaPrincipalAttributesProperties extends BaseOktaApiProperties implements Serializable- serialVersionUID:
- -6573755681498251678L
-
Class org.apereo.cas.configuration.model.support.okta.OktaPrincipalProvisioningProperties
class OktaPrincipalProvisioningProperties extends BaseOktaApiProperties implements Serializable- serialVersionUID:
- 98007332402165L
-
Serialized Fields
-
attributeMappings
Map<String,
String> attributeMappings Map of attributes that optionally may be used to control the names of the attributes sent to Okta that form the user profile. If an attribute is provided by Okta, such as department, it can be listed here as the key of the map with a value that should be the name of that attribute as collected and recorded by CAS. For example, the convention department->organization will process the CAS attribute organization and will assign its value to the user profile under department. If no mapping is specified, the Okta attribute name itself will be used to find the CAS principal attribute value. -
enabled
boolean enabled
Whether or not provisioning should be enabled with Okta.
-
-
-
Package org.apereo.cas.configuration.model.support.pac4j
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jBaseClientProperties
class Pac4jBaseClientProperties extends Object implements Serializable- serialVersionUID:
- -7885975876831784206L
-
Serialized Fields
-
autoRedirectType
DelegationAutoRedirectTypes autoRedirectType
Auto-redirect to this client. -
callbackUrl
String callbackUrl
Callback URL to use to return the flow back to the CAS server once the identity provider is successfully done. This may be used at the discretion of the client and its type to build service parameters, redirect URIs, etc. If none is specified, the CAS server's login endpoint will be used as the basis of the final callback url. -
callbackUrlType
Pac4jBaseClientProperties.CallbackUrlTypes callbackUrlType
Determine how the callback url should be resolved. Default is Pac4jBaseClientProperties.CallbackUrlTypes.QUERY_PARAMETER. -
clientName
String clientName
Name of the client mostly for UI purposes and uniqueness. This name, with 'non-word' characters converted to '-' (e.g. "This Org (New)" becomes "This-Org--New-") is added to the "class" attribute of the redirect link on the login page, to allow for custom styling of individual IdPs (e.g. for an organization logo). -
cssClass
String cssClass
CSS class that should be assigned to this client. -
displayName
String displayName
Indicate the title or display name of the client for decoration and client presentation purposes. If left blank, the client original name would be used by default. -
enabled
boolean enabled
Whether the client/external identity provider should be considered active and enabled for integration purposes. -
principalIdAttribute
String principalIdAttribute
The attribute found in the identity provider response that may be used to establish the authenticated user and build a profile for CAS.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationBitBucketProperties
class Pac4jDelegatedAuthenticationBitBucketProperties extends Pac4jIdentifiableClientProperties implements Serializable- serialVersionUID:
- -5663033494303169583L
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationCookieProperties
class Pac4jDelegatedAuthenticationCookieProperties extends CookieProperties implements Serializable- serialVersionUID:
- -1460460726554772979L
-
Serialized Fields
-
autoConfigureCookiePath
boolean autoConfigureCookiePath
Decide if cookie paths should be automatically configured based on the application context path, when the cookie path is not configured. -
enabled
boolean enabled
Determine whether cookie settings should be enabled to track delegated authentication choices and identity providers.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationCoreProperties
class Pac4jDelegatedAuthenticationCoreProperties extends Object implements Serializable- serialVersionUID:
- -3561947621312270068L
-
Serialized Fields
-
cacheDuration
String cacheDuration
Control the expiration policy of the cache that holds onto the results. -
cacheSize
long cacheSize
Control the size of the delegated identity provider cache that holds identity providers. This setting specifies the maximum number of entries the cache may contain. Note that the cache may evict an entry before this limit is exceeded or temporarily exceed the threshold while evicting. As the cache size grows close to the maximum, the cache evicts entries that are less likely to be used again. For example, the cache may evict an entry because it hasn't been used recently or very often.
-
discoverySelection
Pac4jDelegatedAuthenticationDiscoverySelectionProperties discoverySelection
Discovery selection settings. -
groovyAuthenticationRequestCustomizer
SpringResourceProperties groovyAuthenticationRequestCustomizer
Path to a groovy script to customize the authentication request and the configuration responsible for it before the request is handed off to the identity provider. -
groovyProviderPostProcessor
SpringResourceProperties groovyProviderPostProcessor
Path to a groovy script to post-process identity providers before they are presented to the user. -
groovyRedirectionStrategy
SpringResourceProperties groovyRedirectionStrategy
Path to a groovy script to determine the auto-redirection strategy to identity providers. -
lazyInit
boolean lazyInit
Whether delegated identity providers should be initialized lazily, on first use, rather than eagerly during startup. -
name
String name
The name of the authentication handler in CAS used for delegation. -
order
Integer order
Order of the authentication handler in the chain. -
principalIdAttribute
String principalIdAttribute
The attribute to use as the principal identifier built during and upon a successful authentication attempt. -
sessionReplication
SessionReplicationProperties sessionReplication
Control settings for session replication. -
typedIdUsed
boolean typedIdUsed
When constructing the final user profile from the delegated provider, determines if the provider id should be combined with the principal id.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationDiscoverySelectionJsonProperties
class Pac4jDelegatedAuthenticationDiscoverySelectionJsonProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- -2261947621312270068L
-
Serialized Fields
-
principalAttribute
String principalAttribute
The name of the principal attribute whose values will be compared against the key pattern defined in the configuration rules. If a match is found, then the provider configuration block will be used as the selected provider. The matching routine will examine all attribute values linked to the principal attribute to find any acceptable match. When this setting is left undefined, the resolved principal id for the given user identifier will be used to locate the provider.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationDiscoverySelectionProperties
class Pac4jDelegatedAuthenticationDiscoverySelectionProperties extends Object implements Serializable- serialVersionUID:
- -2561947621312270068L
-
Serialized Fields
-
json
Pac4jDelegatedAuthenticationDiscoverySelectionJsonProperties json
Locate discovery settings inside a JSON resource. Only available if Pac4jDelegatedAuthenticationDiscoverySelectionProperties.selectionType is set to Pac4jDelegatedAuthenticationDiscoverySelectionProperties.Pac4jDelegatedAuthenticationSelectionTypes.DYNAMIC. -
selectionType
Pac4jDelegatedAuthenticationDiscoverySelectionProperties.Pac4jDelegatedAuthenticationSelectionTypes selectionType
Indicate how the selection and presentation of identity providers would be controlled.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationDropboxProperties
class Pac4jDelegatedAuthenticationDropboxProperties extends Pac4jIdentifiableClientProperties implements Serializable- serialVersionUID:
- -5663033494303169583L
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationFacebookProperties
class Pac4jDelegatedAuthenticationFacebookProperties extends Pac4jIdentifiableClientProperties implements Serializable- serialVersionUID:
- -2737594266552466076L
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationFoursquareProperties
class Pac4jDelegatedAuthenticationFoursquareProperties extends Pac4jIdentifiableClientProperties implements Serializable- serialVersionUID:
- -5663033494303169583L
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationGitHubProperties
class Pac4jDelegatedAuthenticationGitHubProperties extends Pac4jIdentifiableClientProperties implements Serializable- serialVersionUID:
- -5663033494303169583L
-
Serialized Fields
-
scope
String scope
The requested scope from the provider. The default scope is user, i.e. read/write access to the GitHub user account. For sign-in alone that is more than CAS needs; prefer a read-only scope such as read:user or user:email unless write access is actually required.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationGoogleProperties
class Pac4jDelegatedAuthenticationGoogleProperties extends Pac4jIdentifiableClientProperties implements Serializable- serialVersionUID:
- -5663033494303169583L
-
Serialized Fields
-
scope
String scope
The requested scope.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationGroovyProvisioningProperties
class Pac4jDelegatedAuthenticationGroovyProvisioningProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 7179027843747126083L
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationHiOrgServerProperties
class Pac4jDelegatedAuthenticationHiOrgServerProperties extends Pac4jIdentifiableClientProperties implements Serializable- serialVersionUID:
- -5663033494303169583L
-
Serialized Fields
-
scope
String scope
The requested scope.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationLdapProfileSelectionProperties
class Pac4jDelegatedAuthenticationLdapProfileSelectionProperties extends AbstractLdapSearchProperties implements Serializable- serialVersionUID:
- 3372867394066286022L
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationLinkedInProperties
class Pac4jDelegatedAuthenticationLinkedInProperties extends Pac4jIdentifiableClientProperties implements Serializable- serialVersionUID:
- -5663033494303169583L
-
Serialized Fields
-
scope
String scope
The requested scope.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationPayPalProperties
class Pac4jDelegatedAuthenticationPayPalProperties extends Pac4jIdentifiableClientProperties implements Serializable- serialVersionUID:
- -5663033494303169583L
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationProfileSelectionProperties
class Pac4jDelegatedAuthenticationProfileSelectionProperties extends Object implements Serializable- serialVersionUID:
- 1478567744591488495L
-
Serialized Fields
-
groovy
SpringResourceProperties groovy
Groovy script to execute operations on profile selection. -
ldap
List<Pac4jDelegatedAuthenticationLdapProfileSelectionProperties> ldap
Connect to LDAP servers to locate candidate profiles for delegated authn.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationProperties
class Pac4jDelegatedAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 4388567744591488495L
-
Serialized Fields
-
bitbucket
Pac4jDelegatedAuthenticationBitBucketProperties bitbucket
Settings that deal with having BitBucket as an external delegated-to authentication provider. -
cas
List<Pac4jCasClientProperties> cas
Settings that deal with having CAS Servers as an external delegated-to authentication provider. -
cookie
Pac4jDelegatedAuthenticationCookieProperties cookie
Cookie settings to be used with delegated authentication to store user preferences. -
core
Pac4jDelegatedAuthenticationCoreProperties core
Pac4j core authentication engine settings. -
dropbox
Pac4jDelegatedAuthenticationDropboxProperties dropbox
Settings that deal with having Dropbox as an external delegated-to authentication provider. -
facebook
Pac4jDelegatedAuthenticationFacebookProperties facebook
Settings that deal with having Facebook as an external delegated-to authentication provider. -
foursquare
Pac4jDelegatedAuthenticationFoursquareProperties foursquare
Settings that deal with having FourSquare as an external delegated-to authentication provider. -
github
Pac4jDelegatedAuthenticationGitHubProperties github
Settings that deal with having Github as an external delegated-to authentication provider. -
google
Pac4jDelegatedAuthenticationGoogleProperties google
Settings that deal with having Google as an external delegated-to authentication provider. -
hiOrgServer
Pac4jDelegatedAuthenticationHiOrgServerProperties hiOrgServer
Settings that deal with having HiOrg-Server as an external delegated-to authentication provider. -
linkedIn
Pac4jDelegatedAuthenticationLinkedInProperties linkedIn
Settings that deal with having LinkedIn as an external delegated-to authentication provider. -
oauth2
List<Pac4jOAuth20ClientProperties> oauth2
Settings that deal with having OAuth2-capable providers as an external delegated-to authentication provider. -
oidc
List<Pac4jOidcClientProperties> oidc
Settings that deal with having OpenID Connect Providers as an external delegated-to authentication provider. -
paypal
Pac4jDelegatedAuthenticationPayPalProperties paypal
Settings that deal with having Paypal as an external delegated-to authentication provider. -
profileSelection
Pac4jDelegatedAuthenticationProfileSelectionProperties profileSelection
Handle profile selection ops when checking for multiple profiles from external identity providers. -
provisioning
Pac4jDelegatedAuthenticationProvisioningProperties provisioning
Handle provisioning ops when establishing profiles from external identity providers. -
rest
Pac4jDelegatedAuthenticationRestfulProperties rest
Settings that allow CAS to fetch and build clients over a REST endpoint rather than built-in properties. -
saml
List<Pac4jSamlClientProperties> saml
Settings that deal with having SAML2 IdPs as an external delegated-to authentication provider. -
samlDiscovery
SamlIdPDiscoveryProperties samlDiscovery
Settings related to handling saml2 discovery of IdPs. -
twitter
Pac4jDelegatedAuthenticationTwitterProperties twitter
Settings that deal with having Twitter as an external delegated-to authentication provider. -
webflow
WebflowAutoConfigurationProperties webflow
Webflow auto-configuration settings. -
windowsLive
Pac4jDelegatedAuthenticationWindowsLiveProperties windowsLive
Settings that deal with having WindowsLive as an external delegated-to authentication provider. -
wordpress
Pac4jDelegatedAuthenticationWordpressProperties wordpress
Settings that deal with having WordPress as an external delegated-to authentication provider. -
yahoo
Pac4jDelegatedAuthenticationYahooProperties yahoo
Settings that deal with having Yahoo as an external delegated-to authentication provider.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationProvisioningProperties
class Pac4jDelegatedAuthenticationProvisioningProperties extends Object implements Serializable- serialVersionUID:
- 3478567744591488495L
-
Serialized Fields
-
groovy
Pac4jDelegatedAuthenticationGroovyProvisioningProperties groovy
Hand off the provisioning task to an external groovy script to create and manage profiles. -
rest
Pac4jDelegatedAuthenticationRestfulProvisioningProperties rest
Hand off the provisioning task to an external rest api to create and manage profiles. -
scim
Pac4jDelegatedAuthenticationScimProvisioningProperties scim
Hand off the provisioning task to an external scim server to create and manage profiles.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationRestfulProperties
class Pac4jDelegatedAuthenticationRestfulProperties extends RestEndpointProperties implements Serializable- serialVersionUID:
- 3659099897056632608L
-
Serialized Fields
-
type
String type
Specify the format of the payload that would be produced by the REST API. Accepted values are:
- pac4j: The output must conform to the syntax controlled by pac4j's PropertiesConfigFactory.
- cas: The output should contain properties that allow CAS to build delegated identity providers.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationRestfulProvisioningProperties
class Pac4jDelegatedAuthenticationRestfulProvisioningProperties extends RestEndpointProperties implements Serializable- serialVersionUID:
- -8102345678378393382L
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationScimProvisioningProperties
class Pac4jDelegatedAuthenticationScimProvisioningProperties extends Object implements Serializable- serialVersionUID:
- -1102345678378393382L
-
Serialized Fields
-
enabled
boolean enabled
Whether provisioning to SCIM targets should be enabled for delegated authentication attempts.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationTwitterProperties
class Pac4jDelegatedAuthenticationTwitterProperties extends Pac4jIdentifiableClientProperties implements Serializable- serialVersionUID:
- 6906343970517008092L
-
Serialized Fields
-
includeEmail
boolean includeEmail
Set to true to request the user's email address from the Twitter API. For this to have an effect it must first be enabled in the Twitter developer console.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationWindowsLiveProperties
class Pac4jDelegatedAuthenticationWindowsLiveProperties extends Pac4jIdentifiableClientProperties implements Serializable- serialVersionUID:
- -5663033494303169583L
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationWordpressProperties
class Pac4jDelegatedAuthenticationWordpressProperties extends Pac4jIdentifiableClientProperties implements Serializable- serialVersionUID:
- -5663033494303169583L
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationYahooProperties
class Pac4jDelegatedAuthenticationYahooProperties extends Pac4jIdentifiableClientProperties implements Serializable- serialVersionUID:
- -5663033494303169583L
-
Class org.apereo.cas.configuration.model.support.pac4j.Pac4jIdentifiableClientProperties
class Pac4jIdentifiableClientProperties extends Pac4jBaseClientProperties implements Serializable- serialVersionUID:
- 3007013267786902465L
-
-
Package org.apereo.cas.configuration.model.support.pac4j.cas
-
Class org.apereo.cas.configuration.model.support.pac4j.cas.Pac4jCasClientProperties
class Pac4jCasClientProperties extends Pac4jBaseClientProperties implements Serializable- serialVersionUID:
- -2738631545437677447L
-
-
Package org.apereo.cas.configuration.model.support.pac4j.oauth
-
Class org.apereo.cas.configuration.model.support.pac4j.oauth.Pac4jOAuth20ClientProperties
class Pac4jOAuth20ClientProperties extends Pac4jIdentifiableClientProperties implements Serializable- serialVersionUID:
- -1240711580664148382L
-
Serialized Fields
-
authUrl
String authUrl
Authorization endpoint of the provider. -
clientAuthenticationMethod
String clientAuthenticationMethod
The client authentication method: basicAuth (default) or requestBody. -
customParams
Map<String,
String> customParams Custom parameters in form of key-value pairs sent along in authZ requests, etc. -
profileAttrs
Map<String,
String> profileAttrs Profile attributes to request and collect in form of key-value pairs. Key is the attribute name, and value is the mapped attribute name, if necessary. If remapping is not required, key and value should match. It's also possible to define values as CONVERTER|mapped-attribute, where CONVERTER is the attribute converter specified by its accepted type; when the converter applies, it attempts to transform the provided attribute value. Accepted converters are Locale, Integer, Color, Date, Gender, Boolean, Long, String, Url. CAS can also provide a special attribute converter that does the transformation and conversion based on an inline Groovy script. This special Groovy converter can be specified using the following syntax for the value: groovy { return attribute + '-test'}|mapped-attribute. -
profileUrl
String profileUrl
Profile endpoint of the provider. -
profileVerb
String profileVerb
Http method to use when asking for profile. -
responseType
String responseType
Response type determines the authentication flow on the Authentication Server. -
scope
String scope
The scope requested from the identity provider. -
tokenUrl
String tokenUrl
Token endpoint of the provider. -
withState
boolean withState
Whether a state value should be generated when sending authentication requests to the provider. The state value binds the provider's callback to the session that started the request, so it should stay enabled.
-
-
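The CONVERTER|mapped-attribute syntax above, and the claim->attribute directed list used by the OIDC delegated client's mappedClaims field later on this page, are both small grammars worth parsing explicitly rather than by ad hoc string splitting. The following is an added example, not CAS or pac4j code: it parses both forms and applies them to a constructed provider profile. Only some of the listed converters are implemented and the Groovy converter is recognised but not executed (assumptions for the example); the behaviour to take away is that a value which fails its converter is rejected rather than passed through as a raw string under a name that promises a typed value.

```python
from urllib.parse import urlsplit

# Converter names the page lists for CONVERTER|mapped-attribute values.
KNOWN_CONVERTERS = {"Locale", "Integer", "Color", "Date", "Gender", "Boolean", "Long", "String", "Url"}


def _to_bool(value):
    text = str(value).strip().lower()
    if text in ("true", "yes", "1"):
        return True
    if text in ("false", "no", "0"):
        return False
    raise ValueError(f"not a boolean: {value!r}")


def _to_url(value):
    parts = urlsplit(str(value).strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an http(s) URL: {value!r}")
    return parts.geturl()


# Only a subset of the converters is implemented here (assumption: enough to show
# the mechanism); Locale, Color, Date and Gender are recognised but unsupported.
CONVERTERS = {"Integer": int, "Long": int, "String": str, "Boolean": _to_bool, "Url": _to_url}


def parse_profile_attr_value(spec):
    """'mapped'                 -> (None, 'mapped')
       'Integer|mapped'         -> ('Integer', 'mapped')
       'groovy { ... }|mapped'  -> ('groovy', 'mapped')
    The split is on the last '|' so a Groovy body may itself contain '|'."""
    if "|" not in spec:
        return None, spec.strip()
    converter, mapped = spec.rsplit("|", 1)
    converter = converter.strip()
    if converter.startswith("groovy"):
        return "groovy", mapped.strip()
    if converter not in KNOWN_CONVERTERS:
        raise ValueError(f"unknown converter {converter!r} in {spec!r}")
    return converter, mapped.strip()


def apply_profile_attrs(raw_profile, profile_attrs):
    """Build the CAS-side attributes from a provider profile.

    Returns (attributes, rejected). A value that fails its converter is listed
    in `rejected` and dropped rather than copied through as a raw string."""
    attributes, rejected = {}, []
    for source_name, spec in profile_attrs.items():
        if source_name not in raw_profile:
            continue
        converter, mapped_name = parse_profile_attr_value(spec)
        value = raw_profile[source_name]
        if converter is None:
            attributes[mapped_name] = value
        elif converter == "groovy" or converter not in CONVERTERS:
            rejected.append((source_name, f"converter {converter!r} not available in this example"))
        else:
            try:
                attributes[mapped_name] = CONVERTERS[converter](value)
            except (ValueError, TypeError) as exc:
                rejected.append((source_name, str(exc)))
    return attributes, rejected


def parse_directed_list(entries):
    """'claim->attribute' entries, the mappedClaims syntax of the OIDC delegated
    client. An entry without '->' keeps its own name (assumption)."""
    mapping = {}
    for entry in entries:
        left, arrow, right = entry.partition("->")
        mapping[left.strip()] = right.strip() if arrow else left.strip()
    return mapping


def apply_mapped_claims(claims, mapped_claims):
    """Rename claims per the directed list; unlisted claims pass through unchanged (assumption)."""
    mapping = parse_directed_list(mapped_claims)
    return {mapping.get(name, name): value for name, value in claims.items()}


def demo():
    # Constructed provider profile; the website value is deliberately hostile.
    raw_profile = {"id": "12345", "age": "42", "website": "javascript:alert(1)",
                   "admin": "false", "login": "alice", "bio": "unused"}
    profile_attrs = {"id": "Long|uid", "age": "Integer|age", "website": "Url|homepage",
                     "admin": "Boolean|is_admin", "login": "username",
                     "bio": "groovy { return attribute + '-test'}|bio_test"}
    attributes, rejected = apply_profile_attrs(raw_profile, profile_attrs)
    claims = {"sub": "u-1", "preferred_username": "bob", "email": "bob@example.org"}
    renamed = apply_mapped_claims(claims, ["sub->uid", "preferred_username->username", "email"])
    return attributes, rejected, renamed


if __name__ == "__main__":
    print(demo())
```

The rejected list is the piece to log and alert on: a provider suddenly sending values that stop converting is either a schema change on its side or someone feeding the callback unexpected data.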
-
Package org.apereo.cas.configuration.model.support.pac4j.oidc
-
Class org.apereo.cas.configuration.model.support.pac4j.oidc.BasePac4jOidcClientProperties
class BasePac4jOidcClientProperties extends Pac4jIdentifiableClientProperties implements Serializable- serialVersionUID:
- 3359382317533639638L
-
Serialized Fields
-
allowUnsignedIdTokens
boolean allowUnsignedIdTokens
Whether unsigned id tokens issued as plain JWTs are accepted. -
clientAuthenticationMethod
String clientAuthenticationMethod
The preferred client authentication method that will be chosen for token requests. If none is specified, one will be chosen somewhat randomly based on what the OIDC OP supports. -
connectTimeout
String connectTimeout
Read timeout of the OIDC client. -
customParams
Map<String, String> customParams
Custom parameters to send along in authZ requests, etc. -
disablePkce
boolean disablePkce
Disable PKCE support for the provider. -
discoveryUri
String discoveryUri
The discovery endpoint to locate the provider metadata. -
expireSessionWithToken
boolean expireSessionWithToken
Checks if sessions expire with token expiration. -
includeAccessTokenClaims
boolean includeAccessTokenClaims
If enabled, try to process the access token as a JWT and include its claims in the profile. Only enable this if there is an agreement between the IdP and CAS about the format of the access token. If not, the token format could change at any time. -
logoutUrl
String logoutUrl
Logout url used for this provider. -
mappedClaims
List<String> mappedClaims
List arbitrary mappings of claims when fetching user profiles. Uses a "directed list" where the allowed syntax would be claim->attribute. -
maxClockSkew
String maxClockSkew
Clock skew in order to account for drift, when validating id tokens. -
preferredJwsAlgorithm
String preferredJwsAlgorithm
The JWS algorithm to use forcefully when validating ID tokens. If none is defined, the first algorithm from metadata will be used. -
readTimeout
String readTimeout
Connect timeout of the OIDC client. -
responseMode
String responseMode
The response mode specifies how the result of the authorization request is formatted. For backward compatibility the default value is empty, which means the default pac4j (empty) response mode is used. Possible values include "query", "fragment", "form_post", or "web_message". -
responseType
String responseType
The response type tells the authorization server which grant to execute. For backward compatibility the default value is empty, which means the default pac4j ("code") response type is used. Possible values include "code", "token" or "id_token". -
scope
String scope
Requested scope(s). -
supportedClientAuthenticationMethods
String supportedClientAuthenticationMethods
Control the list of supported client authentication methods that can be accepted and understood by this integration. Multiple methods may be specified and separated via a comma. An example might be client_secret_basic,client_secret_post,client_secret_jwt. -
tokenExpirationAdvance
String tokenExpirationAdvance
Default time period advance (in seconds) for considering an access token expired. -
useNonce
boolean useNonce
Whether a nonce should be used initially for replay attack mitigation.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.oidc.Pac4jAppleOidcClientProperties
class Pac4jAppleOidcClientProperties extends BasePac4jOidcClientProperties implements Serializable- serialVersionUID:
- 2258382317533639638L
-
Serialized Fields
-
privateKey
String privateKey
Private key obtained from Apple. Must point to a resource that resolves to an elliptic curve (EC) private key. -
privateKeyId
String privateKeyId
The identifier for the private key. Usually the 10-character Key ID of the private key you create in Apple. -
teamId
String teamId
Apple team identifier. Usually a 10-character string given to you by Apple. -
timeout
String timeout
Client secret expiration timeout.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.oidc.Pac4jAzureOidcClientProperties
class Pac4jAzureOidcClientProperties extends BasePac4jOidcClientProperties implements Serializable- serialVersionUID:
- 1259382317533639638L
-
Serialized Fields
-
tenant
String tenant
Azure AD tenant name. After tenant is configured, the BasePac4jOidcClientProperties.getDiscoveryUri() property will be overridden. Azure AD tenant name can take 4 different values:
- common: Users with both a personal Microsoft account and a work or school account from Azure AD can sign in.
- organizations: Only users with work or school accounts from Azure AD can sign in.
- consumers: Only users with a personal Microsoft account can sign in.
- Specific tenant domain name or ID: Only users with an account under the specified tenant can log in.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.oidc.Pac4jGenericOidcClientProperties
class Pac4jGenericOidcClientProperties extends BasePac4jOidcClientProperties implements Serializable- serialVersionUID:
- 3359382317533639638L
-
Class org.apereo.cas.configuration.model.support.pac4j.oidc.Pac4jGoogleOidcClientProperties
class Pac4jGoogleOidcClientProperties extends BasePac4jOidcClientProperties implements Serializable- serialVersionUID:
- 3259382317533639638L
-
Class org.apereo.cas.configuration.model.support.pac4j.oidc.Pac4jKeyCloakOidcClientProperties
class Pac4jKeyCloakOidcClientProperties extends BasePac4jOidcClientProperties implements Serializable- serialVersionUID:
- 3209382317533639638L
-
Class org.apereo.cas.configuration.model.support.pac4j.oidc.Pac4jOidcClientProperties
class Pac4jOidcClientProperties extends Object implements Serializable- serialVersionUID:
- 3359382317533639638L
-
Serialized Fields
-
apple
Pac4jAppleOidcClientProperties apple
Settings specific to delegating authentication to apple signin. -
azure
Pac4jAzureOidcClientProperties azure
Settings specific to delegating authentication to azure. -
generic
Pac4jGenericOidcClientProperties generic
Settings specific to delegating authentication to generic oidc. -
google
Pac4jGoogleOidcClientProperties google
Settings specific to delegating authentication to google. -
keycloak
Pac4jKeyCloakOidcClientProperties keycloak
Settings specific to delegating authentication to keycloak.
-
-
-
Package org.apereo.cas.configuration.model.support.pac4j.saml
-
Class org.apereo.cas.configuration.model.support.pac4j.saml.Pac4jSamlClientMetadataProperties
class Pac4jSamlClientMetadataProperties extends Object implements Serializable- serialVersionUID:
- -562839796533384951L
-
Serialized Fields
-
identityProviderMetadataPath
String identityProviderMetadataPath
The metadata location of the identity provider that is to handle authentications. The location can be specified as a direct absolute path to the metadata file or it may also be a URL to the identity provider's metadata endpoint. -
serviceProvider
Pac4jSamlServiceProviderMetadataProperties serviceProvider
SAML2 service provider metadata settings.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.saml.Pac4jSamlClientProperties
class Pac4jSamlClientProperties extends Pac4jBaseClientProperties implements Serializable- serialVersionUID:
- -862819796533384951L
-
Serialized Fields
-
acceptedSkew
String acceptedSkew
Maximum skew in seconds between SP and IDP clocks. This skew is added onto the NotOnOrAfter field in seconds for the SAML response validation. -
allSignatureValidationDisabled
boolean allSignatureValidationDisabled
Whether the signature validation should be disabled. Never set this property to true in production. -
assertionConsumerServiceIndex
int assertionConsumerServiceIndex
Allows the SAML client to select a specific ACS url from the metadata, if defined. A negative value de-activates the selection process and is the default. -
attributeConsumingServiceIndex
int attributeConsumingServiceIndex
AttributeConsumingServiceIndex attribute of AuthnRequest element. The given index points out a specific AttributeConsumingService structure, declared into the Service Provider (SP)'s metadata, to be used to specify all the attributes that the Service Provider is asking to be released within the authentication assertion returned by the Identity Provider (IdP). This attribute won't be sent with the request unless a positive value (including 0) is defined. -
authnContextClassRef
List<String> authnContextClassRef
Requested authentication context class in authn requests. -
authnContextComparisonType
String authnContextComparisonType
Specifies the comparison rule that should be used to evaluate the specified authentication methods. For example, if exact is specified, the authentication method used must match one of the authentication methods specified by the AuthnContextClassRef elements. AuthnContextClassRef elements require a comparison rule to be used to evaluate the specified authentication methods. If not explicitly specified, the "exact" rule will be used by default. Other acceptable values are minimum, maximum, better. -
blockedSignatureSigningAlgorithms
List<String> blockedSignatureSigningAlgorithms
Collection of signing signature blocked algorithms, if any, to override the global defaults. -
certificateExpirationDays
int certificateExpirationDays
Define the validity period for the certificate in number of days. The end-date of the certificate is controlled by this setting, when defined as a value greater than zero. -
certificateNameToAppend
String certificateNameToAppend
A name to append to signing certificates generated. The named part appended can be useful to identify for which clientName it was generated. If no name is provided the default certificate name will be used. -
certificateSignatureAlg
String certificateSignatureAlg
Certificate signature algorithm to use when generating the certificate. -
destinationBinding
String destinationBinding
The destination binding to use when creating authentication requests. -
forceAuth
boolean forceAuth
Whether authentication requests should be tagged as forced auth. -
forceKeystoreGeneration
boolean forceKeystoreGeneration
Force generation of the keystore. -
keystorePassword
String keystorePassword
The password to use when generating the SP/CAS keystore. -
keystorePath
String keystorePath
Location of the keystore to use and generate the SP/CAS keystore. -
logoutRequestBinding
String logoutRequestBinding
The destination binding to use when creating logout requests. -
logoutResponseBindingType
String logoutResponseBindingType
Control the logout response binding type during logout operations as invoked by an external IdP and in response to logout requests. -
mappedAttributes
List<String> mappedAttributes
Describes the map of attributes that are to be fetched from the credential (map keys) and then transformed/renamed using map values before they are put into a profile. An example might be to fetch givenName from the credential and rename it to urn:oid:2.5.4.42 or vice versa. Note that this setting only applies to attribute names, and not friendly-names. List arbitrary mappings of claims. Uses a "directed list" where the allowed syntax would be givenName->urn:oid:2.5.4.42. -
maximumAuthenticationLifetime
String maximumAuthenticationLifetime
Once you have an authenticated session on the identity provider, usually it won't prompt you again to enter your credentials and it will automatically generate a new assertion for you. By default, the SAML client will accept assertions based on a previous authentication for one hour. You can adjust this behavior by modifying this setting. The unit of time here is seconds. -
messageStoreFactory
String messageStoreFactory
Factory implementing this interface provides services for storing and retrieval of SAML messages for e.g. verification of retrieved responses. The default factory is an always empty store. You may choose org.pac4j.saml.store.HttpSessionStore instead, which allows SAML messages to be stored in a distributed session store specially required for high availability deployments and validation operations. Available options are:
- EMPTY: Uses the EmptyStoreFactory
- SESSION: Uses the HttpSessionStore
- Fully-qualified class name of the message store implementation.
Also note that the message store implementation can be supplied and configured at runtime as a Spring @Bean with the type SAMLMessageStoreFactory which, if found in the available application context, will override all other options. -
metadata
Pac4jSamlClientMetadataProperties metadata
Metadata configuration properties. -
nameIdAttribute
String nameIdAttribute
The attribute name that should be used and extracted from the SAML2 response to identify and build a NameID value, when the response is processed and consumed. -
nameIdPolicyAllowCreate
TriStateBoolean nameIdPolicyAllowCreate
Flag to indicate whether the allow-create flags for nameid policies should be set to true, false or ignored/defined. -
nameIdPolicyFormat
String nameIdPolicyFormat
NameID policy to request in the authentication requests. -
partialLogoutAsSuccess
boolean partialLogoutAsSuccess
Logouts are only successful if the IdP was able to inform all services, otherwise it will respond with PartialLogout. This setting allows clients such as CAS to ignore such server-side behavior. If the IdP reports back a partial logout, this setting instructs CAS whether it should accept or deny that response. -
passive
boolean passive
Whether authentication requests should be tagged as passive. -
privateKeyPassword
String privateKeyPassword
The password to use when generating the private key for the SP/CAS keystore. -
providerName
String providerName
Provider name set for the saml authentication request. Sets the human-readable name of the requester for use by the presenter's user agent or the identity provider. -
requestedAttributes
List<Pac4jSamlServiceProviderRequestedAttribute> requestedAttributes
List of attributes requested by the service provider that would be put into the service provider metadata. -
requestInitiatorUrl
String requestInitiatorUrl
When generating SAML2 metadata, configure and set the request initiator location attribute. -
responseBindingType
String responseBindingType
The SAML2 response binding type to use when generating metadata. This ultimately controls the binding type of the assertion consumer service in the metadata. Default value is typically urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST. -
responseDestinationMandatory
boolean responseDestinationMandatory
When validating the response, ensure it has a value set for the Destination attribute. -
saml2AttributeConverter
String saml2AttributeConverter
Controls the way SAML2 attributes are converted from the authentication response into pac4j attributes. By default, values of complex types are serialized into a single attribute. To change this behaviour, supply a converter class implementing the AttributeConverter interface. -
serviceProviderEntityId
String serviceProviderEntityId
The entity id of the SP/CAS that is used in the SP metadata generation process. -
signatureAlgorithms
List<String> signatureAlgorithms
Collection of signing signature algorithms, if any, to override the global defaults. -
signatureCanonicalizationAlgorithm
String signatureCanonicalizationAlgorithm
The signing signature canonicalization algorithm, if any, to override the global defaults. -
signatureReferenceDigestMethods
List<String> signatureReferenceDigestMethods
Collection of signing signature reference digest methods, if any, to override the global defaults. -
signAuthnRequest
boolean signAuthnRequest
Whether or not the authnRequest should be signed. -
signServiceProviderLogoutRequest
boolean signServiceProviderLogoutRequest
Whether or not the Logout Request sent from the SP should be signed. -
signServiceProviderMetadata
boolean signServiceProviderMetadata
Whether or not SAML SP metadata should be signed when generated. -
singleLogoutServiceUrl
String singleLogoutServiceUrl
When generating SAML2 metadata, configure and set the single logout service URL attribute. -
supportedProtocols
List<String> supportedProtocols
When generating SAML2 metadata, configure and set the list of supported protocols in the metadata. -
useNameQualifier
boolean useNameQualifier
Whether name qualifiers should be produced in the final saml response. -
wantsAssertionsSigned
boolean wantsAssertionsSigned
Whether metadata should be marked to request sign assertions. -
wantsResponsesSigned
boolean wantsResponsesSigned
Whether a response must be signed.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.saml.Pac4jSamlServiceProviderMetadataFileSystemProperties
class Pac4jSamlServiceProviderMetadataFileSystemProperties extends Object implements Serializable- serialVersionUID:
- -992809796533384951L
-
Serialized Fields
-
location
String location
Location of the SP metadata to use and generate on the file system. If the metadata file already exists, it will be ignored and reused.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.saml.Pac4jSamlServiceProviderMetadataJdbcProperties
class Pac4jSamlServiceProviderMetadataJdbcProperties extends AbstractJpaProperties implements Serializable- serialVersionUID:
- -5114734720383722585L
-
Serialized Fields
-
tableName
String tableName
The table name in the database that holds the SAML2 service provider metadata. The table structure and columns must be created and exist beforehand, and must match the following SQL statement, with expected adjustments depending on database type, driver and dialect: CREATE TABLE sp_metadata (entityId VARCHAR(512), metadata TEXT)
-
-
Class org.apereo.cas.configuration.model.support.pac4j.saml.Pac4jSamlServiceProviderMetadataMongoDbProperties
class Pac4jSamlServiceProviderMetadataMongoDbProperties extends SingleCollectionMongoDbProperties implements Serializable- serialVersionUID:
- -5114734720383722585L
-
Class org.apereo.cas.configuration.model.support.pac4j.saml.Pac4jSamlServiceProviderMetadataProperties
class Pac4jSamlServiceProviderMetadataProperties extends Object implements Serializable- serialVersionUID:
- -552809796533384951L
-
Serialized Fields
-
fileSystem
Pac4jSamlServiceProviderMetadataFileSystemProperties fileSystem
Location of the SP metadata to use and generate on the file system. If the metadata file already exists, it will be ignored and reused. -
jdbc
Pac4jSamlServiceProviderMetadataJdbcProperties jdbc
Location of the SP metadata to use and generate using a relational database (e.g. MySQL) instance. -
mongo
Pac4jSamlServiceProviderMetadataMongoDbProperties mongo
Location of the SP metadata to use and generate using a MongoDb instance.
-
-
Class org.apereo.cas.configuration.model.support.pac4j.saml.Pac4jSamlServiceProviderRequestedAttribute
class Pac4jSamlServiceProviderRequestedAttribute extends Object implements Serializable- serialVersionUID:
- -862819796533384951L
-
-
Package org.apereo.cas.configuration.model.support.passwordless
-
Class org.apereo.cas.configuration.model.support.passwordless.PasswordlessAuthenticationAccountsProperties
class PasswordlessAuthenticationAccountsProperties extends Object implements Serializable- serialVersionUID:
- -8424650395669337488L
-
Serialized Fields
-
groovy
PasswordlessAuthenticationGroovyAccountsProperties groovy
Passwordless authentication settings via Groovy. -
json
PasswordlessAuthenticationJsonAccountsProperties json
Passwordless authentication settings via JSON resource. -
ldap
PasswordlessAuthenticationLdapAccountsProperties ldap
Passwordless authentication settings via LDAP. -
mongo
PasswordlessAuthenticationMongoDbAccountsProperties mongo
Passwordless authentication settings via MongoDb. -
rest
PasswordlessAuthenticationRestAccountsProperties rest
Passwordless authentication settings via REST. -
simple
Map<String, String> simple
Passwordless authentication settings using static accounts. The key is the user identifier, while the value is the form of contact such as email, sms, etc.
-
-
Class org.apereo.cas.configuration.model.support.passwordless.PasswordlessAuthenticationCoreProperties
class PasswordlessAuthenticationCoreProperties extends Object implements Serializable- serialVersionUID:
- 6726382874579042117L
-
Serialized Fields
-
delegatedAuthenticationActivated
boolean delegatedAuthenticationActivated
Allow passwordless authentication to skip its own flow in favor of delegated authentication providers that may be available and defined in CAS. If delegated authentication is activated, CAS will skip its normal passwordless authentication flow in favor of the requested delegated authentication provider. If no delegated providers are available, passwordless authentication flow will commence as usual.
-
delegatedAuthenticationSelectorScript
SpringResourceProperties delegatedAuthenticationSelectorScript
Select the delegated identity provider for the passwordless user using a script. -
enabled
boolean enabled
Flag to indicate if passwordless authentication is enabled. -
multifactorAuthenticationActivated
boolean multifactorAuthenticationActivated
Allow passwordless authentication to skip its own flow in favor of multifactor authentication providers that may be available and defined in CAS. If multifactor authentication is activated, and defined MFA triggers in CAS signal availability and eligibility of an MFA flow for the given passwordless user, CAS will skip its normal passwordless authentication flow in favor of the requested multifactor authentication provider. If no MFA providers are available, or if no triggers require MFA for the verified passwordless user, passwordless authentication flow will commence as usual.
-
-
Class org.apereo.cas.configuration.model.support.passwordless.PasswordlessAuthenticationProperties
class PasswordlessAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 8726382874579042117L
-
Serialized Fields
-
accounts
PasswordlessAuthenticationAccountsProperties accounts
Properties to instruct CAS how accounts for passwordless authentication should be located. -
core
PasswordlessAuthenticationCoreProperties core
Core passwordless settings. -
tokens
PasswordlessAuthenticationTokensProperties tokens
Properties to instruct CAS how tokens for passwordless authentication should be located.
-
-
Class org.apereo.cas.configuration.model.support.passwordless.PasswordlessAuthenticationTokensProperties
class PasswordlessAuthenticationTokensProperties extends Object implements Serializable- serialVersionUID:
- 8371063350377031703L
-
Serialized Fields
-
core
PasswordlessAuthenticationTokensCoreProperties core
Core settings on passwordless authn. -
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Crypto settings for passwordless authn. -
jpa
PasswordlessAuthenticationJpaTokensProperties jpa
Passwordless authentication settings via JPA. -
mail
EmailProperties mail
Email settings for notifications. -
mongo
PasswordlessAuthenticationMongoDbTokensProperties mongo
Passwordless authentication settings via MongoDb. -
rest
PasswordlessAuthenticationRestTokensProperties rest
Passwordless authentication settings via REST. -
sms
SmsProperties sms
SMS settings for notifications.
-
-
-
Package org.apereo.cas.configuration.model.support.passwordless.account
-
Class org.apereo.cas.configuration.model.support.passwordless.account.PasswordlessAuthenticationGroovyAccountsProperties
class PasswordlessAuthenticationGroovyAccountsProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 8079027843747126083L
-
Class org.apereo.cas.configuration.model.support.passwordless.account.PasswordlessAuthenticationJsonAccountsProperties
class PasswordlessAuthenticationJsonAccountsProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 8079027843747126083L
-
Class org.apereo.cas.configuration.model.support.passwordless.account.PasswordlessAuthenticationLdapAccountsProperties
class PasswordlessAuthenticationLdapAccountsProperties extends AbstractLdapSearchProperties implements Serializable- serialVersionUID:
- -1102345678378393382L
-
Serialized Fields
-
emailAttribute
String emailAttribute
Name of the LDAP attribute that indicates the user's email address. -
nameAttribute
String nameAttribute
Deprecated. This property will likely be removed in v8. Name of the LDAP attribute that indicates the user's name. -
phoneAttribute
String phoneAttribute
Name of the LDAP attribute that indicates the user's phone. -
requestPasswordAttribute
String requestPasswordAttribute
Name of the LDAP attribute used by the passwordless flow to decide whether to request a password prompt from the user. The attribute value must be a boolean. Accepted values are true, false, on, off, yes, no, Y, T, F, N, etc. Comparisons are not case sensitive. -
usernameAttribute
String usernameAttribute
Name of the LDAP attribute that indicates the username.
-
-
Class org.apereo.cas.configuration.model.support.passwordless.account.PasswordlessAuthenticationMongoDbAccountsProperties
class PasswordlessAuthenticationMongoDbAccountsProperties extends SingleCollectionMongoDbProperties implements Serializable- serialVersionUID:
- -6304734732383722585L
-
Class org.apereo.cas.configuration.model.support.passwordless.account.PasswordlessAuthenticationRestAccountsProperties
class PasswordlessAuthenticationRestAccountsProperties extends RestEndpointProperties implements Serializable- serialVersionUID:
- -8102345678378393382L
-
-
Package org.apereo.cas.configuration.model.support.passwordless.token
-
Class org.apereo.cas.configuration.model.support.passwordless.token.PasswordlessAuthenticationJpaTokensProperties
class PasswordlessAuthenticationJpaTokensProperties extends AbstractJpaProperties implements Serializable- serialVersionUID:
- 7647381223153797806L
-
Serialized Fields
-
cleaner
ScheduledJobProperties cleaner
Settings that control the background cleaner process.
-
-
Class org.apereo.cas.configuration.model.support.passwordless.token.PasswordlessAuthenticationMongoDbTokensProperties
class PasswordlessAuthenticationMongoDbTokensProperties extends SingleCollectionMongoDbProperties implements Serializable- serialVersionUID:
- 4347381223153797806L
-
Class org.apereo.cas.configuration.model.support.passwordless.token.PasswordlessAuthenticationRestTokensProperties
class PasswordlessAuthenticationRestTokensProperties extends RestEndpointProperties implements Serializable- serialVersionUID:
- -8102345678378393382L
-
Class org.apereo.cas.configuration.model.support.passwordless.token.PasswordlessAuthenticationTokensCoreProperties
class PasswordlessAuthenticationTokensCoreProperties extends Object implements Serializable- serialVersionUID:
- 1371063350377031703L
-
Serialized Fields
-
expiration
String expiration
Indicate how long should the token be considered valid.
-
-
-
Package org.apereo.cas.configuration.model.support.phone
-
Class org.apereo.cas.configuration.model.support.phone.PhoneProperties
class PhoneProperties extends Object implements Serializable- serialVersionUID:
- -3713886839517507306L
-
Serialized Fields
-
attributeName
String attributeName
Principal attribute name that indicates the destination phone number for this voice message. The attribute must already be resolved and available to the CAS principal. -
from
String from
The from address for the message. -
text
String text
The body of the phone call message.
-
-
-
Package org.apereo.cas.configuration.model.support.pm
-
Class org.apereo.cas.configuration.model.support.pm.ForgotUsernamePasswordManagementProperties
class ForgotUsernamePasswordManagementProperties extends Object implements Serializable- serialVersionUID:
- 4850199066765183587L
-
Serialized Fields
-
enabled
boolean enabled
Whether forgot/reset username functionality should be enabled. -
googleRecaptcha
GoogleRecaptchaProperties googleRecaptcha
Google reCAPTCHA settings. -
mail
EmailProperties mail
Email settings for notifications.
-
-
Class org.apereo.cas.configuration.model.support.pm.GroovyPasswordManagementProperties
class GroovyPasswordManagementProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 8079027843747126083L
-
Class org.apereo.cas.configuration.model.support.pm.JdbcPasswordManagementProperties
class JdbcPasswordManagementProperties extends AbstractJpaProperties implements Serializable- serialVersionUID:
- 4746591112640513465L
-
Serialized Fields
-
passwordEncoder
PasswordEncoderProperties passwordEncoder
Password encoder properties. -
sqlChangePassword
String sqlChangePassword
SQL query to change the password and update. -
sqlDeleteSecurityQuestions
String sqlDeleteSecurityQuestions
SQL query to delete security questions for the account, if any. -
sqlFindEmail
String sqlFindEmail
SQL query to locate the user email address. -
sqlFindPhone
String sqlFindPhone
SQL query to locate the user phone number. -
sqlFindUser
String sqlFindUser
SQL query to locate the user via email. -
sqlGetSecurityQuestions
String sqlGetSecurityQuestions
SQL query to locate security questions for the account, if any. -
sqlUnlockAccount
String sqlUnlockAccount
SQL query to unlock accounts. -
sqlUpdateSecurityQuestions
String sqlUpdateSecurityQuestions
SQL query to update security questions for the account, if any.
-
-
Class org.apereo.cas.configuration.model.support.pm.JsonPasswordManagementProperties
class JsonPasswordManagementProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 1129426669588789974L
-
Class org.apereo.cas.configuration.model.support.pm.LdapPasswordManagementProperties
class LdapPasswordManagementProperties extends AbstractLdapSearchProperties implements Serializable- serialVersionUID:
- -2610186056194686825L
-
Serialized Fields
-
accountLockedAttribute
String accountLockedAttribute
Name of the LDAP attribute that represents the account locked status. The value of the attribute is typically set to "true" if the account is ever updated to indicate a locked status. For Active Directory, this attribute might be called lockoutTime. -
accountUnlockedAttributeValues
String[] accountUnlockedAttributeValues
When CAS is about to unlock the user account, it will use the LdapPasswordManagementProperties.accountLockedAttribute setting to locate the appropriate attribute for the user entry. This attribute will then be assigned the value(s) defined here to unlock the account. For Active Directory and in scenarios where LdapPasswordManagementProperties.accountLockedAttribute is set to lockoutTime, this value might be set to zero. A value of zero means that the account is not currently locked out. Note that the value defined here may be treated as case sensitive by the LDAP server.
-
securityQuestionsAttributes
Map<String, String> securityQuestionsAttributes
Collection of attribute names that indicate security questions answers. This is done via a key-value structure where the key is the attribute name for the security question and the value is the attribute name for the answer linked to the question. -
type
AbstractLdapProperties.LdapType type
The specific variant of LDAP based on which update operations will be constructed. Accepted values are:
- AD
- GENERIC
- FreeIPA
- EDirectory
-
usernameAttribute
String usernameAttribute
Username attribute required by LDAP.
-
-
Class org.apereo.cas.configuration.model.support.pm.PasswordHistoryCoreProperties
class PasswordHistoryCoreProperties extends Object implements Serializable- serialVersionUID:
- 2212199066765183587L
-
Serialized Fields
-
enabled
boolean enabled
Flag to indicate if password history tracking is enabled.
-
-
Class org.apereo.cas.configuration.model.support.pm.PasswordHistoryProperties
class PasswordHistoryProperties extends Object implements Serializable- serialVersionUID:
- 2211199066765183587L
-
Serialized Fields
-
core
PasswordHistoryCoreProperties core
Password history core/common settings. -
groovy
SpringResourceProperties groovy
Handle password history with Groovy.
-
-
Class org.apereo.cas.configuration.model.support.pm.PasswordManagementCoreProperties
class PasswordManagementCoreProperties extends Object implements Serializable- serialVersionUID:
- -261644582798411176L
-
Serialized Fields
-
autoLogin
boolean autoLogin
Flag to indicate whether successful password change should trigger login automatically. -
enabled
boolean enabled
Flag to indicate if password management facility is enabled. -
passwordPolicyCharacterSet
String passwordPolicyCharacterSet
The character set that CAS may use to generate and suggest new passwords. -
passwordPolicyPasswordLength
long passwordPolicyPasswordLength
The password length used by CAS when suggesting generated passwords. -
passwordPolicyPattern
String passwordPolicyPattern
A String value representing the password policy regex pattern: minimum 8 and maximum 10 characters, with at least 1 uppercase letter, 1 lowercase letter, 1 number and 1 special character.
-
-
Class org.apereo.cas.configuration.model.support.pm.PasswordManagementProperties
class PasswordManagementProperties extends Object implements Serializable- serialVersionUID:
- -260644582798411176L
-
Serialized Fields
-
core
PasswordManagementCoreProperties core
Password management core settings. -
forgotUsername
ForgotUsernamePasswordManagementProperties forgotUsername
Settings related to fetching usernames. -
googleRecaptcha
GoogleRecaptchaProperties googleRecaptcha
Google reCAPTCHA settings. -
groovy
GroovyPasswordManagementProperties groovy
Handle password policy via Groovy script. -
history
PasswordHistoryProperties history
Settings related to password history management. -
jdbc
JdbcPasswordManagementProperties jdbc
Manage account passwords in database. -
json
JsonPasswordManagementProperties json
Manage account passwords in JSON resources. -
ldap
List<LdapPasswordManagementProperties> ldap
Manage account passwords in LDAP. -
reset
ResetPasswordManagementProperties reset
Settings related to resetting password. -
rest
RestfulPasswordManagementProperties rest
Manage account passwords via REST. -
webflow
WebflowAutoConfigurationProperties webflow
The webflow configuration.
-
-
Class org.apereo.cas.configuration.model.support.pm.ResetPasswordManagementProperties
class ResetPasswordManagementProperties extends Object implements Serializable- serialVersionUID:
- 3453970349530670459L
-
Serialized Fields
-
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Crypto settings on how to reset the password. -
expiration
String expiration
How long in minutes should the password expiration link remain valid. -
includeClientIpAddress
boolean includeClientIpAddress
Whether the Password Management Token will contain the client IP Address. -
includeServerIpAddress
boolean includeServerIpAddress
Whether the Password Management Token will contain the server IP Address. -
mail
EmailProperties mail
Email settings for notifications. -
multifactorAuthenticationEnabled
boolean multifactorAuthenticationEnabled
Controls whether password reset operations must activate and support a multifactor authentication flow based on the set of available MFA providers that are configured and active, before reset instructions can be shared and sent. -
numberOfUses
int numberOfUses
How many times the password reset link can be used. A value strictly lower than 1 means unlimited. -
securityQuestionsEnabled
boolean securityQuestionsEnabled
Whether reset operations require security questions, or whether they should be marked as optional. -
sms
SmsProperties sms
SMS settings for notifications.
-
-
Class org.apereo.cas.configuration.model.support.pm.RestfulPasswordManagementProperties
class RestfulPasswordManagementProperties extends Object implements Serializable- serialVersionUID:
- 5262948164099973872L
-
Serialized Fields
-
endpointPassword
String endpointPassword
Password for Basic-Auth at the password management endpoints. -
endpointUrlAccountUnlock
String endpointUrlAccountUnlock
Endpoint URL to use when unlocking account. -
endpointUrlChange
String endpointUrlChange
Endpoint URL to use when updating passwords. -
endpointUrlEmail
String endpointUrlEmail
Endpoint URL to use when locating email addresses. -
endpointUrlPhone
String endpointUrlPhone
Endpoint URL to use when locating phone numbers. -
endpointUrlSecurityQuestions
String endpointUrlSecurityQuestions
Endpoint URL to use when locating security questions. -
endpointUrlUser
String endpointUrlUser
Endpoint URL to use when locating user names. -
endpointUsername
String endpointUsername
Username for Basic-Auth at the password management endpoints. -
fieldNamePassword
String fieldNamePassword
Field name for password field when password change requests are submitted. -
fieldNamePasswordOld
String fieldNamePasswordOld
Field name for oldPassword field when password change requests are submitted. -
fieldNameUser
String fieldNameUser
Field name for username field when password change requests are submitted.
-
-
-
Package org.apereo.cas.configuration.model.support.qr
-
Class org.apereo.cas.configuration.model.support.qr.JsonQRAuthenticationProperties
class JsonQRAuthenticationProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 7179027843747126083L
-
Class org.apereo.cas.configuration.model.support.qr.QRAuthenticationProperties
class QRAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 8726382874579042117L
-
Serialized Fields
-
allowedOrigins
List<String> allowedOrigins
Configure allowed Origin header values. This check is mostly designed for browser clients. There is nothing preventing other types of client from modifying the Origin header value. When SockJS is enabled and origins are restricted, transport types that do not allow checking the request origin (iframe-based transports) are disabled. As a consequence, IE 6 to 9 are not supported when origins are restricted.
Each provided allowed origin must start with "http://", "https://" or be "*" (meaning that all origins are allowed). By default, only same-origin requests are allowed (empty list).
-
json
JsonQRAuthenticationProperties json
Track registered devices in a repository backed by a JSON resource.
-
-
-
Package org.apereo.cas.configuration.model.support.quartz
-
Class org.apereo.cas.configuration.model.support.quartz.ScheduledJobProperties
class ScheduledJobProperties extends Object implements Serializable- serialVersionUID:
- 9059671958275130605L
-
Serialized Fields
-
schedule
SchedulingProperties schedule
Scheduler settings to indicate how often the job should run.
-
-
Class org.apereo.cas.configuration.model.support.quartz.SchedulingProperties
class SchedulingProperties extends Object implements Serializable- serialVersionUID:
- -1522227059439367394L
-
Serialized Fields
-
enabled
boolean enabled
Whether scheduler should be enabled to schedule the job to run. -
enabledOnHost
String enabledOnHost
Overrides the SchedulingProperties.enabled property value of true if this property does not match the hostname of the CAS server. This can be useful when deploying CAS as an image in a StatefulSet where all names are predictable but having different configurations for different servers is hard. The value can be an exact hostname or a regular expression that will be used to match the hostname. -
repeatInterval
String repeatInterval
String representation of a repeat interval for re-loading data for a data store implementation. This is the interval between consecutive executions of the job. -
startDelay
String startDelay
String representation of a start delay for loading data for a data store implementation. This is the delay between scheduler startup and the first execution of the job.
-
-
-
Package org.apereo.cas.configuration.model.support.radius
-
Class org.apereo.cas.configuration.model.support.radius.RadiusClientProperties
class RadiusClientProperties extends Object implements Serializable- serialVersionUID:
- -7961769318651312854L
-
Serialized Fields
-
accountingPort
int accountingPort
The accounting port. -
authenticationPort
int authenticationPort
The authentication port. -
inetAddress
String inetAddress
Server address to connect and establish a session. -
sharedSecret
String sharedSecret
Secret/password to use for the initial bind. -
socketTimeout
int socketTimeout
Socket connection timeout in milliseconds. -
transportType
RadiusClientProperties.RadiusClientTransportTypes transportType
Transport type to use by this client to connect to the server.
-
-
Class org.apereo.cas.configuration.model.support.radius.RadiusProperties
class RadiusProperties extends Object implements Serializable- serialVersionUID:
- 5244307919878753714L
-
Serialized Fields
-
client
RadiusClientProperties client
RADIUS client settings. -
failoverOnAuthenticationFailure
boolean failoverOnAuthenticationFailure
Whether authentication errors should be skipped and fail over to the next server. -
failoverOnException
boolean failoverOnException
Whether catastrophic errors should be skipped and fail over to the next server. -
name
String name
The name of the authentication handler. -
passwordEncoder
PasswordEncoderProperties passwordEncoder
Password encoder settings. -
principalTransformation
PrincipalTransformationProperties principalTransformation
Principal transformation settings. -
server
RadiusServerProperties server
RADIUS server settings. -
state
AuthenticationHandlerStates state
Define the scope and state of this authentication handler and the lifecycle in which it can be invoked or activated.
-
-
Class org.apereo.cas.configuration.model.support.radius.RadiusServerProperties
class RadiusServerProperties extends Object implements Serializable- serialVersionUID:
- -3911282132573730184L
-
Serialized Fields
-
nasIdentifier
String nasIdentifier
The NAS identifier. -
nasIpAddress
String nasIpAddress
The NAS IP address. -
nasIpv6Address
String nasIpv6Address
The NAS IPv6 address. -
nasPort
long nasPort
The NAS port. -
nasPortId
long nasPortId
The NAS port id. -
nasPortType
int nasPortType
The NAS port type. -
nasRealPort
long nasRealPort
The NAS real port. -
protocol
String protocol
Radius protocol to use when communicating with the server. -
retries
int retries
Number of re-try attempts when dealing with connection and authentication failures.
-
-
-
Package org.apereo.cas.configuration.model.support.redis
-
Class org.apereo.cas.configuration.model.support.redis.AuditRedisProperties
class AuditRedisProperties extends BaseRedisProperties implements Serializable- serialVersionUID:
- -8112996050439638782L
-
Serialized Fields
-
asynchronous
boolean asynchronous
Execute the recording of audit records in async manner. This setting must almost always be set to true.
-
-
Class org.apereo.cas.configuration.model.support.redis.BaseRedisProperties
class BaseRedisProperties extends Object implements Serializable- serialVersionUID:
- -2600996981339638782L
-
Serialized Fields
-
cluster
RedisClusterProperties cluster
Redis cluster settings. -
connectTimeout
String connectTimeout
Connection timeout. -
database
int database
Database index used by the connection factory. -
enabled
boolean enabled
Whether the module is enabled or not, defaults to true. -
host
String host
Redis server host. -
keyCertificateChainFile
File keyCertificateChainFile
May be used when making SSL connections. Sets the certificate file to use for client authentication. This is typically an X.509 certificate file (or chain file) in PEM format. -
keyFile
File keyFile
May be used when making SSL connections. Sets the key file for client authentication. The key is reloaded on each connection attempt, which allows certificates to be replaced at runtime. This is typically a PKCS#8 private key file in PEM format. -
keyPassword
String keyPassword
The password of the BaseRedisProperties.keyFile, or null if it is not password-protected. -
password
String password
Login password of the redis server. -
pool
RedisPoolProperties pool
Redis connection pool settings. -
port
int port
Redis server port. -
protocolVersion
String protocolVersion
Redis protocol version. -
readFrom
BaseRedisProperties.RedisReadFromTypes readFrom
Setting that describes how Lettuce routes read operations to replica nodes. Note that modes referencing MASTER/SLAVE are deprecated (but still supported) in the Lettuce redis client dependency so migrate config to UPSTREAM/REPLICA. -
scanCount
long scanCount
Redis scan count option. When specified, SCAN operations will be "counted" or limited by this setting. While SCAN does not provide guarantees about the number of elements returned at every iteration, it is possible to empirically adjust the behavior of SCAN using the COUNT option. Basically, with COUNT the user specifies the amount of work that should be done at every call in order to retrieve elements from the collection. This is just a hint for the implementation; however, generally speaking this is what you can expect most of the time from the implementation. -
sentinel
RedisSentinelProperties sentinel
Redis Sentinel settings. -
shareNativeConnections
Boolean shareNativeConnections
The shared native connection is never closed by the Lettuce connection, therefore it is not validated by default when connections are retrieved. If this setting is true, a shared connection will be used for regular operations and a connection provider will be used to select a connection for blocking and tx operations only, which should not share a connection. If native connection sharing is disabled, new (or pooled) connections will be used for all operations. By default, multiple connections share a single thread-safe native connection. If you enable connection pooling, then native connection sharing will be disabled and the connection pool will be used for all operations. You may however explicitly control connection sharing via this setting as an override. -
startTls
boolean startTls
Start mutual TLS. In order to support TLS, Redis should be configured with an X.509 certificate and a private key. In addition, it is necessary to specify a CA certificate bundle file or path to be used as a trusted root when validating certificates. -
timeout
String timeout
Command timeout. -
uri
String uri
Database URI. -
username
String username
Login username of the redis server. -
useSsl
boolean useSsl
Whether or not to use SSL for connection factory. -
verifyPeer
boolean verifyPeer
Control how peer verification is handled with redis connections. Peer verification is a security feature that checks if the host you're connecting to is who it says it is. This is often done by checking a digital certificate.
-
-
Class org.apereo.cas.configuration.model.support.redis.RedisAuthenticationProperties
class RedisAuthenticationProperties extends BaseRedisProperties implements Serializable- serialVersionUID:
- -1232996050439638782L
-
Serialized Fields
-
name
String name
The name of the authentication handler. -
order
int order
Order of authentication handler in chain. -
passwordEncoder
PasswordEncoderProperties passwordEncoder
Password encoder settings for this handler. -
principalTransformation
PrincipalTransformationProperties principalTransformation
Principal transformation settings.
-
-
Class org.apereo.cas.configuration.model.support.redis.RedisClusterNodeProperties
class RedisClusterNodeProperties extends Object implements Serializable- serialVersionUID:
- 2912983343579258662L
-
Serialized Fields
-
Class org.apereo.cas.configuration.model.support.redis.RedisClusterProperties
class RedisClusterProperties extends Object implements Serializable- serialVersionUID:
- 5236837157740950831L
-
Serialized Fields
-
adaptiveTopologyRefresh
boolean adaptiveTopologyRefresh
Whether adaptive topology refreshing using all available refresh triggers should be used. -
dynamicRefreshSources
boolean dynamicRefreshSources
Whether to discover and query all cluster nodes for obtaining the cluster topology. When set to false, only the initial seed nodes are used as sources for topology discovery. -
maxRedirects
int maxRedirects
The max number of redirects to follow. -
nodes
List<RedisClusterNodeProperties> nodes
List of nodes available in the redis cluster. -
password
String password
The cluster connection's password. -
topologyRefreshPeriod
String topologyRefreshPeriod
Enables periodic refresh of cluster topology and sets the refresh period. -
username
String username
The cluster connection's username.
-
-
Class org.apereo.cas.configuration.model.support.redis.RedisPoolProperties
class RedisPoolProperties extends Object implements Serializable- serialVersionUID:
- 8534823157764550894L
-
Serialized Fields
-
enabled
boolean enabled
Enable the pooling configuration. -
fairness
boolean fairness
Returns whether or not the pool serves threads waiting to borrow objects fairly. True means that waiting threads are served as if waiting in a FIFO queue. -
lifo
boolean lifo
Returns whether the pool has LIFO (last in, first out) behaviour with respect to idle objects - always returning the most recently used object from the pool, or as a FIFO (first in, first out) queue, where the pool always returns the oldest object in the idle object pool. -
maxActive
int maxActive
Max number of connections that can be allocated by the pool at a given time. Use a negative value for no limit. -
maxIdle
int maxIdle
Max number of "idle" connections in the pool. Use a negative value to indicate an unlimited number of idle connections. -
maxWait
String maxWait
Maximum amount of time (in milliseconds) a connection allocation should block before throwing an exception when the pool is exhausted. Use a negative value to block indefinitely. -
minEvictableIdleTimeMillis
long minEvictableIdleTimeMillis
Sets the minimum amount of time an object may sit idle in the pool before it is eligible for eviction by the idle object evictor (if any - see setTimeBetweenEvictionRunsMillis(long)). When non-positive, no objects will be evicted from the pool due to idle time alone. -
minIdle
int minIdle
Target for the minimum number of idle connections to maintain in the pool. This setting only has an effect if it is positive. -
numTestsPerEvictionRun
int numTestsPerEvictionRun
Sets the maximum number of objects to examine during each run (if any) of the idle object evictor thread. When positive, the number of tests performed for a run will be the minimum of the configured value and the number of idle instances in the pool. When negative, the number of tests performed will be ceil(getNumIdle()/ abs(getNumTestsPerEvictionRun())) which means that when the value is -n roughly one nth of the idle objects will be tested per run. -
softMinEvictableIdleTimeMillis
long softMinEvictableIdleTimeMillis
Sets the minimum amount of time an object may sit idle in the pool before it is eligible for eviction by the idle object evictor (if any - see setTimeBetweenEvictionRunsMillis(long)), with the extra condition that at least minIdle object instances remain in the pool. This setting is overridden by getMinEvictableIdleTimeMillis() (that is, if getMinEvictableIdleTimeMillis() is positive, then getSoftMinEvictableIdleTimeMillis() is ignored). -
testOnBorrow
boolean testOnBorrow
Returns whether objects borrowed from the pool will be validated before being returned from the borrowObject() method. Validation is performed by the validateObject() method of the factory associated with the pool. If the object fails to validate, it will be removed from the pool and destroyed, and a new attempt will be made to borrow an object from the pool. -
testOnCreate
boolean testOnCreate
Returns whether objects created for the pool will be validated before being returned from the borrowObject() method. Validation is performed by the validateObject() method of the factory associated with the pool. If the object fails to validate, then borrowObject() will fail. -
testOnReturn
boolean testOnReturn
Returns whether objects borrowed from the pool will be validated when they are returned to the pool via the returnObject() method. Validation is performed by the validateObject() method of the factory associated with the pool. Returned objects that fail validation are destroyed rather than being returned to the pool. -
testWhileIdle
boolean testWhileIdle
Returns whether objects sitting idle in the pool will be validated by the idle object evictor (if any - see setTimeBetweenEvictionRunsMillis(long)). Validation is performed by the validateObject() method of the factory associated with the pool. If the object fails to validate, it will be removed from the pool and destroyed.
-
-
Class org.apereo.cas.configuration.model.support.redis.RedisPrincipalAttributesProperties
class RedisPrincipalAttributesProperties extends BaseRedisProperties implements Serializable- serialVersionUID:
- -2373755681488251678L
-
Serialized Fields
-
id
String id
A value can be assigned to this field to uniquely identify this resolver. -
order
int order
The order of this attribute repository in the chain of repositories. Can be used to explicitly position this source in chain and affects merging strategies.
-
-
Class org.apereo.cas.configuration.model.support.redis.RedisSentinelProperties
class RedisSentinelProperties extends Object implements Serializable- serialVersionUID:
- 5434823157764550831L
-
Class org.apereo.cas.configuration.model.support.redis.RedisServiceRegistryProperties
class RedisServiceRegistryProperties extends BaseRedisProperties implements Serializable- serialVersionUID:
- -9012996050439638782L
-
Class org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties
class RedisTicketRegistryProperties extends BaseRedisProperties implements Serializable- serialVersionUID:
- -2600996050439638782L
-
Serialized Fields
-
cache
SimpleCacheProperties cache
Control second-level cache settings that keeps ticket in memory. -
crypto
EncryptionRandomizedSigningJwtCryptographyProperties crypto
Crypto settings for the registry. -
enableRedisSearch
boolean enableRedisSearch
Allows the registry to detect the presence of Redis modules, in particular RediSearch, which allows the registry to create specific indexes and search Redis documents to look up tickets. Enabling indexing and searching capabilities may lead to significant performance improvements. -
queueIdentifier
String queueIdentifier
Identifier for this CAS server node that tags the sender/receiver in the queue and avoids processing of inbound calls. If left blank, an identifier is generated automatically and kept in memory.
-
-
-
Package org.apereo.cas.configuration.model.support.replication
-
Class org.apereo.cas.configuration.model.support.replication.CookieSessionReplicationProperties
class CookieSessionReplicationProperties extends PinnableCookieProperties implements Serializable- serialVersionUID:
- 6165162204295764362L
-
Serialized Fields
-
autoConfigureCookiePath
boolean autoConfigureCookiePath
Decide if cookie paths should be automatically configured based on the application context path, when the cookie path is not configured. -
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Crypto settings that determine how the cookie should be signed and encrypted.
-
-
Class org.apereo.cas.configuration.model.support.replication.SessionReplicationProperties
class SessionReplicationProperties extends Object implements Serializable- serialVersionUID:
- -3839399712674610962L
-
Serialized Fields
-
cookie
CookieSessionReplicationProperties cookie
Cookie setting for session replication. -
replicateSessions
boolean replicateSessions
Indicates whether profiles and other session data, collected as part of authentication flows and protocol requests that are kept by the container session, should be replicated across the cluster using CAS and its own ticket registry. Without this option, profile data and other related pieces of information should be manually replicated via means and libraries outside of CAS.
-
-
-
Package org.apereo.cas.configuration.model.support.rest
-
Class org.apereo.cas.configuration.model.support.rest.RestAuthenticationProperties
class RestAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- -6122859176355467060L
-
Serialized Fields
-
method
String method
HTTP method to use when contacting the REST API for authentication. -
name
String name
Name of the authentication handler. -
order
Integer order
Order of the authentication handler in the chain. -
passwordEncoder
PasswordEncoderProperties passwordEncoder
Password encoder settings for REST authentication. -
state
AuthenticationHandlerStates state
Define the scope and state of this authentication handler and the lifecycle in which it can be invoked or activated. -
uri
String uri
Endpoint URI to use for verification of credentials.
-
-
-
Package org.apereo.cas.configuration.model.support.saml
-
Class org.apereo.cas.configuration.model.support.saml.SamlCoreProperties
class SamlCoreProperties extends Object implements Serializable- serialVersionUID:
- -8505851926931247878L
-
Serialized Fields
-
attributeNamespace
String attributeNamespace
Attribute namespace to use when generating SAML1 responses. -
issueLength
String issueLength
Issue length that controls the validity period of the assertion. -
issuer
String issuer
Issuer of the assertion when generating SAML1 responses. -
securityManager
String securityManager
Qualified name of the security manager class used for creating a SAML parser pool. -
skewAllowance
String skewAllowance
Skew allowance that controls the issue instance of the authentication. -
ticketidSaml2
boolean ticketidSaml2
Whether ticket ids generated should be saml2 compliant when generating SAML1 responses.
-
-
-
Package org.apereo.cas.configuration.model.support.saml.idp
-
Class org.apereo.cas.configuration.model.support.saml.idp.AttributeQueryTicketProperties
class AttributeQueryTicketProperties extends Object implements Serializable- serialVersionUID:
- -1690545027059561010L
-
Serialized Fields
-
timeToKillInSeconds
long timeToKillInSeconds
Number of seconds after which this ticket becomes invalid.
-
-
Class org.apereo.cas.configuration.model.support.saml.idp.SamlIdPAlgorithmsProperties
class SamlIdPAlgorithmsProperties extends Object implements Serializable- serialVersionUID:
- 6547093517788229284L
-
Serialized Fields
-
overrideAllowedAlgorithms
List<String> overrideAllowedAlgorithms
The Override white listed algorithms. -
overrideAllowedSignatureSigningAlgorithms
List<String> overrideAllowedSignatureSigningAlgorithms
The Override allowed signature signing algorithms. -
overrideBlockedEncryptionAlgorithms
List<String> overrideBlockedEncryptionAlgorithms
The Override black listed encryption algorithms. -
overrideBlockedSignatureSigningAlgorithms
List<String> overrideBlockedSignatureSigningAlgorithms
The Override blocked signature signing algorithms. -
overrideDataEncryptionAlgorithms
List<String> overrideDataEncryptionAlgorithms
The Override data encryption algorithms. -
overrideKeyEncryptionAlgorithms
List<String> overrideKeyEncryptionAlgorithms
The Override key encryption algorithms. -
overrideSignatureAlgorithms
List<String> overrideSignatureAlgorithms
The Override signature algorithms. -
overrideSignatureCanonicalizationAlgorithm
String overrideSignatureCanonicalizationAlgorithm
The Override signature canonicalization algorithm. -
overrideSignatureReferenceDigestMethods
List<String> overrideSignatureReferenceDigestMethods
The Override signature reference digest methods. -
privateKeyAlgName
String privateKeyAlgName
Algorithm name to use when generating or locating the private key for signing operations.
-
-
Class org.apereo.cas.configuration.model.support.saml.idp.SamlIdPAuthenticationContextProperties
class SamlIdPAuthenticationContextProperties extends Object implements Serializable- serialVersionUID:
- -2848175783676789852L
-
Serialized Fields
-
authenticationContextClassMappings
List<String> authenticationContextClassMappings
A mapping of authentication context class refs. This is where specific authentication context classes are referenced and mapped to providers that CAS may support, mainly for MFA purposes. An example might be urn:oasis:names:tc:SAML:2.0:ac:classes:SomeClassName->mfa-duo. In delegated authentication scenarios, this can also be a mapping of authentication context class refs, when CAS is proxying/delegating authentication to an external SAML2 identity provider. The requested authentication context as submitted by the service provider is first received by CAS, and then gets mapped to a context class that is passed on to the external identity provider. For example, you might have a scenario where a SAML2 service provider would submit https://refeds.org/profile/mfa to CAS, and CAS would translate that to http://schemas.microsoft.com/claims/multipleauthn to ultimately route the authentication request to Azure. If no mapping is found, the original context is passed as is. An example might be https://refeds.org/profile/mfa->http://schemas.microsoft.com/claims/multipleauthn. -
defaultAuthenticationContextClass
String defaultAuthenticationContextClass
The default authentication context class to include in the response if none is specified via the service.
-
-
Class org.apereo.cas.configuration.model.support.saml.idp.SamlIdPCoreProperties
class SamlIdPCoreProperties extends Object implements Serializable- serialVersionUID:
- -1848175783676789852L
-
Serialized Fields
-
attributeFriendlyNames
List<String> attributeFriendlyNames
A mapping of attribute names to their friendly names, defined globally. An example might be urn:oid:1.3.6.1.4.1.5923.1.1.1.6->eduPersonPrincipalName. -
attributeQueryProfileEnabled
boolean attributeQueryProfileEnabled
Indicates whether attribute query profile is enabled. Enabling this setting would allow CAS to record SAML responses and have them be made available later for attribute lookups. -
context
SamlIdPAuthenticationContextProperties context
Authentication context class settings. -
entityId
String entityId
The SAML entity id for the deployment. -
sessionReplication
SessionReplicationProperties sessionReplication
Control settings for session replication. -
sessionStorageType
SessionStorageTypes sessionStorageType
Indicates whether SAML requests and other session data collected as part of SAML flows should be kept in the container HTTP session, in local storage, or replicated across the cluster.
-
-
Class org.apereo.cas.configuration.model.support.saml.idp.SamlIdPDiscoveryProperties
class SamlIdPDiscoveryProperties extends Object implements Serializable- serialVersionUID:
- 3547093517788229284L
-
Serialized Fields
-
resource
List<SpringResourceProperties> resource
Locate discovery feed json file.
-
-
Class org.apereo.cas.configuration.model.support.saml.idp.SamlIdPLogoutProperties
class SamlIdPLogoutProperties extends Object implements Serializable- serialVersionUID:
- -4608824149569614549L
-
Serialized Fields
-
forceSignedLogoutRequests
boolean forceSignedLogoutRequests
Whether SLO logout requests are required to be signed. -
logoutRequestBindings
List<String> logoutRequestBindings
The order in which the logout request bindings should be tried (if available at the SP level). -
logoutResponseBinding
String logoutResponseBinding
Whether SLO logout responses should be sent using a forced binding. Accepted values are: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
-
sendLogoutResponse
boolean sendLogoutResponse
Whether SLO logout responses should be sent to service providers. -
signLogoutResponse
boolean signLogoutResponse
Whether SLO logout responses are required to be signed. -
singleLogoutCallbacksDisabled
boolean singleLogoutCallbacksDisabled
Whether SAML SLO is enabled and processed.
-
-
Class org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties
class SamlIdPProperties extends Object implements Serializable- serialVersionUID:
- -5848075783676789852L
-
Serialized Fields
-
algs
SamlIdPAlgorithmsProperties algs
Settings related to algorithms used for signing, etc. -
core
SamlIdPCoreProperties core
Core SAML2 settings that control key aspects of the saml2 authentication scenario. -
logout
SamlIdPLogoutProperties logout
SAML2 logout related settings. -
metadata
SamlIdPMetadataProperties metadata
SAML2 metadata related settings. -
profile
SamlIdPProfileProperties profile
Settings related to handling saml2 profiles. -
response
SamlIdPResponseProperties response
Settings related to SAML2 responses. -
services
SamlIdPServicesProperties services
Settings related to handling saml2 registered service definitions. -
ticket
SamlIdPTicketProperties ticket
Settings related to naming saml cache storage.
-
-
Class org.apereo.cas.configuration.model.support.saml.idp.SamlIdPResponseProperties
class SamlIdPResponseProperties extends Object implements Serializable- serialVersionUID:
- 7200477683583467619L
-
Serialized Fields
-
attributeNameFormats
List<String> attributeNameFormats
Each individual attribute can be mapped to a particular name-format. Example: attributeName->basic|uri|unspecified|custom-format-etc,... -
credentialType
SamlIdPResponseProperties.SignatureCredentialTypes credentialType
Indicate the encoding type of the credential used when rendering the saml response. -
defaultAttributeNameFormat
String defaultAttributeNameFormat
Indicates the default name-format for all attributes in case the individual attribute is not individually mapped. -
signError
boolean signError
Whether error responses should be signed. -
skewAllowance
String skewAllowance
Time unit in seconds used to skew authentication dates such as valid-from and valid-until elements.
-
-
Class org.apereo.cas.configuration.model.support.saml.idp.SamlIdPServicesProperties
class SamlIdPServicesProperties extends Object implements Serializable- serialVersionUID:
- 7211477683583467619L
-
Serialized Fields
-
defaults
Map<String,String> defaults
Control the default, initial values for fields that are part of a SAML service definition. This is defined as a map where the key is the field name (i.e. signAssertions) and the value should be the default value. If a service definition explicitly defines a value for a field, that value will take over and the default defined here will be ignored. If a service definition does not define a value for a field and no defaults are specified for that field, then the default value that is directly assigned to the field in the body of the service definition will take over.
-
-
Class org.apereo.cas.configuration.model.support.saml.idp.SamlIdPTicketProperties
class SamlIdPTicketProperties extends Object implements Serializable- serialVersionUID:
- 6837089259390742073L
-
Serialized Fields
-
attributeQuery
AttributeQueryTicketProperties attributeQuery
Attribute query ticket properties. -
samlArtifactsCacheStorageName
String samlArtifactsCacheStorageName
The name that should be given to the SAML artifact cache storage. -
samlAttributeQueryCacheStorageName
String samlAttributeQueryCacheStorageName
The name that should be given to the SAML attribute query cache storage.
-
-
-
Package org.apereo.cas.configuration.model.support.saml.idp.metadata
-
Class org.apereo.cas.configuration.model.support.saml.idp.metadata.AmazonS3SamlMetadataProperties
class AmazonS3SamlMetadataProperties extends BaseAmazonWebServicesProperties implements Serializable- serialVersionUID:
- 352435146313504995L
-
Serialized Fields
-
bucketName
String bucketName
S3 bucket that contains metadata files. -
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Crypto settings that sign/encrypt the metadata records. -
idpMetadataBucketName
String idpMetadataBucketName
The collection name that is responsible to hold the identity provider metadata.
-
-
Class org.apereo.cas.configuration.model.support.saml.idp.metadata.CoreSamlMetadataProperties
class CoreSamlMetadataProperties extends Object implements Serializable- serialVersionUID:
- -8116473583467202828L
-
Serialized Fields
-
cacheExpiration
String cacheExpiration
How long should metadata be cached. -
cacheMaximumSize
long cacheMaximumSize
Specifies the maximum number of entries the cache may contain. Note that the cache may evict an entry before this limit is exceeded or temporarily exceed the threshold while evicting. As the cache size grows close to the maximum, the cache evicts entries that are less likely to be used again. For example, the cache may evict an entry because it hasn't been used recently or very often. -
certificateAlgorithm
String certificateAlgorithm
The algorithm type/name that is used when generating certificates for the SAML2 identity provider. This setting is only relevant when artifacts need to be generated. -
failFast
boolean failFast
Whether invalid metadata should fail eagerly on startup, as soon as the resource is parsed. -
keySize
int keySize
This is the key size that is used when generating the initial keypair that would hold the private/public key for the SAML2 metadata. This setting is only relevant when artifacts need to be generated. -
requireValidMetadata
boolean requireValidMetadata
Whether valid metadata is required. -
sloServicePostBindingEnabled
boolean sloServicePostBindingEnabled
Whether metadata generation process should support SLO service POST binding. -
sloServiceRedirectBindingEnabled
boolean sloServiceRedirectBindingEnabled
Whether metadata generation process should support SLO service REDIRECT binding. -
ssoServicePostBindingEnabled
boolean ssoServicePostBindingEnabled
Whether metadata generation process should support SSO service POST binding. -
ssoServicePostSimpleSignBindingEnabled
boolean ssoServicePostSimpleSignBindingEnabled
Whether metadata generation process should support SSO service POST SimpleSign binding. -
ssoServiceRedirectBindingEnabled
boolean ssoServiceRedirectBindingEnabled
Whether metadata generation process should support SSO service REDIRECT binding. -
ssoServiceSoapBindingEnabled
boolean ssoServiceSoapBindingEnabled
Whether metadata generation process should support SSO service SOAP binding.
-
-
Class org.apereo.cas.configuration.model.support.saml.idp.metadata.FileSystemSamlMetadataProperties
class FileSystemSamlMetadataProperties extends Object implements Serializable- serialVersionUID:
- -8336473583467202828L
-
Serialized Fields
-
location
String location
Directory location of SAML metadata and signing/encryption keys. This directory will be used to hold the configuration files. -
signMetadata
boolean signMetadata
Whether metadata generated on disk should be digitally signed. Signing operations use the saml2 identity provider's signing certificate and signing key.
-
-
Class org.apereo.cas.configuration.model.support.saml.idp.metadata.GitSamlMetadataProperties
class GitSamlMetadataProperties extends BaseGitProperties implements Serializable- serialVersionUID:
- 4194689836396653458L
-
Serialized Fields
-
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Crypto settings that sign/encrypt the metadata records. -
idpMetadataEnabled
boolean idpMetadataEnabled
Whether identity provider metadata artifacts are expected to be found in the database. -
schedule
SchedulingProperties schedule
Scheduler settings to indicate how often the git repository is instructed to pull.
-
-
Class org.apereo.cas.configuration.model.support.saml.idp.metadata.HttpSamlMetadataProperties
class HttpSamlMetadataProperties extends Object implements Serializable- serialVersionUID:
- -8226473583467202828L
-
Serialized Fields
-
forceMetadataRefresh
boolean forceMetadataRefresh
Forcefully download and fetch metadata files from URL sources and disregard any cached copies of the metadata. -
metadataBackupLocation
String metadataBackupLocation
Directory location where downloaded SAML metadata is cached as backup files. If left undefined, the directory is calculated off of the metadata location on disk when specified. The directory location should also support and be resolvable via Spring expression language.
-
-
Class org.apereo.cas.configuration.model.support.saml.idp.metadata.JpaSamlMetadataProperties
class JpaSamlMetadataProperties extends AbstractJpaProperties implements Serializable- serialVersionUID:
- 352435146313504995L
-
Serialized Fields
-
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Crypto settings that sign/encrypt the metadata records. -
idpMetadataEnabled
boolean idpMetadataEnabled
Whether identity provider metadata artifacts are expected to be found in the database.
-
-
Class org.apereo.cas.configuration.model.support.saml.idp.metadata.MDQSamlMetadataProperties
class MDQSamlMetadataProperties extends Object implements Serializable- serialVersionUID:
- -1311568960413770598L
-
Serialized Fields
-
basicAuthnPassword
String basicAuthnPassword
Basic auth password in case the metadata instance is connecting to an MDQ server. -
basicAuthnUsername
String basicAuthnUsername
Basic auth username in case the metadata instance is connecting to an MDQ server. -
supportedContentType
String supportedContentType
Supported content types in case the metadata instance is connecting to an MDQ server. MediaType.TEXT_XML_VALUE is supported by default.
-
-
Class org.apereo.cas.configuration.model.support.saml.idp.metadata.MongoDbSamlMetadataProperties
class MongoDbSamlMetadataProperties extends SingleCollectionMongoDbProperties implements Serializable- serialVersionUID:
- -227092724742371662L
-
Serialized Fields
-
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Crypto settings that sign/encrypt the metadata records. -
idpMetadataCollection
String idpMetadataCollection
The collection name that is responsible to hold the identity provider metadata.
-
-
Class org.apereo.cas.configuration.model.support.saml.idp.metadata.RedisSamlMetadataProperties
class RedisSamlMetadataProperties extends BaseRedisProperties implements Serializable- serialVersionUID:
- -227092724742371662L
-
Serialized Fields
-
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Crypto settings that sign/encrypt the metadata records. -
idpMetadataEnabled
boolean idpMetadataEnabled
Whether identity provider metadata artifacts are expected to be found in the database.
-
-
Class org.apereo.cas.configuration.model.support.saml.idp.metadata.RestSamlMetadataProperties
class RestSamlMetadataProperties extends RestEndpointProperties implements Serializable- serialVersionUID:
- -7734304585762871404L
-
Serialized Fields
-
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Crypto settings that sign/encrypt the metadata records. -
idpMetadataEnabled
boolean idpMetadataEnabled
Whether identity provider metadata artifacts are expected to be found in the database.
-
-
Class org.apereo.cas.configuration.model.support.saml.idp.metadata.SamlIdPMetadataProperties
class SamlIdPMetadataProperties extends Object implements Serializable- serialVersionUID:
- -1020542741768471305L
-
Serialized Fields
-
amazonS3
AmazonS3SamlMetadataProperties amazonS3
Properties pertaining to AWS S3 metadata resolution. -
core
CoreSamlMetadataProperties core
Core and common settings related to saml2 metadata management. -
fileSystem
FileSystemSamlMetadataProperties fileSystem
Settings related to saml2 metadata management, when fetching or handling metadata using the file system. -
git
GitSamlMetadataProperties git
Properties pertaining to git saml metadata resolvers. -
http
HttpSamlMetadataProperties http
Settings related to saml2 metadata management, when fetching or handling metadata over http endpoints from URL resources. -
jpa
JpaSamlMetadataProperties jpa
Properties pertaining to jpa metadata resolution. -
mdq
MDQSamlMetadataProperties mdq
Metadata management settings via MDQ protocol. -
mongo
MongoDbSamlMetadataProperties mongo
Properties pertaining to mongo db saml metadata resolvers. -
redis
RedisSamlMetadataProperties redis
Properties pertaining to redis saml metadata resolvers. -
rest
RestSamlMetadataProperties rest
Properties pertaining to REST metadata resolution.
-
-
-
Package org.apereo.cas.configuration.model.support.saml.idp.profile
-
Class org.apereo.cas.configuration.model.support.saml.idp.profile.SamlIdPBaseProfileProperties
class SamlIdPBaseProfileProperties extends Object implements Serializable- serialVersionUID:
- -8100516679034234656L
-
Serialized Fields
-
urlDecodeRedirectRequest
boolean urlDecodeRedirectRequest
Whether the initial request should be explicitly url-decoded before it's consumed by the decoder.
-
-
Class org.apereo.cas.configuration.model.support.saml.idp.profile.SamlIdPProfileProperties
class SamlIdPProfileProperties extends Object implements Serializable- serialVersionUID:
- -3218075783676789852L
-
Serialized Fields
-
slo
SamlIdPSLOProfileProperties slo
Settings related to the saml2 slo redirect profile. -
sso
SamlIdPSSOProfileProperties sso
Settings related to the saml2 sso profile. -
ssoPostSimpleSign
SamlIdPSSOSimpleSignProfileProperties ssoPostSimpleSign
Settings related to the saml2 sso post simple-sign profile.
-
-
Class org.apereo.cas.configuration.model.support.saml.idp.profile.SamlIdPSLOProfileProperties
class SamlIdPSLOProfileProperties extends SamlIdPBaseProfileProperties implements Serializable- serialVersionUID:
- -8100516679034234656L
-
Class org.apereo.cas.configuration.model.support.saml.idp.profile.SamlIdPSSOProfileProperties
class SamlIdPSSOProfileProperties extends SamlIdPBaseProfileProperties implements Serializable- serialVersionUID:
- -8100516679034234656L
-
Class org.apereo.cas.configuration.model.support.saml.idp.profile.SamlIdPSSOSimpleSignProfileProperties
class SamlIdPSSOSimpleSignProfileProperties extends SamlIdPBaseProfileProperties implements Serializable- serialVersionUID:
- -8100516679034234656L
-
-
Package org.apereo.cas.configuration.model.support.saml.mdui
-
Class org.apereo.cas.configuration.model.support.saml.mdui.SamlMetadataUIProperties
class SamlMetadataUIProperties extends Object implements Serializable- serialVersionUID:
- 2113479681245996975L
-
Serialized Fields
-
maxValidity
long maxValidity
If specified, creates a validity filter on the metadata to check for metadata freshness based on the max validity. Value is specified in seconds. -
parameter
String parameter
The parameter name that indicates the entity id of the service provider submitted to CAS. -
requireSignedRoot
boolean requireSignedRoot
When parsing metadata, whether the root element is required to be signed. -
requireValidMetadata
boolean requireValidMetadata
Whether valid metadata is required when parsing metadata. -
resources
List<String> resources
Metadata resources to load and parse through based on the incoming entity id in order to locate MDUI. Resources can be classpath/file/http resources. If each metadata resource has a signing certificate, they can be added onto the resource with a :: separator. Example: classpath:/sp-metadata.xml::classpath:/pub.key -
schedule
SchedulingProperties schedule
Scheduler settings to indicate how often metadata is reloaded.
-
-
-
Package org.apereo.cas.configuration.model.support.saml.shibboleth
-
Class org.apereo.cas.configuration.model.support.saml.shibboleth.ShibbolethIdPProperties
class ShibbolethIdPProperties extends Object implements Serializable- serialVersionUID:
- 1741075420882227768L
-
Serialized Fields
-
serverUrl
String serverUrl
The server url of the shibboleth idp deployment.
-
-
-
Package org.apereo.cas.configuration.model.support.saml.sps
-
Class org.apereo.cas.configuration.model.support.saml.sps.AbstractSamlSPProperties
class AbstractSamlSPProperties extends Object implements Serializable- serialVersionUID:
- -5381463661659831898L
-
Serialized Fields
-
attributes
List<String> attributes
Set up the attribute release policy for this service. Allow attributes that are to be released to this SP. Attributes should be separated by commas and can be virtually mapped and renamed. -
description
String description
Description of this service provider as it's stored in the registry. -
entityIds
List<String> entityIds
List of entityIds allowed for this service provider. Multiple ids can be specified in the event that the metadata is an aggregate. -
metadata
String metadata
The location of the metadata for this service provider. Can be a URL or another form of resource. -
name
String name
Name of this service provider. -
nameIdAttribute
String nameIdAttribute
Attribute to use when generating nameids for this SP. -
nameIdFormat
String nameIdFormat
The forced nameId format to use when generating a response. -
signAssertions
TriStateBoolean signAssertions
Indicate whether assertions should be signed. -
signatureLocation
String signatureLocation
Signature location used to verify metadata. -
signResponses
boolean signResponses
Indicate whether responses should be signed.
-
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties
class SamlServiceProviderProperties extends Object implements Serializable- serialVersionUID:
- 8602328179113963081L
-
Serialized Fields
-
academicHealthPlans
SamlServiceProviderProperties.AcademicHealthPlans academicHealthPlans
Settings related to Academic HealthPlans acting as a SAML service provider. -
adobeCloud
SamlServiceProviderProperties.AdobeCloud adobeCloud
Settings related to Adobe Cloud acting as a SAML service provider. -
amazon
SamlServiceProviderProperties.Amazon amazon
Settings related to Amazon acting as a SAML service provider. -
appDynamics
SamlServiceProviderProperties.AppDynamics appDynamics
Settings related to AppDynamics acting as a SAML service provider. -
arcGIS
SamlServiceProviderProperties.ArcGIS arcGIS
Settings related to ArcGIS acting as a SAML service provider. -
armsSoftware
SamlServiceProviderProperties.ArmsSoftware armsSoftware
Settings related to ArmsSoftware acting as a SAML service provider. -
asana
SamlServiceProviderProperties.Asana asana
Settings related to Asana acting as a SAML service provider. -
benefitFocus
SamlServiceProviderProperties.BenefitFocus benefitFocus
Settings related to BenefitFocus acting as a SAML service provider. -
blackBaud
SamlServiceProviderProperties.BlackBaud blackBaud
Settings related to BlackBaud acting as a SAML service provider. -
box
SamlServiceProviderProperties.Box box
Settings related to Box acting as a SAML service provider. -
bynder
SamlServiceProviderProperties.Bynder bynder
Settings related to Bynder acting as a SAML service provider. -
cccco
SamlServiceProviderProperties.CaliforniaCommunityColleges cccco
Settings related to CCC acting as a SAML service provider. -
cherWell
SamlServiceProviderProperties.CherWell cherWell
Settings related to CherWell acting as a SAML service provider. -
concurSolutions
SamlServiceProviderProperties.ConcurSolutions concurSolutions
Settings related to ConcurSolutions acting as a SAML service provider. -
confluence
SamlServiceProviderProperties.Confluence confluence
Settings related to Confluence acting as a SAML service provider. -
craniumCafe
SamlServiceProviderProperties.CraniumCafe craniumCafe
Settings related to Cranium Cafe acting as a SAML service provider. -
crashPlan
SamlServiceProviderProperties.CrashPlan crashPlan
Settings related to CrashPlan acting as a SAML service provider. -
docuSign
SamlServiceProviderProperties.DocuSign docuSign
Settings related to DocuSign acting as a SAML service provider. -
dropbox
SamlServiceProviderProperties.Dropbox dropbox
Settings related to Dropbox acting as a SAML service provider. -
easyIep
SamlServiceProviderProperties.EasyIep easyIep
Settings related to Easy IEP acting as a SAML service provider. -
egnyte
SamlServiceProviderProperties.Egnyte egnyte
Settings related to CherWell acting as a SAML service provider. -
emma
SamlServiceProviderProperties.Emma emma
Settings related to Emma acting as a SAML service provider. -
everBridge
SamlServiceProviderProperties.EverBridge everBridge
Settings related to EverBridge acting as a SAML service provider. -
evernote
SamlServiceProviderProperties.Evernote evernote
Settings related to Evernote acting as a SAML service provider. -
famis
SamlServiceProviderProperties.Famis famis
Settings related to Famis acting as a SAML service provider. -
gartner
SamlServiceProviderProperties.Gartner gartner
Settings related to Gartner acting as a SAML service provider. -
gitlab
SamlServiceProviderProperties.Gitlab gitlab
Settings related to Gitlab acting as a SAML service provider. -
giveCampus
SamlServiceProviderProperties.GiveCampus giveCampus
Settings related to GiveCampus acting as a SAML service provider. -
inCommon
SamlServiceProviderProperties.InCommon inCommon
Settings related to InCommon acting as a SAML service provider. -
infiniteCampus
SamlServiceProviderProperties.InfiniteCampus infiniteCampus
Settings related to InfiniteCampus acting as a SAML service provider. -
jira
SamlServiceProviderProperties.Jira jira
Settings related to JIRA acting as a SAML service provider. -
neoGov
SamlServiceProviderProperties.NeoGov neoGov
Settings related to NeoGov acting as a SAML service provider. -
netPartner
SamlServiceProviderProperties.NetPartner netPartner
Settings related to NetPartner acting as a SAML service provider. -
newRelic
SamlServiceProviderProperties.NewRelic newRelic
Settings related to CherWell acting as a SAML service provider. -
office365
SamlServiceProviderProperties.Office365 office365
Settings related to Office365 acting as a SAML service provider. -
openAthens
SamlServiceProviderProperties.OpenAthens openAthens
Settings related to OpenAthens acting as a SAML service provider. -
pagerDuty
SamlServiceProviderProperties.PagerDuty pagerDuty
Settings related to PagerDuty acting as a SAML service provider. -
pollEverywhere
SamlServiceProviderProperties.PollEverywhere pollEverywhere
Settings related to PollEverywhere acting as a SAML service provider. -
qualtrics
SamlServiceProviderProperties.Qualtrics qualtrics
Settings related to Qualtrics acting as a SAML service provider. -
rocketChat
SamlServiceProviderProperties.RocketChat rocketChat
Settings related to RocketChat acting as a SAML service provider. -
safariOnline
SamlServiceProviderProperties.SafariOnline safariOnline
Settings related to SafariOnline acting as a SAML service provider. -
salesforce
SamlServiceProviderProperties.Salesforce salesforce
Settings related to Salesforce acting as a SAML service provider. -
saManage
SamlServiceProviderProperties.SAManage saManage
Settings related to SA Manage acting as a SAML service provider. -
sansSth
SamlServiceProviderProperties.SecuringTheHuman sansSth
Settings related to SecuringTheHuman acting as a SAML service provider. -
serviceNow
SamlServiceProviderProperties.ServiceNow serviceNow
Settings related to ServiceNow acting as a SAML service provider. -
slack
SamlServiceProviderProperties.Slack slack
Settings related to Slack acting as a SAML service provider. -
sserca
SamlServiceProviderProperties.SunshineStateEdResearchAlliance sserca
Settings related to Sunshine State Ed Research Alliance acting as a SAML service provider. -
symplicity
SamlServiceProviderProperties.Symplicity symplicity
Settings related to Symplicity acting as a SAML service provider. -
tableau
SamlServiceProviderProperties.Tableau tableau
Settings related to Tableau acting as a SAML service provider. -
topHat
SamlServiceProviderProperties.TopHat topHat
Settings related to TopHat acting as a SAML service provider. -
warpWire
SamlServiceProviderProperties.WarpWire warpWire
Settings related to WarpWire acting as a SAML service provider. -
webAdvisor
SamlServiceProviderProperties.WebAdvisor webAdvisor
Settings related to WebAdvisor acting as a SAML service provider. -
webex
SamlServiceProviderProperties.Webex webex
Settings related to Webex acting as a SAML service provider. -
workday
SamlServiceProviderProperties.Workday workday
Settings related to Workday acting as a SAML service provider. -
yuja
SamlServiceProviderProperties.Yuja yuja
Settings related to Yuja acting as a SAML service provider. -
zendesk
SamlServiceProviderProperties.Zendesk zendesk
Settings related to Zendesk acting as a SAML service provider. -
zimbra
SamlServiceProviderProperties.Zimbra zimbra
Settings related to Zimbra acting as a SAML service provider. -
zoom
SamlServiceProviderProperties.Zoom zoom
Settings related to Zoom acting as a SAML service provider.
-
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.AcademicHealthPlans
class AcademicHealthPlans extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.AdobeCloud
class AdobeCloud extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -5466434234795577247L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Amazon
class Amazon extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.AppDynamics
class AppDynamics extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.ArcGIS
class ArcGIS extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- 2976006720801066953L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.ArmsSoftware
class ArmsSoftware extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Asana
class Asana extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- 6392492484052314295L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.BenefitFocus
class BenefitFocus extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6518570556068267724L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.BlackBaud
class BlackBaud extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Box
class Box extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -5320292115253509284L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Bynder
class Bynder extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -3168960591734555088L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.CaliforniaCommunityColleges
class CaliforniaCommunityColleges extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.CherWell
class CherWell extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -3168960591734555088L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.ConcurSolutions
class ConcurSolutions extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Confluence
class Confluence extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.CraniumCafe
class CraniumCafe extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.CrashPlan
class CrashPlan extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.DocuSign
class DocuSign extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Dropbox
class Dropbox extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -8275173711355379058L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.EasyIep
class EasyIep extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- 6177866628049579956L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Egnyte
class Egnyte extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -3168760591734555088L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Emma
class Emma extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.EverBridge
class EverBridge extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -5168960591734555088L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Evernote
class Evernote extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -1333379518527897627L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Famis
class Famis extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- 4685484530782109454L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Gartner
class Gartner extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Gitlab
class Gitlab extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.GiveCampus
class GiveCampus extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.InCommon
class InCommon extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6336757169059216490L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.InfiniteCampus
class InfiniteCampus extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -9023417844664430533L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Jira
class Jira extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.NeoGov
class NeoGov extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.NetPartner
class NetPartner extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- 5262806306575955633L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.NewRelic
class NewRelic extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -3268960591734555088L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Office365
class Office365 extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- 5878458463269060163L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.OpenAthens
class OpenAthens extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- 7295249577313928465L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.PagerDuty
class PagerDuty extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.PollEverywhere
class PollEverywhere extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Qualtrics
class Qualtrics extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.RocketChat
class RocketChat extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.SafariOnline
class SafariOnline extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Salesforce
class Salesforce extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- 4685484530782109454L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.SAManage
class SAManage extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -8695176237527302883L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.SecuringTheHuman
class SecuringTheHuman extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -1688194227471468248L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.ServiceNow
class ServiceNow extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- 4329681021653966734L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Slack
class Slack extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -1996859011579246804L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.SunshineStateEdResearchAlliance
class SunshineStateEdResearchAlliance extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -5558960591734555088L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Symplicity
class Symplicity extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -3178960591734555088L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Tableau
class Tableau extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -2426590644028989950L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.TopHat
class TopHat extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.WarpWire
class WarpWire extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.WebAdvisor
class WebAdvisor extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- 8449304623099588610L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Webex
class Webex extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- 1957066095836617091L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Workday
class Workday extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- 3484810792914261584L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Yuja
class Yuja extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -1168960591734555088L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Zendesk
class Zendesk extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -4668960591734555087L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Zimbra
class Zimbra extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -6141931806328699054L
-
Class org.apereo.cas.configuration.model.support.saml.sps.SamlServiceProviderProperties.Zoom
class Zoom extends AbstractSamlSPProperties implements Serializable- serialVersionUID:
- -4877129302021248398L
-
-
Package org.apereo.cas.configuration.model.support.scim
-
Class org.apereo.cas.configuration.model.support.scim.ScimProperties
class ScimProperties extends Object implements Serializable- serialVersionUID:
- 7943229230342691009L
-
Serialized Fields
-
enabled
boolean enabled
Decide whether scim should be enabled. -
oauthToken
String oauthToken
Authenticate into the SCIM server/service via a pre-generated OAuth token. -
password
String password
Authenticate into the SCIM server with a pre-defined password. -
target
String target
The SCIM provisioning target URI. -
username
String username
Authenticate into the SCIM server with a pre-defined username.
-
-
-
Package org.apereo.cas.configuration.model.support.services.json
-
Class org.apereo.cas.configuration.model.support.services.json.JsonServiceRegistryProperties
class JsonServiceRegistryProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- -3022199446494732533L
-
Serialized Fields
-
watcherEnabled
boolean watcherEnabled
Flag indicating whether a background watcher thread is enabled for the purposes of live reloading of service registry data changes from persistent data store.
-
-
-
Package org.apereo.cas.configuration.model.support.services.stream
-
Class org.apereo.cas.configuration.model.support.services.stream.BaseStreamServicesProperties
class BaseStreamServicesProperties extends Object implements Serializable- serialVersionUID:
- 7025417314334269017L
-
Class org.apereo.cas.configuration.model.support.services.stream.StreamingServiceRegistryProperties
class StreamingServiceRegistryProperties extends Object implements Serializable- serialVersionUID:
- 4957127900906059461L
-
Serialized Fields
-
core
StreamingServicesCoreProperties core
Core stream/replication settings for services. -
hazelcast
StreamServicesHazelcastProperties hazelcast
Stream services with hazelcast. -
kafka
StreamServicesKafkaProperties kafka
Stream services with Kafka.
-
-
Class org.apereo.cas.configuration.model.support.services.stream.StreamingServicesCoreProperties
class StreamingServicesCoreProperties extends Object implements Serializable- serialVersionUID:
- 2957227900906059461L
-
Serialized Fields
-
enabled
boolean enabled
Whether service registry events should be streamed and published across a CAS cluster. One typical workflow is to enable the publisher on one master node and have others consume definitions and changes from the upstream master node in order to avoid overrides and timing issues as changes may step over each other if the service registry schedule is not timed correctly. -
replicationMode
StreamingServicesCoreProperties.ReplicationModes replicationMode
Indicates the replication mode.
-
-
-
Package org.apereo.cas.configuration.model.support.services.stream.hazelcast
-
Class org.apereo.cas.configuration.model.support.services.stream.hazelcast.StreamServicesHazelcastProperties
class StreamServicesHazelcastProperties extends BaseStreamServicesProperties implements Serializable- serialVersionUID:
- -1583614089051161614L
-
Serialized Fields
-
config
BaseHazelcastProperties config
Configuration of the hazelcast instance to queue and stream items. -
duration
String duration
Duration that indicates how long should items be kept in the hazelcast cache. Note that generally this number needs to be short as once an item is delivered to a target, it is explicitly removed from the cache/queue. This duration needs to be adjusted if the latency between the CAS nodes in the cluster is too large. Having too short a value will cause the record to expire before it reaches other members of the cluster.
-
-
Class org.apereo.cas.configuration.model.support.services.stream.hazelcast.StreamServicesKafkaProperties
class StreamServicesKafkaProperties extends BaseKafkaProperties implements Serializable- serialVersionUID:
- -7126701588226903867L
-
Serialized Fields
-
topic
KafkaSingleTopicProperties topic
Describe the kafka topic.
-
-
-
Package org.apereo.cas.configuration.model.support.services.yaml
-
Class org.apereo.cas.configuration.model.support.services.yaml.YamlServiceRegistryProperties
class YamlServiceRegistryProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 4863603996990314548L
-
Serialized Fields
-
watcherEnabled
boolean watcherEnabled
Flag indicating whether a background watcher thread is enabled for the purposes of live reloading of service registry data changes from persistent data store.
-
-
-
Package org.apereo.cas.configuration.model.support.slack
-
Class org.apereo.cas.configuration.model.support.slack.SlackMessagingProperties
class SlackMessagingProperties extends Object implements Serializable- serialVersionUID:
- -1679682641899738092L
-
Serialized Fields
-
apiToken
String apiToken
To call a Slack Web API method to post messages, CAS needs to be initialized with a Slack API token. A token usually begins with xoxb- (bot token) or xoxp- (user token). You get them from each workspace in which an app has been installed. -
usernameAttribute
String usernameAttribute
The name of the user attribute that would then be used as the slack username. If the attribute is left blank, the default principal identifier is used. Note that in either case the final value is prefixed with @, but only if the prefix does not already exist. Multivalued attributes are supported.
-
-
-
Package org.apereo.cas.configuration.model.support.sms
-
Class org.apereo.cas.configuration.model.support.sms.AmazonSnsProperties
class AmazonSnsProperties extends BaseAmazonWebServicesProperties implements Serializable- serialVersionUID:
- -3366665169030844517L
-
Serialized Fields
-
maxPrice
String maxPrice
The maximum amount in USD that you are willing to spend to send the SMS message. Amazon SNS will not send the message if it determines that doing so would incur a cost that exceeds the maximum price. This attribute has no effect if your month-to-date SMS costs have already exceeded the limit set for the MonthlySpendLimit attribute, which you set by using the SetSMSAttributes request. If you are sending the message to an Amazon SNS topic, the maximum price applies to each message delivery to each phone number that is subscribed to the topic.
-
senderId
String senderId
A custom ID that contains up to 11 alphanumeric characters, including at least one letter and no spaces. The sender ID is displayed as the message sender on the receiving device. For example, you can use your business brand to make the message source easier to recognize. Support for sender IDs varies by country and/or region. For example, messages delivered to U.S. phone numbers will not display the sender ID. If you do not specify a sender ID, the message will display a long code as the sender ID in supported countries and regions. For countries or regions that require an alphabetic sender ID, the message displays NOTICE as the sender ID.
-
smsType
String smsType
The type of message that you are sending.
- Promotional - Noncritical messages, such as marketing messages. Amazon SNS optimizes the message delivery to incur the lowest cost.
- Transactional - Critical messages that support customer transactions, such as one-time passcodes for multi-factor authentication. Amazon SNS optimizes the message delivery to achieve the highest reliability.
-
-
Class org.apereo.cas.configuration.model.support.sms.ClickatellProperties
class ClickatellProperties extends Object implements Serializable- serialVersionUID:
- -2147844690349952176L
-
Class org.apereo.cas.configuration.model.support.sms.GroovySmsProperties
class GroovySmsProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 8079027843747126083L
-
Class org.apereo.cas.configuration.model.support.sms.NexmoProperties
class NexmoProperties extends Object implements Serializable- serialVersionUID:
- 7546596773588579321L
-
Class org.apereo.cas.configuration.model.support.sms.RestfulSmsProperties
class RestfulSmsProperties extends RestEndpointProperties implements Serializable- serialVersionUID:
- -8102345678378393382L
-
Serialized Fields
-
style
RestfulSmsProperties.RestfulSmsRequestStyles style
Indicate the style and formatting of the SMS request parameters and how they should be included and sent via REST.
-
-
Class org.apereo.cas.configuration.model.support.sms.SmsModeProperties
class SmsModeProperties extends Object implements Serializable- serialVersionUID:
- -4185702036613030013L
-
Class org.apereo.cas.configuration.model.support.sms.SmsProperties
class SmsProperties extends Object implements Serializable- serialVersionUID:
- -3713886839517507306L
-
Serialized Fields
-
Class org.apereo.cas.configuration.model.support.sms.SmsProvidersProperties
class SmsProvidersProperties extends Object implements Serializable- serialVersionUID:
- -3713886839517507306L
-
Serialized Fields
-
clickatell
ClickatellProperties clickatell
Clickatell settings. -
groovy
GroovySmsProperties groovy
Groovy script for sending sms notifications. -
nexmo
NexmoProperties nexmo
Nexmo settings. -
rest
RestfulSmsProperties rest
Send SMS via REST. -
smsMode
SmsModeProperties smsMode
SmsMode settings. -
sns
AmazonSnsProperties sns
SNS settings. -
textMagic
TextMagicProperties textMagic
TextMagic settings. -
twilio
TwilioProperties twilio
Twilio settings.
-
-
Class org.apereo.cas.configuration.model.support.sms.TextMagicProperties
class TextMagicProperties extends Object implements Serializable- serialVersionUID:
- 5645993472155203013L
-
Serialized Fields
-
apiKey
String apiKey
Set the API key value for the first API key authentication. -
apiKeyPrefix
String apiKeyPrefix
Set the API key prefix for the first API key authentication. -
connectTimeout
int connectTimeout
Connect timeout (in milliseconds). -
debugging
boolean debugging
Whether debugging is enabled for this API client. -
password
String password
Set the password for the first HTTP basic authentication. -
readTimeout
int readTimeout
Read timeout (in milliseconds). -
token
String token
Secure token used to establish a handshake. -
userAgent
String userAgent
Set the User-Agent header's value (by adding to the default header map). -
username
String username
Username authorized to use the service as the bind account. -
verifyingSsl
boolean verifyingSsl
Should SSL connections be verified? -
writeTimeout
int writeTimeout
Write timeout (in milliseconds).
-
-
Class org.apereo.cas.configuration.model.support.sms.TwilioProperties
class TwilioProperties extends Object implements Serializable- serialVersionUID:
- -7043132225482495229L
-
Serialized Fields
-
accountId
String accountId
Twilio account identifier used for authentication. -
enabled
boolean enabled
Whether the module is enabled or not, defaults to true. -
phoneCallsEnabled
boolean phoneCallsEnabled
Controls whether Twilio support should also handle making phone calls. -
token
String token
Twilio secret token used for authentication.
-
-
-
Package org.apereo.cas.configuration.model.support.soap
-
Class org.apereo.cas.configuration.model.support.soap.SoapAuthenticationProperties
class SoapAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 7297575260958941037L
-
Serialized Fields
-
name
String name
The name of the authentication handler. -
order
int order
The order of this authentication handler in the chain. -
passwordEncoder
PasswordEncoderProperties passwordEncoder
Password encoding properties. -
principalTransformation
PrincipalTransformationProperties principalTransformation
Principal transformation properties. -
url
String url
URL of the SOAP endpoint.
-
-
-
Package org.apereo.cas.configuration.model.support.spnego
-
Class org.apereo.cas.configuration.model.support.spnego.SpnegoAuthenticationProperties
class SpnegoAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 4513529663377430783L
-
Serialized Fields
-
cachePolicy
long cachePolicy
Jcifs Netbios cache policy. -
jcifsDomain
String jcifsDomain
The Jcifs domain. -
jcifsDomainController
String jcifsDomainController
The Jcifs domain controller. -
jcifsNetbiosWins
String jcifsNetbiosWins
The Jcifs netbios wins. -
jcifsPassword
String jcifsPassword
The Jcifs password. -
jcifsServicePassword
String jcifsServicePassword
The Jcifs service password. -
jcifsServicePrincipal
String jcifsServicePrincipal
The Jcifs service principal. -
jcifsUsername
String jcifsUsername
The Jcifs username. -
timeout
String timeout
Spnego JCIFS timeout.
-
-
Class org.apereo.cas.configuration.model.support.spnego.SpnegoLdapProperties
class SpnegoLdapProperties extends AbstractLdapSearchProperties implements Serializable- serialVersionUID:
- -8835216200501334936L
-
Class org.apereo.cas.configuration.model.support.spnego.SpnegoProperties
class SpnegoProperties extends Object implements Serializable- serialVersionUID:
- 8084143496524446970L
-
Serialized Fields
-
alternativeRemoteHostAttribute
String alternativeRemoteHostAttribute
Alternative header name to use in order to find the host address. -
dnsTimeout
String dnsTimeout
When validating clients, specifies the DNS timeout used to look up an address. -
hostNameClientActionStrategy
String hostNameClientActionStrategy
The bean id of a webflow action whose job is to evaluate the client host to see if the request is authorized for spnego. Supported strategies include hostnameSpnegoClientAction, where CAS checks to see if the request's remote hostname matches a predefined pattern, and ldapSpnegoClientAction, where CAS checks an LDAP instance for the remote hostname, to locate a pre-defined attribute whose mere existence would allow the webflow to resume to SPNEGO. -
hostNamePatternString
String hostNamePatternString
A regex pattern that indicates whether the client host name is allowed for spnego. -
ipsToCheckPattern
String ipsToCheckPattern
A regex pattern that indicates whether the client IP is allowed for spnego. -
ldap
SpnegoLdapProperties ldap
LDAP settings for spnego to validate clients, etc. -
mixedModeAuthentication
boolean mixedModeAuthentication
If true, does not terminate authentication and allows CAS to resume and fallback to normal authentication means such as uid/psw via the login page. If disallowed, considers spnego authentication to be final in the event of failures. -
name
String name
Name of the authentication handler. -
ntlmAllowed
boolean ntlmAllowed
Allows authentication if spnego credential is marked as NTLM. -
order
int order
The order of the authentication handler in the chain. -
poolSize
int poolSize
The size of the pool used to validate SPNEGO tokens. A pool is used to provide better performance than what was previously offered by the simple Lombok Synchronized annotation. -
poolTimeout
String poolTimeout
The timeout of the pool used to validate SPNEGO tokens. -
principal
PersonDirectoryPrincipalResolverProperties principal
Password encoding settings for this authentication. -
principalTransformation
PrincipalTransformationProperties principalTransformation
Principal transformation properties. -
principalWithDomainName
boolean principalWithDomainName
If specified, will create the principal by this name on successful authentication. -
properties
List<SpnegoAuthenticationProperties> properties
Individual authentication settings for spnego that are grouped and fed to the spnego authentication object to form a collection. -
send401OnAuthenticationFailure
boolean send401OnAuthenticationFailure
If the authenticated principal cannot be determined from the spnego credential, will set the http status code to 401. -
spnegoAttributeName
String spnegoAttributeName
In case LDAP is used to validate clients, this is the attribute that indicates the host. -
supportedBrowsers
String supportedBrowsers
Begins negotiating spnego if the user-agent is one of the supported browsers. -
system
SpnegoSystemProperties system
Spnego settings that apply as system properties. -
webflow
WebflowAutoConfigurationProperties webflow
The webflow configuration.
-
-
Class org.apereo.cas.configuration.model.support.spnego.SpnegoSystemProperties
class SpnegoSystemProperties extends Object implements Serializable- serialVersionUID:
- -7213507143858237596L
-
Serialized Fields
-
kerberosConf
String kerberosConf
The Kerberos conf. As with all Kerberos installations, a Kerberos Key Distribution Center (KDC) is required. It needs to contain the user name and password you will use to be authenticated to Kerberos. As with most Kerberos installations, a Kerberos configuration file krb5.conf is consulted to determine such things as the default realm and KDC. Typically, the default realm and the KDC for that realm are indicated in the Kerberos krb5.conf configuration file. The path to the configuration file must typically be defined as an absolute path. -
kerberosDebug
String kerberosDebug
The Kerberos debug. -
kerberosKdc
String kerberosKdc
The Kerberos kdc. -
kerberosRealm
String kerberosRealm
The Kerberos realm. -
loginConf
String loginConf
The Login conf. Absolute path to the JAAS login configuration file. This should define the spnego authentication details. Make sure you have at least specified the JCIFS Service Principal defined. -
useSubjectCredsOnly
boolean useSubjectCredsOnly
The Use subject creds only.
-
-
-
Package org.apereo.cas.configuration.model.support.surrogate
-
Class org.apereo.cas.configuration.model.support.surrogate.SurrogateAuthenticationProperties
class SurrogateAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- -2088813217398883623L
-
Serialized Fields
-
groovy
SurrogateGroovyAuthenticationProperties groovy
Locate surrogate accounts via a Groovy resource. -
jdbc
SurrogateJdbcAuthenticationProperties jdbc
Locate surrogate accounts via a JDBC resource. -
json
SurrogateJsonAuthenticationProperties json
Locate surrogate accounts via a JSON resource. -
ldap
SurrogateLdapAuthenticationProperties ldap
Locate surrogate accounts via an LDAP server. -
mail
EmailProperties mail
Email settings for notifications. -
principal
PersonDirectoryPrincipalResolverProperties principal
Principal construction settings. -
rest
SurrogateRestfulAuthenticationProperties rest
Locate surrogate accounts via a REST resource. -
separator
String separator
The separator character used to distinguish between the surrogate account and the admin account. -
simple
SurrogateSimpleAuthenticationProperties simple
Locate surrogate accounts via CAS configuration, hardcoded as properties. -
sms
SmsProperties sms
SMS settings for notifications. -
tgt
SurrogateAuthenticationTicketGrantingTicketProperties tgt
Settings related to tickets issued for surrogate session, their expiration policy, etc.
-
-
Class org.apereo.cas.configuration.model.support.surrogate.SurrogateAuthenticationTicketGrantingTicketProperties
class SurrogateAuthenticationTicketGrantingTicketProperties extends Object implements Serializable- serialVersionUID:
- 2077366413438267330L
-
Serialized Fields
-
timeToKillInSeconds
long timeToKillInSeconds
Timeout in seconds to kill the surrogate session and consider tickets expired.
-
-
Class org.apereo.cas.configuration.model.support.surrogate.SurrogateGroovyAuthenticationProperties
class SurrogateGroovyAuthenticationProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 1588367681439517829L
-
Class org.apereo.cas.configuration.model.support.surrogate.SurrogateJdbcAuthenticationProperties
class SurrogateJdbcAuthenticationProperties extends AbstractJpaProperties implements Serializable- serialVersionUID:
- 8970195444880123796L
-
Serialized Fields
-
surrogateAccountQuery
String surrogateAccountQuery
SQL query to use in order to retrieve the list of qualified accounts for impersonation for a given admin user. -
surrogateSearchQuery
String surrogateSearchQuery
Surrogate query to use to determine whether an admin user can impersonate another user. The query must return an integer count of greater than zero.
-
-
Class org.apereo.cas.configuration.model.support.surrogate.SurrogateJsonAuthenticationProperties
class SurrogateJsonAuthenticationProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 3599367681439517829L
-
Class org.apereo.cas.configuration.model.support.surrogate.SurrogateLdapAuthenticationProperties
class SurrogateLdapAuthenticationProperties extends AbstractLdapSearchProperties implements Serializable- serialVersionUID:
- -3848837302921751926L
-
Serialized Fields
-
memberAttributeName
String memberAttributeName
Attribute that must be found on the LDAP entry linked to the admin user that tags the account as authorized for impersonation. All attribute values are then compared against the pattern you specify in SurrogateLdapAuthenticationProperties.getMemberAttributeValueRegex(). -
memberAttributeValueRegex
String memberAttributeValueRegex
A pattern that is matched against the attribute value of the admin user, that allows for further authorization of the admin user and accounts qualified for impersonation. The regular expression pattern is expected to contain at least a single group whose value on a successful match indicates the qualified impersonated user by admin. -
surrogateSearchFilter
String surrogateSearchFilter
LDAP search filter used to locate the surrogate account. The query is expected to determine whether the primary user is authorized to impersonate the given account. These fields may be referred to in the LDAP search query via {user} and {surrogate} placeholders. If the query result yields a value that points to an LDAP entry, impersonation is authorized for the given accounts. An example might be:
(&(uid={user})(xyzMemberOf=actAs:{surrogate}))
-
surrogateValidationFilter
String surrogateValidationFilter
An optional LDAP validation filter that attempts to look for the surrogate/impersonatee account in LDAP once authorization has been granted via SurrogateLdapAuthenticationProperties.getSurrogateSearchFilter(). You can use this validation filter to ensure the surrogate/impersonatee does exist in LDAP. The LDAP filter may use {surrogate} as a placeholder in the filter to locate the surrogate account. An example might be:
(&(uid={surrogate})(authorized=TRUE))
-
-
Class org.apereo.cas.configuration.model.support.surrogate.SurrogateRestfulAuthenticationProperties
class SurrogateRestfulAuthenticationProperties extends RestEndpointProperties implements Serializable- serialVersionUID:
- 8152273816132989085L
-
Class org.apereo.cas.configuration.model.support.surrogate.SurrogateSimpleAuthenticationProperties
class SurrogateSimpleAuthenticationProperties extends AbstractLdapSearchProperties implements Serializable- serialVersionUID:
- 16938920863432222L
-
-
Package org.apereo.cas.configuration.model.support.syncope
-
Class org.apereo.cas.configuration.model.support.syncope.BaseSyncopeProperties
class BaseSyncopeProperties extends Object implements Serializable- serialVersionUID:
- 98513672245088L
-
Class org.apereo.cas.configuration.model.support.syncope.BaseSyncopeSearchProperties
class BaseSyncopeSearchProperties extends BaseSyncopeProperties implements Serializable- serialVersionUID:
- 18257222412164L
-
Serialized Fields
-
attributeMappings
Map<String,String> attributeMappings
Map of attributes that optionally may be used to control the names of the collected attributes from Syncope. If an attribute is provided by Syncope, it can be listed here as the key of the map with a value that should be the name of that attribute as collected and recorded by CAS. For example, the convention lastLoginDate->lastDate will process the Syncope attribute lastLoginDate and will internally rename that to lastDate. If no mapping is specified, CAS defaults will be used instead. -
basicAuthPassword
String basicAuthPassword
Specify the password for REST authentication. -
basicAuthUsername
String basicAuthUsername
Specify the username for REST authentication. -
headers
Map<String,String> headers
Headers, defined as a Map, to include in the request when making the REST call. Will overwrite any header that CAS is pre-defined to send and include in the request. Key in the map should be the header name and the value in the map should be the header value. -
searchFilter
String searchFilter
User FIQL filter to use for searching. Syntax is username=={user} or username=={0}.
-
-
Class org.apereo.cas.configuration.model.support.syncope.SyncopeAccountManagementRegistrationProvisioningProperties
class SyncopeAccountManagementRegistrationProvisioningProperties extends BaseSyncopeProperties implements Serializable- serialVersionUID:
- 5555936823374022021L
-
Serialized Fields
-
basicAuthPassword
String basicAuthPassword
Specify the password for REST authentication. -
basicAuthUsername
String basicAuthUsername
Specify the username for REST authentication. -
headers
Map<String,String> headers
Headers, defined as a Map, to include in the request when making the REST call. Will overwrite any header that CAS is pre-defined to send and include in the request. Key in the map should be the header name and the value in the map should be the header value. -
realm
String realm
Syncope realm used for user provisioning. Realms define a hierarchical security domain tree, primarily meant for containing users. The root realm contains everything, and other realms can be seen as containers that split up the total number of entities into smaller pools.
-
-
Class org.apereo.cas.configuration.model.support.syncope.SyncopeAuthenticationProperties
class SyncopeAuthenticationProperties extends BaseSyncopeProperties implements Serializable- serialVersionUID:
- -2446926316502297496L
-
Serialized Fields
-
attributeMappings
Map<String,String> attributeMappings
Map of attributes that optionally may be used to control the names of the collected attributes from Syncope. If an attribute is provided by Syncope, it can be listed here as the key of the map with a value that should be the name of that attribute as collected and recorded by CAS. For example, the convention lastLoginDate->lastDate will process the Syncope attribute lastLoginDate and will internally rename that to lastDate. If no mapping is specified, CAS defaults will be used instead. In other words, this setting allows one to virtually rename and remap Syncope attributes during the authentication event. -
credentialCriteria
String credentialCriteria
A number of authentication handlers are allowed to determine whether they can operate on the provided credential and as such lend themselves to be tried and tested during the authentication handler selection phase. The credential criteria may be one of the following options:
- 1) A regular expression pattern that is tested against the credential identifier.
- 2) A fully qualified class name of your own design that implements Predicate.
- 3) Path to an external Groovy script that implements the same interface.
-
name
String name
Name of the authentication handler. -
order
int order
The order of this authentication handler in the chain. -
passwordEncoder
PasswordEncoderProperties passwordEncoder
Password encoder settings for the authentication handler. -
principalTransformation
PrincipalTransformationProperties principalTransformation
Principal transformation properties. -
provisioning
SyncopePrincipalProvisioningProperties provisioning
Handling just-in-time provisioning settings. -
state
AuthenticationHandlerStates state
Define the scope and state of this authentication handler and the lifecycle in which it can be invoked or activated.
-
-
Class org.apereo.cas.configuration.model.support.syncope.SyncopePrincipalAttributesProperties
class SyncopePrincipalAttributesProperties extends BaseSyncopeSearchProperties implements Serializable- serialVersionUID:
- 98257222402164L
-
Serialized Fields
-
id
String id
A value can be assigned to this field to uniquely identify this resolver. -
order
int order
The order of this attribute repository in the chain of repositories. Can be used to explicitly position this source in chain and affects merging strategies. -
state
AttributeRepositoryStates state
Whether attribute resolution based on this source is enabled.
-
-
Class org.apereo.cas.configuration.model.support.syncope.SyncopePrincipalProvisioningProperties
class SyncopePrincipalProvisioningProperties extends BaseSyncopeSearchProperties implements Serializable- serialVersionUID:
- 98447332402164L
-
Serialized Fields
-
enabled
boolean enabled
Whether or not provisioning should be enabled with Syncope. -
realm
String realm
Syncope realm used for principal provisioning. Realms define a hierarchical security domain tree, primarily meant for containing users. The root realm contains everything, and other realms can be seen as containers that split up the total number of entities into smaller pools.
-
-
-
Package org.apereo.cas.configuration.model.support.themes
-
Class org.apereo.cas.configuration.model.support.themes.ThemeProperties
class ThemeProperties extends Object implements Serializable- serialVersionUID:
- 2248773823196496599L
-
Serialized Fields
-
-
Package org.apereo.cas.configuration.model.support.throttle
-
Class org.apereo.cas.configuration.model.support.throttle.Bucket4jThrottleProperties
class Bucket4jThrottleProperties extends BaseBucket4jProperties implements Serializable- serialVersionUID:
- 5813165633105563813L
-
Class org.apereo.cas.configuration.model.support.throttle.HazelcastThrottleProperties
class HazelcastThrottleProperties extends BaseHazelcastProperties implements Serializable- serialVersionUID:
- 5813165633105563813L
-
Class org.apereo.cas.configuration.model.support.throttle.JdbcThrottleProperties
class JdbcThrottleProperties extends AbstractJpaProperties implements Serializable- serialVersionUID:
- -9199878384425691919L
-
Serialized Fields
-
auditQuery
String auditQuery
Audit query to execute against the database to locate audit records based on IP, user, date and an application code along with the relevant audit action. -
enabled
boolean enabled
Decide whether JDBC audits should be enabled.
-
-
Class org.apereo.cas.configuration.model.support.throttle.LdapThrottleProperties
class LdapThrottleProperties extends AbstractLdapSearchProperties implements Serializable- serialVersionUID:
- 7519847618333749780L
-
Serialized Fields
-
accountLockedAttribute
String accountLockedAttribute
Name of the LDAP attribute that represents the account locked status. The value of the attribute is set to "true" if the account is ever updated to indicate a locked status.
-
-
Class org.apereo.cas.configuration.model.support.throttle.ThrottleCoreProperties
class ThrottleCoreProperties extends Object implements Serializable- serialVersionUID:
- -1806129199319966518L
-
Serialized Fields
-
appCode
String appCode
Application code used to identify this application in the audit logs. -
headerName
String headerName
Request header name to use in order to extract a header value from the request. -
usernameParameter
String usernameParameter
Username parameter to use in order to extract the username from the request.
-
-
Class org.apereo.cas.configuration.model.support.throttle.ThrottleFailureProperties
class ThrottleFailureProperties extends Object implements Serializable- serialVersionUID:
- 7647772524660134142L
-
Serialized Fields
-
code
String code
Failure code to record in the audit log. Generally this indicates an authentication failure event. -
rangeSeconds
int rangeSeconds
Period of time in seconds for the threshold rate. -
threshold
int threshold
Number of failed login attempts for the threshold rate. -
throttleWindowSeconds
String throttleWindowSeconds
Number of seconds the account should remain in a locked/throttled state before it is released and may continue again. If no value is specified, the calculated failure threshold and rate hold instead: the client stays throttled only as long as enough failures fall inside the threshold period.
-
-
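The failure threshold, period and optional lock window described above are easier to reason about when run against a few events. The following is an added example, not CAS's own throttling code: a small sliding-window throttle keyed on client IP and username. The event list is constructed sample data, the case-insensitive username comparison is an assumption, and the exact rate formula CAS uses is not reproduced, only the behaviour the properties describe (throttle once `threshold` failures fall within `rangeSeconds`; with `throttleWindowSeconds` set, hold the lock for that long regardless of how the failures age out).

```python
from collections import defaultdict, deque

# Constructed authentication failure events: (epoch seconds, client IP, username).
# Sample data made up for this example, not real audit records.
FAILURE_EVENTS = [
    (0, "10.0.0.1", "alice"),
    (1, "10.0.0.1", "alice"),
    (2, "10.0.0.1", "alice"),
    (3, "10.0.0.1", "bob"),
]


class FailureThrottle:
    """Throttle keyed on (client IP, username) after `threshold` failures within
    `range_seconds`; the parameter names mirror the properties above."""

    def __init__(self, threshold, range_seconds, throttle_window_seconds=None):
        self.threshold = threshold
        self.range_seconds = range_seconds
        self.throttle_window_seconds = throttle_window_seconds
        self._failures = defaultdict(deque)   # key -> recent failure timestamps
        self._locked_until = {}               # key -> release time, only when a window is set

    @staticmethod
    def _key(client_ip, username):
        # Case-insensitive username comparison is an assumption of this example.
        return (client_ip, username.lower())

    def _recent_failures(self, key, now):
        """Drop failures that fell out of the rangeSeconds window; return how many remain."""
        q = self._failures[key]
        while q and now - q[0] > self.range_seconds:
            q.popleft()
        return len(q)

    def record_failure(self, client_ip, username, now):
        key = self._key(client_ip, username)
        self._failures[key].append(now)
        if self._recent_failures(key, now) >= self.threshold and self.throttle_window_seconds is not None:
            # Explicit lock: hold for throttleWindowSeconds even after the failures age out.
            self._locked_until[key] = now + self.throttle_window_seconds

    def is_throttled(self, client_ip, username, now):
        key = self._key(client_ip, username)
        release = self._locked_until.get(key)
        if release is not None:
            if now < release:
                return True
            # Window elapsed: release the account and forget the old failures.
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        # No explicit window: the computed threshold rate holds, i.e. the client stays
        # throttled only while `threshold` failures still fall inside `range_seconds`.
        return self._recent_failures(key, now) >= self.threshold


def replay(throttle, events, probe_time):
    """Feed constructed failure events to a throttle and report who is throttled at probe_time."""
    for ts, ip, user in events:
        throttle.record_failure(ip, user, ts)
    subjects = {(ip, user) for _, ip, user in events}
    return {user: throttle.is_throttled(ip, user, probe_time) for ip, user in sorted(subjects)}


if __name__ == "__main__":
    print(replay(FailureThrottle(threshold=3, range_seconds=10), FAILURE_EVENTS, probe_time=4))
    print(replay(FailureThrottle(threshold=3, range_seconds=10), FAILURE_EVENTS, probe_time=20))
    windowed = FailureThrottle(threshold=3, range_seconds=10, throttle_window_seconds=60)
    print(replay(windowed, FAILURE_EVENTS, probe_time=20))
```

Without a window, alice is released as soon as her three failures are older than ten seconds; with `throttleWindowSeconds=60` she stays locked until t=62 even though the window of failures has long emptied. Bob, with a single failure, is never throttled.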
Class org.apereo.cas.configuration.model.support.throttle.ThrottleProperties
class ThrottleProperties extends Object implements Serializable- serialVersionUID:
- 6813165633105563813L
-
Serialized Fields
-
bucket4j
Bucket4jThrottleProperties bucket4j
Settings related to throttling requests using bucket4j. -
core
ThrottleCoreProperties core
Core throttling settings. -
failure
ThrottleFailureProperties failure
Throttling failure events. -
hazelcast
HazelcastThrottleProperties hazelcast
Settings related to throttling requests using hazelcast. -
jdbc
JdbcThrottleProperties jdbc
Record authentication throttling events in a JDBC resource. -
ldap
LdapThrottleProperties ldap
Settings related to throttling requests using LDAP. -
schedule
SchedulingProperties schedule
Scheduler settings to clean up throttled attempts.
-
-
-
Package org.apereo.cas.configuration.model.support.token
-
Class org.apereo.cas.configuration.model.support.token.TokenAuthenticationProperties
class TokenAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 6016124091895278265L
-
Serialized Fields
-
credentialCriteria
String credentialCriteria
A number of authentication handlers are allowed to determine whether they can operate on the provided credential and as such lend themselves to be tried and tested during the authentication handler selection phase. The credential criteria may be one of the following options:
- 1) A regular expression pattern that is tested against the credential identifier.
- 2) A fully qualified class name of your own design that implements Predicate.
- 3) Path to an external Groovy script that implements the same interface.
-
crypto
EncryptionOptionalSigningOptionalJwtCryptographyProperties crypto
Crypto settings. -
name
String name
Name of the authentication handler. -
order
int order
Order of the authentication handler in the chain. -
ssoTokenEnabled
boolean ssoTokenEnabled
When set to true, will generate a token and store it as an authentication attribute into the single sign-on session. This token can be used later on for token-based authentication attempts, and should allow SSO access to the server. -
state
AuthenticationHandlerStates state
Define the scope and state of this authentication handler and the lifecycle in which it can be invoked or activated. -
webflow
WebflowAutoConfigurationProperties webflow
The webflow configuration.
-
-
-
Package org.apereo.cas.configuration.model.support.trusted
-
Class org.apereo.cas.configuration.model.support.trusted.TrustedAuthenticationProperties
class TrustedAuthenticationProperties extends Object implements Serializable- serialVersionUID:
- 279410895614233349L
-
Serialized Fields
-
attributeHeaderPatterns
List<String> attributeHeaderPatterns
Regular expressions that are applied to all request headers to extract them as principal attributes. The comparison is case insensitive. Each pattern should use regular expression groups to extract inner matches from a header value. -
name
String name
Indicates the name of the authentication handler. -
order
Integer order
Order of the authentication handler in the chain. -
personDirectory
PersonDirectoryPrincipalResolverProperties personDirectory
Principal resolution settings after successful authentication attempts. -
remotePrincipalHeader
String remotePrincipalHeader
Name of the request header whose value is taken as the authenticated user id asserted by the remote authentication system.
-
-
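Trusted authentication takes the user id and attributes straight from request headers, so what matters is which hop is allowed to set them and how the header patterns are applied. The block below is an added example, not CAS code: the header names, patterns, proxy address and request are all constructed for the example, and applying each pattern to the header name (with the first capture group becoming the attribute name) is this example's reading of `attributeHeaderPatterns`. The trusted-proxy check is an added safeguard that the properties themselves do not perform; without it any client could forge the principal header.

```python
import re

# Names assumed for this example; real deployments set remotePrincipalHeader
# and attributeHeaderPatterns to whatever the upstream proxy emits.
REMOTE_PRINCIPAL_HEADER = "REMOTE_USER"
ATTRIBUTE_HEADER_PATTERNS = [r"^x-cas-attr-(.+)$", r"^shib-(.+)$"]
TRUSTED_PROXIES = {"192.0.2.10"}   # constructed: the only hop allowed to assert identity

# Constructed request headers as an upstream reverse proxy would set them,
# plus one ordinary browser header that must not become an attribute.
SAMPLE_HEADERS = {
    "REMOTE_USER": "jsmith",
    "X-CAS-ATTR-Mail": "jsmith@example.org",
    "X-Cas-Attr-Groups": "staff",
    "Shib-Affiliation": "member@example.org",
    "User-Agent": "curl/8.0",
}


def extract_attributes(headers, patterns=ATTRIBUTE_HEADER_PATTERNS):
    """Match every header name against the patterns case-insensitively; the first
    capture group becomes the (lower-cased) attribute name and the header value
    its value. Headers matching no pattern are ignored."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    attributes = {}
    for name, value in headers.items():
        for rx in compiled:
            m = rx.match(name)
            if m:
                attr = (m.group(1) if m.groups() else name).lower()
                attributes.setdefault(attr, []).append(value)
                break
    return attributes


def resolve_principal(headers, peer_ip, remote_principal_header=REMOTE_PRINCIPAL_HEADER,
                      trusted_proxies=TRUSTED_PROXIES):
    """Return {'id': ..., 'attributes': {...}} or None.

    The remote principal header is honoured only when the TCP peer is a proxy
    known to overwrite it; a request arriving directly from a client is refused
    no matter what headers it carries."""
    if peer_ip not in trusted_proxies:
        return None
    by_lower_name = {k.lower(): v for k, v in headers.items()}
    principal_id = by_lower_name.get(remote_principal_header.lower())
    if not principal_id:
        return None
    return {"id": principal_id, "attributes": extract_attributes(headers)}


if __name__ == "__main__":
    print(resolve_principal(SAMPLE_HEADERS, peer_ip="192.0.2.10"))
    print(resolve_principal(SAMPLE_HEADERS, peer_ip="203.0.113.5"))  # None: not via the proxy
```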
-
Package org.apereo.cas.configuration.model.support.uma
-
Class org.apereo.cas.configuration.model.support.uma.UmaCoreProperties
class UmaCoreProperties extends Object implements Serializable- serialVersionUID:
- 865028615694269276L
-
Serialized Fields
-
issuer
String issuer
UMA issuer.
-
-
Class org.apereo.cas.configuration.model.support.uma.UmaPermissionTicketProperties
class UmaPermissionTicketProperties extends Object implements Serializable- serialVersionUID:
- 6624128522839644377L
-
Serialized Fields
-
maxTimeToLiveInSeconds
String maxTimeToLiveInSeconds
Hard timeout, in seconds, after which the UMA permission ticket expires.
-
-
Class org.apereo.cas.configuration.model.support.uma.UmaProperties
class UmaProperties extends Object implements Serializable- serialVersionUID:
- 865028615694269276L
-
Serialized Fields
-
core
UmaCoreProperties core
Handles core settings. -
permissionTicket
UmaPermissionTicketProperties permissionTicket
Handles settings related to permission tickets. -
requestingPartyToken
UmaRequestingPartyTokenProperties requestingPartyToken
Handles settings related to rpt tokens. -
resourceSet
UmaResourceSetProperties resourceSet
Handles settings related to management of resource-sets, etc.
-
-
Class org.apereo.cas.configuration.model.support.uma.UmaRequestingPartyTokenProperties
class UmaRequestingPartyTokenProperties extends Object implements Serializable- serialVersionUID:
- 3988708361481340920L
-
Serialized Fields
-
jwksFile
SpringResourceProperties jwksFile
Path to the JWKS file that is used to sign the rpt token. -
maxTimeToLiveInSeconds
String maxTimeToLiveInSeconds
Hard timeout, in seconds, after which the requesting party token (RPT) expires.
-
-
Class org.apereo.cas.configuration.model.support.uma.UmaResourceSetJpaProperties
class UmaResourceSetJpaProperties extends AbstractJpaProperties implements Serializable- serialVersionUID:
- 210435146313504995L
-
Class org.apereo.cas.configuration.model.support.uma.UmaResourceSetProperties
class UmaResourceSetProperties extends Object implements Serializable- serialVersionUID:
- 215435145313504895L
-
Serialized Fields
-
jpa
UmaResourceSetJpaProperties jpa
Store resource-sets and policies via JPA.
-
-
-
Package org.apereo.cas.configuration.model.support.wsfed
-
Class org.apereo.cas.configuration.model.support.wsfed.GroovyWsFederationDelegationProperties
class GroovyWsFederationDelegationProperties extends SpringResourceProperties implements Serializable- serialVersionUID:
- 8079027843747126083L
-
Class org.apereo.cas.configuration.model.support.wsfed.WsFederationDelegatedCookieProperties
class WsFederationDelegatedCookieProperties extends PinnableCookieProperties implements Serializable- serialVersionUID:
- 7392972818105536350L
-
Serialized Fields
-
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Crypto settings that determine how the cookie should be signed and encrypted.
-
-
Class org.apereo.cas.configuration.model.support.wsfed.WsFederationDelegationProperties
class WsFederationDelegationProperties extends Object implements Serializable- serialVersionUID:
- 5743971334977239938L
-
Serialized Fields
-
attributeMutatorScript
GroovyWsFederationDelegationProperties attributeMutatorScript
Path to attribute mutator groovy script that allows one to modify wsfed attributes before establishing a final principal. -
attributeResolverEnabled
boolean attributeResolverEnabled
Whether CAS should enable its own attribute resolution machinery after having received a response from wsfed. -
attributesType
String attributesType
Indicates how attributes should be recorded into the principal object. Useful if you wish to additionally resolve attributes on top of what wsfed provides. Accepted values are CAS, WSFED, BOTH. -
autoRedirectType
DelegationAutoRedirectTypes autoRedirectType
Whether CAS should auto redirect to this wsfed instance. -
cookie
WsFederationDelegatedCookieProperties cookie
Signing/encryption settings related to managing the cookie that is used to keep track of the session. -
encryptionCertificate
String encryptionCertificate
The path to the public key/certificate used to handle and verify encrypted assertions. -
encryptionPrivateKey
String encryptionPrivateKey
The path to the private key used to decrypt encrypted assertions. -
encryptionPrivateKeyPassword
String encryptionPrivateKeyPassword
The private key password. -
id
String id
Internal identifier for this wsfed configuration. If undefined, the identifier is auto-generated by CAS itself. In the event that there is more than one CAS server defined in a clustered deployment, this identifier must be statically defined in the configuration so that every node uses the same value. -
identityAttribute
String identityAttribute
The attribute extracted from the assertion and used to construct the CAS principal id. -
identityProviderIdentifier
String identityProviderIdentifier
The entity id or the identifier of the Wsfed instance. -
identityProviderUrl
String identityProviderUrl
Wsfed identity provider url. -
name
String name
Name of the authentication handler. -
order
int order
The order of the authentication handler in the chain. -
principal
PersonDirectoryPrincipalResolverProperties principal
Principal resolution settings. -
relyingPartyIdentifier
String relyingPartyIdentifier
The identifier for CAS (RP) registered with wsfed. -
signingCertificateResources
String signingCertificateResources
Locations of signing certificates used to verify assertions. Locations could be specified as static file-system resources (certificates) or they could also be federation XML metadata, either as a URL or an XML file. If federation metadata XML is provided, the signing certificate is extracted from the IDPSSODescriptor's key descriptor that is marked for signing. -
tolerance
String tolerance
Tolerance value used to skew assertions to support clock drift.
-
-
Class org.apereo.cas.configuration.model.support.wsfed.WsFederationIdentityProviderProperties
class WsFederationIdentityProviderProperties extends Object implements Serializable- serialVersionUID:
- 5190493517277610788L
-
Serialized Fields
-
realm
String realm
At this point, by default, the security token service's endpoints operate using a single realm configuration, and the identity provider configuration is only able to recognize and request tokens for a single realm. Client registrations need to ensure this value is matched. -
realmName
String realmName
Realm name.
-
-
Class org.apereo.cas.configuration.model.support.wsfed.WsFederationProperties
class WsFederationProperties extends Object implements Serializable- serialVersionUID:
- -8679379856243224647L
-
Serialized Fields
-
idp
WsFederationIdentityProviderProperties idp
Settings related to the WS-Federation identity provider. -
sts
WsFederationSecurityTokenServiceProperties sts
Settings related to the WS-Federation security token service.
-
-
Class org.apereo.cas.configuration.model.support.wsfed.WsFederationSecurityTokenServiceProperties
class WsFederationSecurityTokenServiceProperties extends Object implements Serializable- serialVersionUID:
- -1155140161252595793L
-
Serialized Fields
-
conditionsAcceptClientLifetime
boolean conditionsAcceptClientLifetime
Whether a client-supplied token lifetime is accepted. -
conditionsFailLifetimeExceedance
boolean conditionsFailLifetimeExceedance
If the requested lifetime exceeds the maximum, whether the request should fail (default) or the lifetime be overwritten with the maximum lifetime. -
conditionsFutureTimeToLive
String conditionsFutureTimeToLive
How long (in seconds) a client-supplied Created element is allowed to be in the future. The default is 60 seconds to avoid common problems relating to clock skew. -
conditionsLifetime
String conditionsLifetime
Set the default lifetime in seconds for issued SAML tokens. -
conditionsMaxLifetime
String conditionsMaxLifetime
Set the maximum lifetime in seconds for issued SAML tokens. -
crypto
EncryptionJwtSigningJwtCryptographyProperties crypto
Crypto settings used to secure calls between the idp and the sts. -
customClaims
List<String> customClaims
Collection of fully-qualified claims prefixed with the appropriate namespace that are expected to be released via attribute release policy. -
encryptionKeystoreFile
String encryptionKeystoreFile
Keystore path used to encrypt tokens. -
encryptionKeystorePassword
String encryptionKeystorePassword
Keystore password used to encrypt tokens. -
encryptTokens
boolean encryptTokens
Whether tokens generated by the STS should be encrypted. -
realm
WsFederationSecurityTokenServiceRealmProperties realm
Realm definition settings that define this CAS server. -
signingKeystoreFile
String signingKeystoreFile
Keystore path used to sign tokens. -
signingKeystorePassword
String signingKeystorePassword
Keystore password used to sign tokens. -
signTokens
boolean signTokens
Set whether the provided token will be signed or not. Default is true. -
subjectNameIdFormat
String subjectNameIdFormat
When generating a SAML token, indicates the subject name-id format to use. Accepted values are:
- unspecified
- transient
- persistent
- entity
-
subjectNameQualifier
String subjectNameQualifier
When generating a SAML token, indicates the subject name-id qualifier to use.
-
-
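The conditions* settings above interact: a client may propose its own Created/Expires window, the STS tolerates a Created element slightly in the future, and a requested lifetime above the maximum is either refused or clamped. The following added example (not CAS or Apache CXF STS code) walks through those decisions with epoch-second integers. The 60-second future tolerance and the fail-on-exceedance default come from the descriptions above; the 1800 s default lifetime and 3600 s maximum are values assumed for the example.

```python
# Defaults mirror the property descriptions; all times are epoch seconds (ints).
STS_SETTINGS = {
    "conditions_accept_client_lifetime": True,
    "conditions_fail_lifetime_exceedance": True,   # documented default: fail
    "conditions_future_time_to_live": 60,           # documented default: 60 s
    "conditions_lifetime": 1800,                    # assumed value for the example
    "conditions_max_lifetime": 3600,                # assumed value for the example
}


class LifetimeRejected(Exception):
    """Raised when the client's requested lifetime violates the STS conditions."""


def issue_lifetime(now, requested_created=None, requested_expires=None, settings=STS_SETTINGS):
    """Decide the (created, expires) window of a token the STS is about to issue.

    Without a client lifetime (or when client lifetimes are not accepted) the
    default lifetime applies; a Created element further in the future than the
    skew tolerance is rejected; a requested lifetime above the maximum is either
    rejected or clamped, depending on conditionsFailLifetimeExceedance."""
    s = settings
    if (not s["conditions_accept_client_lifetime"]
            or requested_created is None or requested_expires is None):
        return now, now + s["conditions_lifetime"]

    if requested_created - now > s["conditions_future_time_to_live"]:
        raise LifetimeRejected("Created is further in the future than the clock-skew tolerance allows")
    requested = requested_expires - requested_created
    if requested <= 0:
        raise LifetimeRejected("Expires must be after Created")
    if requested > s["conditions_max_lifetime"]:
        if s["conditions_fail_lifetime_exceedance"]:
            raise LifetimeRejected("requested lifetime %d s exceeds maximum %d s"
                                   % (requested, s["conditions_max_lifetime"]))
        # Lenient mode: overwrite with the maximum lifetime instead of failing.
        return requested_created, requested_created + s["conditions_max_lifetime"]
    return requested_created, requested_expires


if __name__ == "__main__":
    now = 1_700_000_000
    print(issue_lifetime(now))                                # default 1800 s window
    print(issue_lifetime(now, now, now + 600))                # 10 minutes requested: honoured
    lenient = dict(STS_SETTINGS, conditions_fail_lifetime_exceedance=False)
    print(issue_lifetime(now, now, now + 7200, lenient))      # clamped to the maximum
    try:
        issue_lifetime(now, now, now + 7200)                  # default: refused
    except LifetimeRejected as e:
        print("rejected:", e)
```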
Class org.apereo.cas.configuration.model.support.wsfed.WsFederationSecurityTokenServiceRealmProperties
class WsFederationSecurityTokenServiceRealmProperties extends Object implements Serializable- serialVersionUID:
- -2209230334376432934L
-
Serialized Fields
-
issuer
String issuer
Issuer/name of the realm identified and registered with STS. -
keyPassword
String keyPassword
Password of the key associated with this realm. -
keystoreAlias
String keystoreAlias
Key alias associated with this realm. -
keystoreFile
String keystoreFile
Keystore path associated with this realm. -
keystorePassword
String keystorePassword
Keystore password associated with this realm.
-
-
-
Package org.apereo.cas.configuration.model.support.x509
-
Class org.apereo.cas.configuration.model.support.x509.BaseAlternativePrincipalResolverProperties
class BaseAlternativePrincipalResolverProperties extends Object implements Serializable- serialVersionUID:
- 4770829035414038072L
-
Serialized Fields
-
alternatePrincipalAttribute
String alternatePrincipalAttribute
Attribute name that will be used by X509 principal resolvers if the main attribute in the certificate is not present. This only applies to principal resolvers that are looking for attributes in the certificate that are not common to all certificates (e.g. SUBJECT_ALT_NAME, CN_EDIPI). This assumes you would rather get something like the subjectDn rather than null, where null would allow falling through to another authentication mechanism. Currently supported values are: subjectDn, sigAlgOid, subjectX500Principal.
-
-
Class org.apereo.cas.configuration.model.support.x509.CnEdipiPrincipalResolverProperties
class CnEdipiPrincipalResolverProperties extends BaseAlternativePrincipalResolverProperties implements Serializable- serialVersionUID:
- 2622326703782668141L
-
Serialized Fields
-
extractEdipiAsAttribute
boolean extractEdipiAsAttribute
Whether to extract EDIPI as an attribute, regardless of principal resolver type.
-
-
Class org.apereo.cas.configuration.model.support.x509.Rfc822EmailPrincipalResolverProperties
class Rfc822EmailPrincipalResolverProperties extends BaseAlternativePrincipalResolverProperties implements Serializable- serialVersionUID:
- -8696449609399074305L
-
Class org.apereo.cas.configuration.model.support.x509.SerialNoDnPrincipalResolverProperties
class SerialNoDnPrincipalResolverProperties extends Object implements Serializable- serialVersionUID:
- 1259126639860604739L
-
Serialized Fields
-
serialNumberPrefix
String serialNumberPrefix
The serial number prefix used for principal resolution when type is set to X509Properties.PrincipalTypes.SERIAL_NO_DN. -
valueDelimiter
String valueDelimiter
Value delimiter used for principal resolution when type is set to X509Properties.PrincipalTypes.SERIAL_NO_DN.
-
-
Class org.apereo.cas.configuration.model.support.x509.SerialNoPrincipalResolverProperties
class SerialNoPrincipalResolverProperties extends Object implements Serializable- serialVersionUID:
- -4935371089672080311L
-
Serialized Fields
-
principalHexSNZeroPadding
boolean principalHexSNZeroPadding
If radix hex padding should be used when X509Properties.PrincipalTypes is X509Properties.PrincipalTypes.SERIAL_NO. -
principalSNRadix
int principalSNRadix
Radix used when X509Properties.PrincipalTypes is X509Properties.PrincipalTypes.SERIAL_NO.
-
-
Class org.apereo.cas.configuration.model.support.x509.SubjectAltNamePrincipalResolverProperties
class SubjectAltNamePrincipalResolverProperties extends BaseAlternativePrincipalResolverProperties implements Serializable- serialVersionUID:
- -8696449609399074305L
-
Class org.apereo.cas.configuration.model.support.x509.SubjectDnPrincipalResolverProperties
class SubjectDnPrincipalResolverProperties extends Object implements Serializable- serialVersionUID:
- -1833042842488884318L
-
Serialized Fields
-
format
SubjectDnPrincipalResolverProperties.SubjectDnFormat format
Format of subject DN to use.
-
-
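The resolver property classes above (BaseAlternativePrincipalResolverProperties, SerialNoDnPrincipalResolverProperties, SerialNoPrincipalResolverProperties, SubjectDnPrincipalResolverProperties) each shape a different principal id from the same certificate. The block below is an added example, not CAS's resolvers: it works on a constructed dictionary of certificate facts rather than a real X509Certificate, pads odd-length hex serials to an even number of digits as its reading of principalHexSNZeroPadding, uses the issuer DN with a `SERIALNUMBER=` prefix and `, ` delimiter for SERIAL_NO_DN, and treats subjectX500Principal as the same RFC 2253 string as the subject DN. All four are assumptions of the example.

```python
# Constructed certificate facts, standing in for what would be read from a
# java.security.cert.X509Certificate; not a real certificate.
CERT = {
    "subject_dn": "CN=Jane Doe,OU=Staff,O=Example,C=US",
    "issuer_dn": "CN=Example CA,O=Example,C=US",
    "serial": 0xABC,               # 2748 decimal
    "sig_alg_oid": "1.2.840.113549.1.1.11",
    "subject_alt_name": None,      # no SAN: exercises the alternate-attribute path
    "cn_edipi": None,
}

ALTERNATE_ATTRIBUTE_SOURCES = {
    "subjectDn": lambda c: c["subject_dn"],
    "sigAlgOid": lambda c: c["sig_alg_oid"],
    # Assumed equal to the subject DN string for this example.
    "subjectX500Principal": lambda c: c["subject_dn"],
}


def serial_no(cert, radix=10, hex_zero_padding=False):
    """SERIAL_NO: the serial number rendered in the configured radix. With radix 16
    and padding on, pad to an even number of digits (two hex chars per byte)."""
    serial = cert["serial"]
    if radix == 10:
        return str(serial)
    if radix == 16:
        text = format(serial, "x")
        if hex_zero_padding and len(text) % 2:
            text = "0" + text
        return text
    raise ValueError("unsupported radix %r" % radix)


def serial_no_dn(cert, serial_number_prefix="SERIALNUMBER=", value_delimiter=", "):
    """SERIAL_NO_DN: prefix + decimal serial + delimiter + issuer DN (assumed layout)."""
    return "%s%d%s%s" % (serial_number_prefix, cert["serial"], value_delimiter, cert["issuer_dn"])


def with_alternate(primary_value, cert, alternate_principal_attribute=None):
    """Fallback for resolvers whose attribute is absent from some certificates
    (SUBJECT_ALT_NAME, CN_EDIPI): return the alternate attribute, or None so the
    attempt can fall through to another authentication mechanism."""
    if primary_value:
        return primary_value
    if alternate_principal_attribute is None:
        return None
    return ALTERNATE_ATTRIBUTE_SOURCES[alternate_principal_attribute](cert)


def resolve_principal(cert, principal_type, **options):
    """Dispatch on the X509Properties.PrincipalTypes value."""
    if principal_type == "SUBJECT_DN":
        return cert["subject_dn"]
    if principal_type == "SERIAL_NO":
        return serial_no(cert, options.get("radix", 10), options.get("hex_zero_padding", False))
    if principal_type == "SERIAL_NO_DN":
        dn_opts = {k: v for k, v in options.items() if k in ("serial_number_prefix", "value_delimiter")}
        return serial_no_dn(cert, **dn_opts)
    if principal_type in ("SUBJECT_ALT_NAME", "CN_EDIPI"):
        key = "subject_alt_name" if principal_type == "SUBJECT_ALT_NAME" else "cn_edipi"
        return with_alternate(cert[key], cert, options.get("alternate_principal_attribute"))
    raise ValueError("unknown principal type %r" % principal_type)


if __name__ == "__main__":
    cases = [("SUBJECT_DN", {}), ("SERIAL_NO", {"radix": 16, "hex_zero_padding": True}),
             ("SERIAL_NO_DN", {}), ("SUBJECT_ALT_NAME", {"alternate_principal_attribute": "subjectDn"}),
             ("SUBJECT_ALT_NAME", {})]
    for ptype, opts in cases:
        print(ptype, "->", resolve_principal(CERT, ptype, **opts))
```

The last two cases show the point of alternatePrincipalAttribute: the same certificate without a SAN yields the subject DN when a fallback is configured and None otherwise, and only the None result lets the webflow try another handler.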
Class org.apereo.cas.configuration.model.support.x509.X509LdapProperties
class X509LdapProperties extends AbstractLdapSearchProperties implements Serializable- serialVersionUID:
- -1655068554291000206L
-
Serialized Fields
-
certificateAttribute
String certificateAttribute
The LDAP attribute that holds the certificate revocation list.
-
-
Class org.apereo.cas.configuration.model.support.x509.X509Properties
class X509Properties extends Object implements Serializable- serialVersionUID:
- -9032744084671270366L
-
Serialized Fields
-
cacheMaxElementsInMemory
int cacheMaxElementsInMemory
When CRLs are cached, indicate maximum number of elements kept in memory. -
cacheTimeToLiveSeconds
String cacheTimeToLiveSeconds
When CRLs are cached, indicate the time-to-live of cache items. -
checkAll
boolean checkAll
Whether revocation checking should check all resources, or stop at first one. -
checkKeyUsage
boolean checkKeyUsage
Deployer supplied setting to check the KeyUsage extension. -
cnEdipi
CnEdipiPrincipalResolverProperties cnEdipi
Principal resolver properties for CN_EDIPI resolver type. -
crlExpiredPolicy
String crlExpiredPolicy
If the CRL has expired, activate this policy. Activated if X509Properties.revocationChecker is CRL. Accepted values are:
ALLOW: Allow authentication to proceed.
DENY: Deny authentication and block.
THRESHOLD: Applicable to CRL expiration, throttle the request whereby expired data is permitted up to a threshold period of time but not afterward.
-
crlFetcher
String crlFetcher
Options to describe how to fetch CRL resources. To fetch CRLs, the following options are available:
RESOURCE: By default, all revocation checks use fixed resources to fetch the CRL resource from the specified location.
LDAP: A CRL resource may be fetched from a pre-configured attribute, in the event that the CRL resource location is an LDAP URI.
-
crlResourceExpiredPolicy
String crlResourceExpiredPolicy
If the CRL resource has expired, activate this policy. Activated if X509Properties.revocationChecker is RESOURCE. Accepted values are:
ALLOW: Allow authentication to proceed.
DENY: Deny authentication and block.
THRESHOLD: Applicable to CRL expiration, throttle the request whereby expired data is permitted up to a threshold period of time but not afterward.
-
crlResources
List<String> crlResources
List of CRL resources to use for fetching. -
crlResourceUnavailablePolicy
String crlResourceUnavailablePolicy
If the CRL resource is unavailable, activate this policy. Activated if X509Properties.revocationChecker is RESOURCE. Accepted values are:
ALLOW: Allow authentication to proceed.
DENY: Deny authentication and block.
THRESHOLD: Applicable to CRL expiration, throttle the request whereby expired data is permitted up to a threshold period of time but not afterward.
-
crlUnavailablePolicy
String crlUnavailablePolicy
If the CRL is unavailable, activate this policy. Activated if X509Properties.revocationChecker is CRL. Accepted values are:
ALLOW: Allow authentication to proceed.
DENY: Deny authentication and block.
THRESHOLD: Applicable to CRL expiration, throttle the request whereby expired data is permitted up to a threshold period of time but not afterward.
-
extractCert
boolean extractCert
Whether to extract the certificate from the request. The default implementation extracts the certificate from a header via Tomcat SSLValve parsing logic, using the X509Properties.DEFAULT_CERT_HEADER_NAME header. Must be false by default: whoever enables it needs to make sure CAS sits behind a proxy that won't let the header arrive directly from the browser, since otherwise a client could supply an arbitrary certificate in the header. -
ldap
X509LdapProperties ldap
LDAP settings when fetching CRLs from LDAP. -
maxPathLength
int maxPathLength
Deployer supplied setting for maximum pathLength in a SUPPLIED certificate. -
maxPathLengthAllowUnspecified
boolean maxPathLengthAllowUnspecified
Deployer supplied setting to allow unlimited pathLength in a SUPPLIED certificate. -
mixedMode
boolean mixedMode
Determine whether X509 authentication should allow other forms of authentication such as username/password. If this setting is turned off, typically the ability to view the login form as the primary form of authentication is turned off. -
name
String name
The authentication handler name. -
order
int order
The order of the authentication handler in the chain. -
principal
PersonDirectoryPrincipalResolverProperties principal
Principal resolution properties. -
principalDescriptor
String principalDescriptor
The principal descriptor used for principal resolution when type is set toX509Properties.PrincipalTypes.SUBJECT
. -
principalTransformation
PrincipalTransformationProperties principalTransformation
Principal transformation properties. -
principalType
X509Properties.PrincipalTypes principalType
Indicates the type of principal resolution for X509. -
refreshIntervalSeconds
int refreshIntervalSeconds
The refresh interval of the internal scheduler in cases where CRL revocation checking is done via resources. -
regExSubjectDnPattern
String regExSubjectDnPattern
The pattern that authorizes an acceptable certificate by its subject dn. -
regExTrustedIssuerDnPattern
String regExTrustedIssuerDnPattern
The pattern that authorizes an acceptable certificate by its trusted issuer dn. -
requireKeyUsage
boolean requireKeyUsage
Deployer supplied setting to force require the correct KeyUsage extension. -
revocationChecker
String revocationChecker
Revocation certificate checking can be carried out in one of the following ways:
NONE: No revocation is performed.
CRL: The CRL URI(s) mentioned in the certificate cRLDistributionPoints extension field. Caches are available to prevent excessive IO against CRL endpoints. CRL data is fetched if it does not exist in the cache or if it is expired.
RESOURCE: A CRL hosted at a fixed location. The CRL is fetched at periodic intervals and cached.
-
revocationPolicyThreshold
int revocationPolicyThreshold
Threshold value if expired CRL revocation policy is to be handled via threshold. -
rfc822Email
Rfc822EmailPrincipalResolverProperties rfc822Email
Principal resolver properties for RFC822_EMAIL resolver type. -
serialNo
SerialNoPrincipalResolverProperties serialNo
Principal resolver properties for SERIAL_NO resolver type. -
serialNoDn
SerialNoDnPrincipalResolverProperties serialNoDn
Principal resolver properties for SERIAL_NO_DN resolver type. -
sslHeaderName
String sslHeaderName
The name of the header to consult for an X509 cert (e.g. when behind proxy). -
subjectAltName
SubjectAltNamePrincipalResolverProperties subjectAltName
Principal resolver properties for SUBJECT_ALT_NAME resolver type. -
subjectDn
SubjectDnPrincipalResolverProperties subjectDn
Principal resolver properties for SUBJECT_DN resolver type. -
throwOnFetchFailure
boolean throwOnFetchFailure
When CRL revocation checking is done via distribution points, decide if fetch failures should throw errors. -
webflow
X509WebflowAutoConfigurationProperties webflow
The webflow configuration.
-
-
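The four crl*Policy settings, revocationPolicyThreshold and checkAll above decide what happens when a CRL is stale or cannot be fetched, which is where most X509 deployments quietly fail open. The block below is an added example, not CAS's revocation checker: each CRL is a constructed dictionary (validity deadline plus revoked serials) or None for an unreachable resource, times are epoch-second integers, and treating THRESHOLD as DENY for an unavailable CRL is this example's assumption, since the description only defines THRESHOLD for expiration.

```python
# Constructed CRL snapshots: a CRL is a dict with the time until which it is
# valid (nextUpdate) and the set of revoked serials, or None when the resource
# could not be fetched. All times are epoch seconds.
CRL_FRESH = {"next_update": 1_000, "revoked": {42}}
CRL_STALE = {"next_update": 500, "revoked": {42}}
CRL_UNAVAILABLE = None


def crl_may_be_consulted(crl, now, expired_policy, revocation_policy_threshold):
    """Apply the expired policy to a fetched CRL: True if its contents may be used."""
    if crl["next_update"] >= now:
        return True
    if expired_policy == "ALLOW":
        return True           # stale data is still consulted
    if expired_policy == "DENY":
        return False
    if expired_policy == "THRESHOLD":
        # Expired data is tolerated for revocationPolicyThreshold seconds, not beyond.
        return now - crl["next_update"] <= revocation_policy_threshold
    raise ValueError("unknown policy %r" % expired_policy)


def check_revocation(serial, crls, now, expired_policy="DENY", unavailable_policy="DENY",
                     revocation_policy_threshold=0, check_all=False):
    """Return True if the certificate passes revocation checking.

    CRL resources are examined in order. With check_all=False the first usable
    resource decides (the checkAll setting); with check_all=True every resource
    must pass. ALLOW for an unavailable resource skips it rather than consulting it."""
    for crl in crls:
        if crl is None:
            if unavailable_policy == "ALLOW":
                continue
            return False      # DENY, and THRESHOLD treated as DENY here (assumption)
        if not crl_may_be_consulted(crl, now, expired_policy, revocation_policy_threshold):
            return False
        if serial in crl["revoked"]:
            return False
        if not check_all:
            return True
    return True


if __name__ == "__main__":
    print(check_revocation(7, [CRL_FRESH], now=900))                              # True
    print(check_revocation(42, [CRL_FRESH], now=900))                             # False: revoked
    print(check_revocation(7, [CRL_STALE], now=900))                              # False: expired, DENY
    print(check_revocation(7, [CRL_STALE], now=900, expired_policy="THRESHOLD",
                           revocation_policy_threshold=600))                      # True: 400 s stale
    print(check_revocation(7, [CRL_UNAVAILABLE], now=900, unavailable_policy="ALLOW"))  # True
    print(check_revocation(7, [CRL_FRESH, CRL_STALE], now=900, check_all=True))   # False
```

Note that with checkAll off, an ordering where a fresh resource precedes a stale one hides the stale one entirely; with it on, the stale resource's DENY wins. Pick the ordering and the flag together.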
Class org.apereo.cas.configuration.model.support.x509.X509WebflowAutoConfigurationProperties
class X509WebflowAutoConfigurationProperties extends WebflowAutoConfigurationProperties implements Serializable- serialVersionUID:
- 2744305877450488111L
-
Serialized Fields
-
clientAuth
String clientAuth
Indicate the strategy that should be used to enforce client x509 authentication. Accepted values are true, false, want. -
port
int port
Port that is used to enact x509 client authentication as a separate connector. Configuration of a separate server connector and port allows the separation of client-auth functionality from the rest of the server, allowing for opt-in behavior. To activate, a non-zero port must be specified.
-
-