Redis FIDO2 WebAuthn Multifactor Registration
Device registrations may be kept inside a Redis database instance by including the following module in the WAR overlay:
1
2
3
4
5
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-webauthn-redis</artifactId>
<version>${cas.version}</version>
</dependency>
1
implementation "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"
1
2
3
4
5
6
7
8
9
dependencyManagement {
imports {
mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"
}
}
dependencies {
implementation "org.apereo.cas:cas-server-support-webauthn-redis"
}
1
2
3
4
5
6
7
8
9
10
dependencies {
/*
The following platform references should be included automatically and are listed here for reference only.
implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
*/
implementation "org.apereo.cas:cas-server-support-webauthn-redis"
}
The following settings and properties are available from the CAS configuration catalog:
cas.authn.mfa.web-authn.redis.cluster.nodes[0].host=
Server's host address.
|
cas.authn.mfa.web-authn.redis.cluster.nodes[0].port=
Server's port number.
|
cas.authn.mfa.web-authn.redis.cluster.nodes[0].replica-of=
Set the id of the master node.
|
cas.authn.mfa.web-authn.redis.cluster.nodes[0].type=
Indicate the type/role of this node.
Accepted values are:
|
cas.authn.mfa.web-authn.redis.cluster.password=
The cluster connection's password.
|
cas.authn.mfa.web-authn.redis.pool.enabled=false
Enable the pooling configuration.
|
cas.authn.mfa.web-authn.redis.sentinel.master=
Name of Redis server.
|
cas.authn.mfa.web-authn.redis.database=0
Database index used by the connection factory.
|
cas.authn.mfa.web-authn.redis.enabled=true
Whether the module is enabled or not, defaults to true.
|
cas.authn.mfa.web-authn.redis.host=localhost
Redis server host.
|
cas.authn.mfa.web-authn.redis.password=
Login password of the redis server.
|
cas.authn.mfa.web-authn.redis.port=6379
Redis server port.
|
cas.authn.mfa.web-authn.redis.cluster.adaptive-topology-refresh=false
Whether adaptive topology refreshing using all available refresh triggers should be used.
|
cas.authn.mfa.web-authn.redis.cluster.dynamic-refresh-sources=true
Whether to discover and query all cluster nodes for obtaining the cluster topology. When set to false, only the initial seed nodes are used as sources for topology discovery.
|
cas.authn.mfa.web-authn.redis.cluster.max-redirects=0
The max number of redirects to follow.
|
cas.authn.mfa.web-authn.redis.cluster.nodes=
List of nodes available in the redis cluster.
|
cas.authn.mfa.web-authn.redis.cluster.nodes[0].id=
Identifier of this node.
|
cas.authn.mfa.web-authn.redis.cluster.nodes[0].name=
Name of this node.
|
cas.authn.mfa.web-authn.redis.cluster.topology-refresh-period=
Enables periodic refresh of cluster topology and sets the refresh period. This settings supports the
|
cas.authn.mfa.web-authn.redis.pool.fairness=false
Returns whether or not the pool serves threads waiting to borrow objects fairly. True means that waiting threads are served as if waiting in a FIFO queue.
|
cas.authn.mfa.web-authn.redis.pool.lifo=true
Returns whether the pool has LIFO (last in, first out) behaviour with respect to idle objects - always returning the most recently used object from the pool, or as a FIFO (first in, first out) queue, where the pool always returns the oldest object in the idle object pool.
|
cas.authn.mfa.web-authn.redis.pool.max-active=8
Max number of connections that can be allocated by the pool at a given time. Use a negative value for no limit.
|
cas.authn.mfa.web-authn.redis.pool.max-idle=8
Max number of "idle" connections in the pool. Use a negative value to indicate an unlimited number of idle connections.
|
cas.authn.mfa.web-authn.redis.pool.max-wait=-1
Maximum amount of time (in milliseconds) a connection allocation should block before throwing an exception when the pool is exhausted. Use a negative value to block indefinitely.
|
cas.authn.mfa.web-authn.redis.pool.min-evictable-idle-time-millis=0
Sets the minimum amount of time an object may sit idle in the pool before it is eligible for eviction by the idle object evictor (if any - see setTimeBetweenEvictionRunsMillis(long)). When non-positive, no objects will be evicted from the pool due to idle time alone.
|
cas.authn.mfa.web-authn.redis.pool.min-idle=0
Target for the minimum number of idle connections to maintain in the pool. This setting only has an effect if it is positive.
|
cas.authn.mfa.web-authn.redis.pool.num-tests-per-eviction-run=0
Sets the maximum number of objects to examine during each run (if any) of the idle object evictor thread. When positive, the number of tests performed for a run will be the minimum of the configured value and the number of idle instances in the pool. When negative, the number of tests performed will be ceil(getNumIdle()/ abs(getNumTestsPerEvictionRun())) which means that when the value is -n roughly one nth of the idle objects will be tested per run.
|
cas.authn.mfa.web-authn.redis.pool.soft-min-evictable-idle-time-millis=0
Sets the minimum amount of time an object may sit idle in the pool before it is eligible for eviction by the idle object evictor (if any - see setTimeBetweenEvictionRunsMillis(long)), with the extra condition that at least minIdle object instances remain in the pool. This setting is overridden by getMinEvictableIdleTimeMillis() (that is, if getMinEvictableIdleTimeMillis() is positive, then getSoftMinEvictableIdleTimeMillis() is ignored).
|
cas.authn.mfa.web-authn.redis.pool.test-on-borrow=false
Returns whether objects borrowed from the pool will be validated before being returned from the borrowObject() method. Validation is performed by the validateObject() method of the factory associated with the pool. If the object fails to validate, it will be removed from the pool and destroyed, and a new attempt will be made to borrow an object from the pool.
|
cas.authn.mfa.web-authn.redis.pool.test-on-create=false
Returns whether objects created for the pool will be validated before being returned from the borrowObject() method. Validation is performed by the validateObject() method of the factory associated with the pool. If the object fails to validate, then borrowObject() will fail.
|
cas.authn.mfa.web-authn.redis.pool.test-on-return=false
Returns whether objects borrowed from the pool will be validated when they are returned to the pool via the returnObject() method. Validation is performed by the validateObject() method of the factory associated with the pool. Returning objects that fail validation are destroyed rather then being returned the pool.
|
cas.authn.mfa.web-authn.redis.pool.test-while-idle=false
Returns whether objects sitting idle in the pool will be validated by the idle object evictor ( if any - see setTimeBetweenEvictionRunsMillis(long)). Validation is performed by the validateObject() method of the factory associated with the pool. If the object fails to validate, it will be removed from the pool and destroyed.
|
cas.authn.mfa.web-authn.redis.sentinel.node=
list of host:port pairs.
|
cas.authn.mfa.web-authn.redis.connect-timeout=PT10S
Connection timeout. This settings supports the
|
cas.authn.mfa.web-authn.redis.protocol-version=RESP3
Redis protocol version.
|
cas.authn.mfa.web-authn.redis.read-from=
Setting that describes how Lettuce routes read operations to replica nodes. Note that modes referencing MASTER/SLAVE are deprecated (but still supported) in the Lettuce redis client dependency so migrate config to UPSTREAM/REPLICA. Available values are as follows:
|
cas.authn.mfa.web-authn.redis.scan-count=0
Redis scan count option. When and if specified, SCAN operations would be "counted" or limited by this serting. While SCAN does not provide guarantees about the number of elements returned at every iteration, it is possible to empirically adjust the behavior of SCAN using the COUNT option. Basically with COUNT the user specified the amount of work that should be done at every call in order to retrieve elements from the collection. This is just a hint for the implementation, however generally speaking this is what you could expect most of the times from the implementation.
|
cas.authn.mfa.web-authn.redis.share-native-connections=
The shared native connection is never closed by Lettuce connection, therefore it is not validated by default when connections are retrieved. If this setting is
|
cas.authn.mfa.web-authn.redis.timeout=PT60S
Command timeout. This settings supports the
|
cas.authn.mfa.web-authn.redis.uri=
Database URI.
|
cas.authn.mfa.web-authn.redis.use-ssl=false
Whether or not to use SSL for connection factory.
|
Configuration Metadata
The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.
Be Selective
This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.
YAGNI
Note that for nearly ALL use cases, declaring and configuring properties listed here is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.
Naming Convention
Property names can be specified in very relaxed terms. For instance cas.someProperty
, cas.some-property
, cas.some_property
are all valid names. While all
forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where
this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those
that might be presented to the system via an external library or framework such as Spring Boot, etc.
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
Settings and properties that are controlled by the CAS platform directly always begin with the prefix cas
. All other settings are controlled and provided
to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with
the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition
or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the
way you intend.
Validation
Configuration properties are automatically validated on CAS startup to report issues with configuration binding, specially if defined CAS settings cannot be
recognized or validated by the configuration schema. The validation process is on by default and can be skipped on startup using a special system
property SKIP_CONFIG_VALIDATION
that should be set to true
. Additional validation processes are also handled
via Configuration Metadata and property migrations applied automatically on
startup by Spring Boot and family.
Indexed Settings
CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value
. The index [0]
is meant to be
incremented by the adopter to allow for distinct multiple configuration blocks.