The error 'map[[empty]]' comes from the fact that the webflow from pac4j doesn't correctly catch the error sent by *AbstractPac4jAuthenticationHandler*.

From my point of view the solution would be to modify the webflow in order to "accept" your exception and to redirect to a new action you have defined.

2 solutions: you can override **org.apereo.cas.web.flow.Pac4jWebflowConfigurer** (faster) or extend the webflow via a new own configuration (nicer).

Modify the webflow by adding a new TransitionExecutingFlowExecutionExceptionHandler or adding a new TransitionSet catching the error into *clientAction*.

See some example from org.apereo.cas.web.flow.configurer.DefaultWebflowConfigurer.

See as well https://github.com/apereo/cas/pull/3138 that shows how the webflow can be modified in the case of pac4j.

On Tuesday, January 23, 2018 at 4:10:34 PM UTC+1, Oscar del Pozo wrote:
> Hi!
>
> I'm migrating from CAS 4.0.5 to 5.2.1 and everything has gone perfect but I'm facing a problem with the Google OAuth authentication.
>
> I have configured a delegate authentication to Google with pac4j successfully but I need to make a modification: only allow the emails which end with *@companyname.com* (I do agree that this kind of thing should not be done at CAS because this is about authorization and not authentication, but I have to).
>
> I have added a new AuthorizationGenerator to the Google2Client instance so, after retrieving the user profile with the *Google2ProfileDefinition* class, I make my validation and in case the user email is not a valid one, I set the profile identifier to blank. The blank identifier causes a *FailedLoginException* at *AbstractPac4jAuthenticationHandler*.
>
> Everything seems to work fine but finally, I get the following exception and the CAS error page is shown.
>
>> 2018-01-23 15:58:48,581 DEBUG [org.pac4j.oauth.profile.creator.OAuth20ProfileCreator] - <add access_token: ya29.Glx....... to profile>
>> 2018-01-23 15:58:48,581 DEBUG [org.pac4j.oauth.profile.google2.Google2Profile] - <adding => key: access_token / value:XXX-XXX / class java.lang.String>
>> 2018-01-23 15:58:48,581 DEBUG [org.pac4j.oauth.client.Google2Client] - <profile: #Google2Profile# | id: 112368488543222222114 | attributes: {name.familyName=del Pozo, emails=[org.pac4j.oauth.profile.google2.Google2Email@64f6a901], access_token=..., gender=MALE, displayName=Oscar del Pozo, name.givenName=Oscar, ... |>
>> 2018-01-23 15:58:49,599 WARN [org.apereo.cas.support.pac4j.oauth.MyProfileAuthorizationGenerator] - <Invalid user email>
>> 2018-01-23 15:58:49,599 DEBUG [org.pac4j.oauth.profile.google2.Google2Profile] - <identifier: >
>> 2018-01-23 15:58:51,789 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=<null>]] of type [ClientCredential].>
>> 2018-01-23 15:58:53,216 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>> =============================================================
>> WHO: null
>> WHAT: Supplied credentials: [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=<null>]]
>> ACTION: AUTHENTICATION_SUCCESS (This is a reported bug, the authentication has actually failed: https://github.com/apereo/inspektr/pull/10)
>> APPLICATION: CAS
>> WHEN: Tue Jan 23 15:58:53 CET 2018
>> CLIENT IP ADDRESS: 192.168.56.1
>> SERVER IP ADDRESS: 192.168.56.1
>> =============================================================
>> >
>> 2018-01-23 15:58:53,247 ERROR [org.springframework.boot.web.support.ErrorPageFilter] - <Forwarding to error page from request [/login] due to exception [Exception thrown executing org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction@848f27e in state 'clientAction' of flow 'login' -- action execution attributes were 'map[[empty]]']>
>> at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> [...]
>> Caused by: org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes
>> at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:400) ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
>> at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:380) ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
>> at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:220) ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
>
> Is my approach correct? Is it possible to not show this CAS error and go to the 403 view?
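As an added illustration of the "extend the webflow via a new own configuration" route suggested in the reply (this is example code written for this thread, not code from the reply, the original post, or the CAS project): a custom CasWebflowConfigurer that attaches a Spring Webflow TransitionExecutingFlowExecutionExceptionHandler to the existing `clientAction` state, so that the AuthenticationException raised when the profile identifier is blank is routed to a dedicated end state instead of falling through to the generic CAS error page. The class names ForbiddenEmailWebflowConfigurer and ForbiddenEmailWebflowConfiguration, the state id `forbiddenEmailView`, the view name `casForbiddenEmailView`, and the bean names used for wiring are all assumptions for this example; the AbstractCasWebflowConfigurer constructor and helper methods follow the CAS 5.2 conventions but should be checked against the exact CAS version in use.

```java
package com.example.cas.webflow; // hypothetical package for this example

import org.apereo.cas.authentication.AuthenticationException;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.web.flow.CasWebflowConfigurer;
import org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import org.springframework.webflow.definition.registry.FlowDefinitionRegistry;
import org.springframework.webflow.engine.Flow;
import org.springframework.webflow.engine.TransitionableState;
import org.springframework.webflow.engine.builder.support.FlowBuilderServices;
import org.springframework.webflow.engine.support.TransitionExecutingFlowExecutionExceptionHandler;

/**
 * Example webflow configurer: when the pac4j delegated authentication action in
 * state "clientAction" throws an AuthenticationException (the case described in
 * the thread, where the profile identifier was blanked because the email domain
 * was not allowed), transition to an end state that renders a 403-style view
 * instead of the generic CAS error page.
 */
class ForbiddenEmailWebflowConfigurer extends AbstractCasWebflowConfigurer {

    // "clientAction" is the state id seen in the stack trace in the original post.
    static final String STATE_ID_CLIENT_ACTION = "clientAction";
    // Assumed names for the new end state and the Thymeleaf view it renders.
    static final String STATE_ID_FORBIDDEN = "forbiddenEmailView";
    static final String VIEW_ID_FORBIDDEN = "casForbiddenEmailView";

    ForbiddenEmailWebflowConfigurer(final FlowBuilderServices flowBuilderServices,
                                    final FlowDefinitionRegistry loginFlowDefinitionRegistry,
                                    final ApplicationContext applicationContext,
                                    final CasConfigurationProperties casProperties) {
        super(flowBuilderServices, loginFlowDefinitionRegistry, applicationContext, casProperties);
    }

    @Override
    protected void doInitialize() {
        final Flow flow = getLoginFlow();
        if (flow == null) {
            return; // login flow not registered in this deployment; nothing to customize
        }

        // 1. An end state that renders the "forbidden" view and terminates the login flow.
        createEndState(flow, STATE_ID_FORBIDDEN, VIEW_ID_FORBIDDEN);

        // 2. Look up the existing pac4j state; it must already exist, so this configurer
        //    has to be initialized after the pac4j webflow configurer (see the @DependsOn below).
        final TransitionableState clientAction = getTransitionableState(flow, STATE_ID_CLIENT_ACTION);

        // 3. Map AuthenticationException thrown inside clientAction to the new end state.
        //    The handler is scoped to this state only, so failures elsewhere in the flow
        //    keep their default handling.
        final TransitionExecutingFlowExecutionExceptionHandler handler =
            new TransitionExecutingFlowExecutionExceptionHandler();
        handler.add(AuthenticationException.class, STATE_ID_FORBIDDEN);
        clientAction.getExceptionHandlerSet().add(handler);
    }
}

/**
 * Registers the configurer as a bean. CAS 5.2 expects initialize() to be invoked
 * from the bean method; the bean name "pac4jWebflowConfigurer" in @DependsOn is the
 * assumed name of the CAS-provided pac4j configurer bean and should be verified.
 */
@Configuration("forbiddenEmailWebflowConfiguration")
@EnableConfigurationProperties(CasConfigurationProperties.class)
public class ForbiddenEmailWebflowConfiguration {

    @Autowired
    private CasConfigurationProperties casProperties;

    @Autowired
    @Qualifier("loginFlowRegistry")
    private FlowDefinitionRegistry loginFlowDefinitionRegistry;

    @Autowired
    private ApplicationContext applicationContext;

    @Autowired
    private FlowBuilderServices flowBuilderServices;

    @Bean
    @DependsOn("pac4jWebflowConfigurer")
    public CasWebflowConfigurer forbiddenEmailWebflowConfigurer() {
        final CasWebflowConfigurer configurer = new ForbiddenEmailWebflowConfigurer(
            flowBuilderServices, loginFlowDefinitionRegistry, applicationContext, casProperties);
        configurer.initialize();
        return configurer;
    }
}
```

The design choice here is to keep the exception handler on the `clientAction` state rather than on the whole flow: the only failure being redirected is the one the thread describes (a rejected email domain surfacing as an AuthenticationException from the pac4j handler), and every other authentication failure still reaches the default CAS handling and audit trail. A Thymeleaf template named after VIEW_ID_FORBIDDEN (an assumed name) must be supplied for the end state to render; it should say only that the account is not permitted, without echoing the attributes retrieved from Google.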
