Hello everyone,
I have successfully configured CAS 5.2.3 to work with CAS and
SPNEGO/Kerberos, but I was not able to restrict SPNEGO to certain
IPs/hostnames.
I looked into the code and I found this class: SpnegoWebflowConfigurer,
with the action "evaluateClientRequest" (which is described in the
configuration here: client-selection-strategy
<https://apereo.github.io/cas/5.2.x/installation/SPNEGO-Authentication.html#client-selection-strategy>
).
I tried to set the parameter cas.authn.spnego.hostNameClientActionStrategy
to hostnameSpnegoClientAction without success, so I removed it since its
default value is "hostnameSpnegoClientAction".
I have a poor understanding of Spring Webflow, but I figured out that this
method is supposed to trigger the "evaluateClientRequest" action
(configured in getHostNameClientActionStrategy):
    private void createEvaluateSpnegoClientAction(final Flow flow) {
        // Action state that runs the configured client-selection strategy bean
        final ActionState evaluateClientRequest = createActionState(flow,
            EVALUATE_SPNEGO_CLIENT,
            createEvaluateAction(casProperties.getAuthn().getSpnego().getHostNameClientActionStrategy()));
        // "yes": the client is a known system, start SPNEGO
        evaluateClientRequest.getTransitionSet().add(createTransition(CasWebflowConstants.TRANSITION_ID_YES,
            START_SPNEGO_AUTHENTICATE));
        // "no": go back to the flow's start state
        evaluateClientRequest.getTransitionSet().add(createTransition(CasWebflowConstants.TRANSITION_ID_NO,
            getStartState(flow)));
    }
However, I don't understand how CAS makes the transition toward the
EVALUATE_SPNEGO_CLIENT state; I tried looking for a transition in the code
but I couldn't find any.
So I copied this class into my overlay project and made a few changes.
First I tried this:
    private void augmentWebflowToStartSpnego(final Flow flow) {
        // Look up the existing "initializeLoginForm" action state
        final ActionState state = getState(flow,
            CasWebflowConstants.STATE_ID_INIT_LOGIN_FORM, ActionState.class);
        // On "success", go to the client evaluation state instead of the login view
        createTransitionForState(state,
            CasWebflowConstants.TRANSITION_ID_SUCCESS, EVALUATE_SPNEGO_CLIENT, true);
    }
And it worked OK as far as the "evaluate" part goes: I could see in the log
the HostNameSpnegoKnownClientSystemsFilterAction class working to decide whether
my request should be authenticated with SPNEGO or CAS.
But then the webflow entered a loop and ended up with a stack overflow
exception.
So I changed this:
    private void createEvaluateSpnegoClientAction(final Flow flow) {
        final ActionState evaluateClientRequest = createActionState(flow,
            EVALUATE_SPNEGO_CLIENT,
            createEvaluateAction(casProperties.getAuthn().getSpnego().getHostNameClientActionStrategy()));
        evaluateClientRequest.getTransitionSet().add(createTransition(CasWebflowConstants.TRANSITION_ID_YES,
            START_SPNEGO_AUTHENTICATE));
        // "no" now targets the login form view rather than the start state,
        // which looped back into the evaluation
        evaluateClientRequest.getTransitionSet().add(createTransition(CasWebflowConstants.TRANSITION_ID_NO,
            CasWebflowConstants.STATE_ID_VIEW_LOGIN_FORM));
    }
And now everything is working.
My questions are:
- Since v5.1.x the CAS documentation skips this step on webflow
configuration: spnego webflow configuration
<https://apereo.github.io/cas/5.0.x/installation/SPNEGO-Authentication.html#webflow-configuration>
(from 5.0.x). Is it on purpose? Does this mean that the webflow should configure
itself regarding the client request evaluation? If so, have I done something
wrong? (I am clueless here; I have the feeling that modifying the class
SpnegoWebflowConfigurer to make it work is somehow a bad practice...)
- If what I did is right, why not make it the default behavior and set
these default values: hostNamePatternString=".+" (already the case)
and ipsToCheckPattern=".+", which would trigger SPNEGO authentication for
every request (if I am right)...
Thank you for your time!
Arnaud
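As an added example (my own code, not CAS's HostNameSpnegoKnownClientSystemsFilterAction and not from this thread), here is a stand-alone model of the yes/no decision the "evaluateClientRequest" action makes, assuming it applies ipsToCheckPattern to the remote address and hostNamePatternString to the client's reverse-DNS name; the sample addresses and patterns are constructed. It contrasts the ".+" values from the question, which send every client into SPNEGO, with patterns scoped to an internal range.

```java
import java.util.regex.Pattern;

// Added example, not CAS code: models the yes/no decision of the
// "evaluateClientRequest" action as described in the thread. Assumption:
// ipsToCheckPattern is applied to the remote IP and hostNamePatternString
// to the client's reverse-DNS name.
public final class SpnegoClientSelectionModel {

    private final Pattern ipsToCheck;       // cas.authn.spnego.ipsToCheckPattern
    private final Pattern hostNamePattern;  // cas.authn.spnego.hostNamePatternString

    public SpnegoClientSelectionModel(String ipsToCheckPattern, String hostNamePatternString) {
        this.ipsToCheck = Pattern.compile(ipsToCheckPattern);
        this.hostNamePattern = Pattern.compile(hostNamePatternString);
    }

    /** Returns "yes" (start SPNEGO) or "no" (show the login form). */
    public String evaluate(String remoteIp, String reverseDnsName) {
        if (!ipsToCheck.matcher(remoteIp).matches()) {
            return "no";   // address outside the allowed range
        }
        if (reverseDnsName == null || reverseDnsName.isEmpty()) {
            return "no";   // reverse lookup failed or timed out: treat as unknown client
        }
        return hostNamePattern.matcher(reverseDnsName).matches() ? "yes" : "no";
    }

    public static void main(String[] args) {
        // The values discussed in the question: every client is challenged for SPNEGO.
        SpnegoClientSelectionModel permissive = new SpnegoClientSelectionModel(".+", ".+");
        // Scoped variant (constructed values): only 10.0.x.x clients whose PTR
        // record ends in .corp.example are sent to SPNEGO.
        SpnegoClientSelectionModel scoped = new SpnegoClientSelectionModel(
                "^10\\.0\\.\\d{1,3}\\.\\d{1,3}$", "^.+\\.corp\\.example$");

        String[][] clients = {                      // constructed sample clients
            {"10.0.12.34", "ws1234.corp.example"},  // domain-joined workstation
            {"203.0.113.7", "gw.isp.example"},      // external client
            {"10.0.12.35", null},                   // internal address, no PTR record
        };
        for (String[] c : clients) {
            System.out.println(c[0] + " -> permissive: " + permissive.evaluate(c[0], c[1])
                    + ", scoped: " + scoped.evaluate(c[0], c[1]));
        }
    }
}
```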
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b50d8a89-217b-4555-b3b8-fcf1fc3a873e%40apereo.org.