Hi Charles,

Yes, I did, but with my own development and my properties. I will check if I can implement it with Client Access Strategy by implementing my own SPNEGO Service Access Strategy.

Christian Poirier
Mobile: 418-473-2824

2018-05-22 1:58 GMT-04:00 Charles Le Gallic <[email protected]>:

> Hi Christian,
>
> Did you manage to make IP based SPNEGO client selection work on CAS 5.x?
>
> In that case, is there any other configuration to set up in addition to
> cas.properties configuration?
>
> Regards,
>
> Charles
>
> <http://www.amoae.com/>
> 12, impasse du Malrigou, 31140 Montberon
> [email protected] | 06 24 73 04 98 | *amoae.com* <http://amoae.com/>
>
> On Fri, 18 May 2018 at 14:14, Christian Poirier <[email protected]> wrote:
>
>> Hi Charles
>>
>> I am using the 5.3.0-RC3. I illustrated the webflow to see the logic. The
>> webflow logic is built in the code.
>> I will check if the implementation based on a
>> RegisteredServiceAccessStrategy is possible.
>>
>> Christian Poirier
>>
>> 2018-05-18 1:28 GMT-04:00 Charles Le Gallic <[email protected]>:
>>
>>> Hi Christian,
>>>
>>> Which version of CAS do you use?
>>>
>>> It seems to be a version below CAS 5.0.x (org.jasig packages and XML
>>> spring configurations). SPNEGO client selection strategy was working on 4.x
>>> version, but I cannot make it work after having upgraded to CAS 5.1.x....
>>>
>>> Regards,
>>>
>>> Charles
>>>
>>> On Thu, 17 May 2018 at 15:25, Christian Poirier <[email protected]> wrote:
>>>
>>>> Hi Nicholas,
>>>>
>>>> In our organization, we need to let the user choose between the default
>>>> login and SPNEGO upon a list of criteria and sometimes we need to go
>>>> directly to the SPNEGO authentication upon other criteria. For this
>>>> feature, I extended the SPNEGO module. I show a button with the label
>>>> "LOGIN WITH MY WINDOWS ACCOUNT" when the IP address matches a regular
>>>> expression. When the service matches a regular expression and the IP
>>>> address also matches its regular expression, I force SPNEGO authentication
>>>> without giving the user the chance to authenticate otherwise. If none of
>>>> the previous conditions are present, then the user must authenticate
>>>> normally with his user ID and password.
>>>> If you look at the following webflow, you will find this logic inside.
>>>>
>>>> <var name="credentials" class="org.jasig.cas.authentication.principal.UsernamePasswordCredentials" />
>>>>
>>>> <on-start>
>>>>     <evaluate expression="initialFlowSetupAction" />
>>>>     <set name="flowScope.displaySPNegoButton" value="false" />
>>>> </on-start>
>>>>
>>>> <decision-state id="ticketGrantingTicketExistsCheck">
>>>>     <if test="flowScope.ticketGrantingTicketId neq null" then="hasServiceCheck" else="gatewayRequestCheck" />
>>>> </decision-state>
>>>>
>>>> <decision-state id="gatewayRequestCheck">
>>>>     <if test="externalContext.requestParameterMap['gateway'] neq '' &amp;&amp; externalContext.requestParameterMap['gateway'] neq null &amp;&amp; flowScope.service neq null"
>>>>         then="gatewayServicesManagementCheck" else="startAuthenticateCheck" />
>>>> </decision-state>
>>>>
>>>> <decision-state id="hasServiceCheck">
>>>>     <if test="flowScope.service != null" then="renewRequestCheck" else="viewGenericLoginSuccess" />
>>>> </decision-state>
>>>>
>>>> <decision-state id="renewRequestCheck">
>>>>     <if test="externalContext.requestParameterMap['renew'] neq '' &amp;&amp; externalContext.requestParameterMap['renew'] neq null"
>>>>         then="startAuthenticateCheck" else="generateServiceTicket" />
>>>> </decision-state>
>>>>
>>>> <!--
>>>>     The "warn" action makes the determination of whether to redirect
>>>>     directly to the requested service or display the "confirmation" page
>>>>     to go back to the server.
>>>> -->
>>>> <decision-state id="warn">
>>>>     <if test="flowScope.warnCookieValue" then="showWarningView" else="redirect" />
>>>> </decision-state>
>>>>
>>>> <!--
>>>> <action-state id="startAuthenticate">
>>>>     <action bean="x509Check" />
>>>>     <transition on="success" to="sendTicketGrantingTicket" />
>>>>     <transition on="warn" to="warn" />
>>>>     <transition on="error" to="generateLoginTicket" />
>>>> </action-state>
>>>> -->
>>>>
>>>> <decision-state id="startAuthenticateCheck">
>>>>     <if test="externalContext.requestParameterMap['spnego'] neq '' &amp;&amp; externalContext.requestParameterMap['spnego'] neq null &amp;&amp; externalContext.requestParameterMap['spnego'] eq 'off'"
>>>>         then="generateLoginTicket" else="spnegoForceCheckAction" />
>>>> </decision-state>
>>>>
>>>> <decision-state id="spnegoForceCheckAction">
>>>>     <if test="externalContext.requestParameterMap['forcespnego'] neq '' &amp;&amp; externalContext.requestParameterMap['forcespnego'] neq null &amp;&amp; externalContext.requestParameterMap['forcespnego'] eq 'true'"
>>>>         then="spnegoIPCheckAction2" else="spnegoAppCheckAction" />
>>>> </decision-state>
>>>>
>>>> <action-state id="spnegoAppCheckAction">
>>>>     <evaluate expression="spNegoAppCheck" />
>>>>     <transition on="yes" to="spnegoIPCheckAction2" />
>>>>     <transition on="no" to="spnegoIPCheckAction" />
>>>> </action-state>
>>>>
>>>> <action-state id="spnegoIPCheckAction">
>>>>     <evaluate expression="spNegoIPCheck" />
>>>>     <transition on="yes" to="generateLoginTicket">
>>>>         <set name="flowScope.displaySPNegoButton" value="true" />
>>>>     </transition>
>>>>     <transition on="no" to="generateLoginTicket" />
>>>> </action-state>
>>>>
>>>> <action-state id="spnegoIPCheckAction2">
>>>>     <evaluate expression="spNegoIPCheck" />
>>>>     <transition on="yes" to="startAuthenticate" />
>>>>     <transition on="no" to="generateLoginTicket" />
>>>> </action-state>
>>>>
>>>> <action-state id="startAuthenticate">
>>>>     <evaluate expression="negociateSpnego" />
>>>>     <transition on="success" to="spnego" />
>>>> </action-state>
>>>>
>>>> <action-state id="spnego">
>>>>     <evaluate expression="spnego" />
>>>>     <transition on="success" to="sendTicketGrantingTicket" />
>>>>     <transition on="error" to="generateLoginTicket" />
>>>> </action-state>
>>>>
>>>> <action-state id="generateLoginTicket">
>>>>     <evaluate expression="generateLoginTicketAction.generate(flowRequestContext)" />
>>>>     <transition on="success" to="viewLoginForm" />
>>>> </action-state>
>>>>
>>>> Here are my new spnego.properties
>>>>
>>>> # cas.authn.spnego.spnegoMode=direct: indicates to go directly to the
>>>> #   SPNEGO by changing the success transition of initialLoginForm
>>>> #   action-state to startSpnegoAuthenticate
>>>> # cas.authn.spnego.spnegoMode=evaluateClient: indicates to evaluate
>>>> #   the client based on the client action strategy defined in
>>>> #   evaluateClientActionStrategy. It changes the success transition of
>>>> #   initialLoginForm action-state to evaluateClientRequest
>>>> cas.authn.spnego.spnegoMode=evaluateClient|direct
>>>> # The following property is deprecated
>>>> #cas.authn.spnego.hostNameClientActionStrategy=serviceNameSpnegoClientAction
>>>> # cas.authn.spnego.evaluateClientActionStrategy=hostnameSpnegoClientAction
>>>> #   where CAS checks to see if the request's remote hostname matches a
>>>> #   predefined pattern
>>>> # cas.authn.spnego.evaluateClientActionStrategy=ldapSpnegoClientAction
>>>> #   where CAS checks an LDAP instance for the remote hostname,
>>>> #   to locate a pre-defined attribute whose mere existence would allow
>>>> #   the webflow to resume to SPNEGO
>>>> # cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction
>>>> #   where CAS checks if the service corresponds to a regularExpression
>>>> #   defined in serviceNamePatternString and the ip corresponds to
>>>> #   ipsToCheckPattern implemented in baseSpnegoClientAction
>>>> cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction
>>>> cas.authn.spnego.ipsToCheckPattern=((127\.0)|(122.110))(\.[0-9]{1,3}){2}
>>>> cas.authn.spnego.serviceNamePatternString=(app1\.domain\.ca)|(app2\.domain\.ca)
>>>>
>>>> It works well for me. If you want it, I could send you the code.
>>>>
>>>> On Thursday, 17 May 2018 at 01:47:54 UTC-4, Nicholas Wylie wrote:
>>>>>
>>>>> Hi CAS Community,
>>>>>
>>>>> I've successfully configured CAS 5.2 with LDAP/SPNEGO authentication
>>>>> against our Active Directory.
>>>>>
>>>>> What we have noticed though is that non-domain joined computers see a
>>>>> pop-up prompt for credentials when they visit the CAS login page. From my
>>>>> reading, I believe we can fix this by configuring the LDAP Client
>>>>> Selection Strategy for SPNEGO, but the documentation for which
>>>>> properties need to be configured seems to be a bit scarce.
>>>>>
>>>>> Can someone offer any guidance (or a link to some documentation) as to
>>>>> which properties I need to configure to use the LDAP Client Selection
>>>>> Strategy?
>>>>>
>>>>> Thanks,
>>>>> Nicholas

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bg7XAmpO92GcfUF%3DZ81TA497%3DxzaYGABewiGV%2ByRy6hFJh2qg%40mail.gmail.com.
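
The routing that the quoted webflow and spnego.properties describe, written out as a small test harness. This is an added example, not code from the thread or from CAS. The class name, `route`, `IPS_STRICT` and the sample requests are constructed here, and the thread does not say whether the real extension matches the patterns in full or in part, so full matching of the IP and partial matching of the service URL are assumptions.

```java
import java.util.regex.Pattern;

public class SpnegoClientSelection {
    enum Route { FORM_LOGIN, FORM_LOGIN_WITH_SPNEGO_BUTTON, SPNEGO }

    // Patterns as posted in the thread, with the e-mail line wraps removed.
    static final Pattern IPS = Pattern.compile("((127\\.0)|(122.110))(\\.[0-9]{1,3}){2}");
    static final Pattern SERVICES = Pattern.compile("(app1\\.domain\\.ca)|(app2\\.domain\\.ca)");
    // Tightened IP pattern (added here): dots escaped, octets limited to 0-255.
    static final Pattern IPS_STRICT = Pattern.compile(
        "(127\\.0|122\\.110)(\\.(25[0-5]|2[0-4][0-9]|1?[0-9]{1,2})){2}");

    // Mirrors the decision states of the quoted webflow. Assumptions: the IP must
    // match the pattern in full; the service pattern may match anywhere in the URL.
    static Route route(Pattern ips, String ip, String service, String spnego, String force) {
        if ("off".equals(spnego)) return Route.FORM_LOGIN;       // startAuthenticateCheck
        boolean ipOk = ip != null && ips.matcher(ip).matches();   // spNegoIPCheck
        boolean appOk = service != null && SERVICES.matcher(service).find(); // spNegoAppCheck
        if ("true".equals(force) || appOk)                        // spnegoForceCheckAction
            return ipOk ? Route.SPNEGO : Route.FORM_LOGIN;        // spnegoIPCheckAction2
        return ipOk ? Route.FORM_LOGIN_WITH_SPNEGO_BUTTON         // spnegoIPCheckAction
                    : Route.FORM_LOGIN;
    }

    public static void main(String[] args) {
        // Constructed requests: remote IP, service URL, spnego, forcespnego.
        // The last two are not valid addresses; they show that the posted
        // pattern is wider than the two ranges it names.
        String[][] requests = {
            {"127.0.0.1", "https://app1.domain.ca/home", null, null},
            {"127.0.0.1", "https://other.domain.ca/", null, null},
            {"127.0.0.1", "https://other.domain.ca/", null, "true"},
            {"127.0.0.1", "https://app1.domain.ca/home", "off", null},
            {"10.1.2.3", "https://app1.domain.ca/home", null, null},
            {"127.0.999.999", "https://app1.domain.ca/home", null, null},
            {"122x110.1.1", "https://app1.domain.ca/home", null, null},
        };
        for (String[] r : requests) {
            System.out.printf("%-14s %-28s spnego=%-4s force=%-4s posted=%s strict=%s%n",
                r[0], r[1], r[2], r[3],
                route(IPS, r[0], r[1], r[2], r[3]),
                route(IPS_STRICT, r[0], r[1], r[2], r[3]));
        }
    }
}
```

Running the same table against your own `ipsToCheckPattern` and `serviceNamePatternString` before deploying shows which clients would be forced into SPNEGO, which would only see the button, and which fall back to the login form.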
