I think I know what you mean by "is buggy". I checked the code and it is missing something. The webflow is not configured correctly even if you configure it to use the hostname filter and/or the IP address filter. It just jumps directly to the SPNEGO negotiate transition. I corrected this with the changes I made to the code. There was no way to choose to go directly to SPNEGO or evaluate the client before SPNEGO starts.

Christian Poirier
Mobile: 418-473-2824

2018-05-23 1:58 GMT-04:00 Charles Le Gallic <[email protected]>:

> Ok thanks. Let me know if you can confirm that the current native
> implementation is buggy.
>
> Regards,
>
> Charles
>
> <http://www.amoae.com/>
> 12, impasse du Malrigou, 31140 Montberon
> <https://maps.google.com/?q=12,+impasse+du+Malrigou,%C2%A031140+Montberon&entry=gmail&source=g>
> [email protected] | 06 24 73 04 98 | *amoae.com* <http://amoae.com/>
>
>
> On Wed, 23 May 2018 at 04:46, Christian Poirier <[email protected]> wrote:
>
>> Hi Charles
>>
>> Yes I did, but with my own development and my properties. I will check if
>> I can implement with Client Access Strategy by implementing my own SPNEGO
>> Service Access Strategy
>>
>> Christian Poirier
>> Mobile: 418-473-2824
>>
>> 2018-05-22 1:58 GMT-04:00 Charles Le Gallic <[email protected]>:
>>
>>> Hi Christian,
>>>
>>> Did you manage to make IP-based SPNEGO client selection work on CAS
>>> 5.x?
>>>
>>> In that case, is there any other configuration to set up in addition to
>>> cas.properties configuration?
>>>
>>> Regards,
>>>
>>> Charles
>>>
>>>
>>> On Fri, 18 May 2018 at 14:14, Christian Poirier <[email protected]> wrote:
>>>
>>>> Hi Charles
>>>>
>>>> I am using the 5.3.0-RC3. I illustrated the webflow to see the logic.
>>>> The webflow logic is built in the code.
>>>> I will check if the implementation based on a
>>>> RegisteredServiceAccessStrategy is possible.
>>>>
>>>> Christian Poirier
>>>> Mobile: 418-473-2824
>>>>
>>>> 2018-05-18 1:28 GMT-04:00 Charles Le Gallic <[email protected]>:
>>>>
>>>>> Hi Christian,
>>>>>
>>>>> Which version of CAS do you use?
>>>>>
>>>>> It seems to be a version below CAS 5.0.x (org.jasig packages and XML
>>>>> spring configurations). SPNEGO client selection strategy was working on
>>>>> 4.x version, but I cannot make it work after having upgraded to CAS 5.1.x....
>>>>>
>>>>> Regards,
>>>>>
>>>>> Charles
>>>>>
>>>>>
>>>>> On Thu, 17 May 2018 at 15:25, Christian Poirier <[email protected]> wrote:
>>>>>
>>>>>> Hi Nicolas,
>>>>>>
>>>>>> In our organization, we need to let the user choose between the
>>>>>> default login and SPNEGO upon a list of criteria and sometimes we need to
>>>>>> go directly to the SPNEGO authentication upon other criteria. For this
>>>>>> feature, I extended the SPNEGO module. I show a button with the label
>>>>>> "LOGIN WITH MY WINDOWS ACCOUNT" when the IP address matches a regular
>>>>>> expression. When the service matches a regular expression and the IP
>>>>>> address also matches its regular expression, I force SPNEGO authentication
>>>>>> without giving the user the chance to authenticate otherwise. If none of
>>>>>> the previous conditions are present, then the user must authenticate
>>>>>> normally with his user ID and password.
>>>>>> If you look at the following webflow, you will find this logic inside.
>>>>>>
>>>>>> <var name="credentials" class="org.jasig.cas.authentication.principal.UsernamePasswordCredentials" />
>>>>>>
>>>>>> <on-start>
>>>>>>     <evaluate expression="initialFlowSetupAction" />
>>>>>>     <set name="flowScope.displaySPNegoButton" value="false" />
>>>>>> </on-start>
>>>>>>
>>>>>> <decision-state id="ticketGrantingTicketExistsCheck">
>>>>>>     <if test="flowScope.ticketGrantingTicketId neq null"
>>>>>>         then="hasServiceCheck" else="gatewayRequestCheck" />
>>>>>> </decision-state>
>>>>>>
>>>>>> <decision-state id="gatewayRequestCheck">
>>>>>>     <if test="externalContext.requestParameterMap['gateway'] neq '' &amp;&amp; externalContext.requestParameterMap['gateway'] neq null &amp;&amp; flowScope.service neq null"
>>>>>>         then="gatewayServicesManagementCheck" else="startAuthenticateCheck" />
>>>>>> </decision-state>
>>>>>>
>>>>>> <decision-state id="hasServiceCheck">
>>>>>>     <if test="flowScope.service != null"
>>>>>>         then="renewRequestCheck" else="viewGenericLoginSuccess" />
>>>>>> </decision-state>
>>>>>>
>>>>>> <decision-state id="renewRequestCheck">
>>>>>>     <if test="externalContext.requestParameterMap['renew'] neq '' &amp;&amp; externalContext.requestParameterMap['renew'] neq null"
>>>>>>         then="startAuthenticateCheck" else="generateServiceTicket" />
>>>>>> </decision-state>
>>>>>>
>>>>>> <!--
>>>>>>     The "warn" action makes the determination of whether to redirect
>>>>>>     directly to the requested service or display the "confirmation"
>>>>>>     page to go back to the server.
>>>>>> -->
>>>>>> <decision-state id="warn">
>>>>>>     <if test="flowScope.warnCookieValue" then="showWarningView" else="redirect" />
>>>>>> </decision-state>
>>>>>>
>>>>>> <!--
>>>>>> <action-state id="startAuthenticate">
>>>>>>     <action bean="x509Check" />
>>>>>>     <transition on="success" to="sendTicketGrantingTicket" />
>>>>>>     <transition on="warn" to="warn" />
>>>>>>     <transition on="error" to="generateLoginTicket" />
>>>>>> </action-state>
>>>>>> -->
>>>>>>
>>>>>> <decision-state id="startAuthenticateCheck">
>>>>>>     <if test="externalContext.requestParameterMap['spnego'] neq '' &amp;&amp; externalContext.requestParameterMap['spnego'] neq null &amp;&amp; externalContext.requestParameterMap['spnego'] eq 'off'"
>>>>>>         then="generateLoginTicket" else="spnegoForceCheckAction" />
>>>>>> </decision-state>
>>>>>>
>>>>>> <decision-state id="spnegoForceCheckAction">
>>>>>>     <if test="externalContext.requestParameterMap['forcespnego'] neq '' &amp;&amp; externalContext.requestParameterMap['forcespnego'] neq null &amp;&amp; externalContext.requestParameterMap['forcespnego'] eq 'true'"
>>>>>>         then="spnegoIPCheckAction2" else="spnegoAppCheckAction" />
>>>>>> </decision-state>
>>>>>>
>>>>>> <action-state id="spnegoAppCheckAction">
>>>>>>     <evaluate expression="spNegoAppCheck" />
>>>>>>     <transition on="yes" to="spnegoIPCheckAction2" />
>>>>>>     <transition on="no" to="spnegoIPCheckAction" />
>>>>>> </action-state>
>>>>>>
>>>>>> <action-state id="spnegoIPCheckAction">
>>>>>>     <evaluate expression="spNegoIPCheck" />
>>>>>>     <transition on="yes" to="generateLoginTicket">
>>>>>>         <set name="flowScope.displaySPNegoButton" value="true" />
>>>>>>     </transition>
>>>>>>     <transition on="no" to="generateLoginTicket" />
>>>>>> </action-state>
>>>>>>
>>>>>> <action-state id="spnegoIPCheckAction2">
>>>>>>     <evaluate expression="spNegoIPCheck" />
>>>>>>     <transition on="yes" to="startAuthenticate" />
>>>>>>     <transition on="no" to="generateLoginTicket" />
>>>>>> </action-state>
>>>>>>
>>>>>> <action-state id="startAuthenticate">
>>>>>>     <evaluate expression="negociateSpnego" />
>>>>>>     <transition on="success" to="spnego" />
>>>>>> </action-state>
>>>>>>
>>>>>> <action-state id="spnego">
>>>>>>     <evaluate expression="spnego" />
>>>>>>     <transition on="success" to="sendTicketGrantingTicket" />
>>>>>>     <transition on="error" to="generateLoginTicket" />
>>>>>> </action-state>
>>>>>>
>>>>>> <action-state id="generateLoginTicket">
>>>>>>     <evaluate expression="generateLoginTicketAction.generate(flowRequestContext)" />
>>>>>>     <transition on="success" to="viewLoginForm" />
>>>>>> </action-state>
>>>>>>
>>>>>>
>>>>>> Here are my new spnego.properties
>>>>>> # cas.authn.spnego.spnegoMode=direct: indicates to go directly to
>>>>>> # the SPNEGO by changing the success transition of initialLoginForm
>>>>>> # action-state to startSpnegoAuthenticate
>>>>>> # cas.authn.spnego.spnegoMode=evaluateClient: indicates to evaluate
>>>>>> # the client based on the client action strategy defined in
>>>>>> # evaluateClientActionStrategy.
>>>>>> # It changes the success transition of initialLoginForm action-state to
>>>>>> # evaluateClientRequest
>>>>>> cas.authn.
>>>>>>
>>>>> ...
>
> [Message truncated]
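
The routing that the quoted webflow encodes, from `startAuthenticateCheck` onward, as an added Python model (not code from the thread or from CAS). The two patterns and the `sp_nego_*` functions are constructed stand-ins for the `spNegoIPCheck` and `spNegoAppCheck` beans, whose implementation and properties the messages do not show. Walking it shows that `forcespnego=true` skips only the service check, never the IP check, and that `spnego=off` is honoured before either check runs.

```python
import re

# Constructed patterns; the real values live in the author's spnego.properties,
# which the messages do not show.
IP_PATTERN = re.compile(r"10\.20\.\d{1,3}\.\d{1,3}")
SERVICE_PATTERN = re.compile(r"https://intranet\.example\.org/.*")


def sp_nego_ip_check(client_ip):
    """Stand-in for the spNegoIPCheck bean: 'yes' only if the whole address matches."""
    return "yes" if IP_PATTERN.fullmatch(client_ip) else "no"


def sp_nego_app_check(service):
    """Stand-in for the spNegoAppCheck bean: 'yes' only if the service URL matches."""
    return "yes" if service and SERVICE_PATTERN.fullmatch(service) else "no"


def route(client_ip, service=None, params=None):
    """Walk the webflow states from startAuthenticateCheck onward.

    Returns (final_state, display_spnego_button, visited_states).
    """
    params = params or {}
    button = False                      # flowScope.displaySPNegoButton, set in on-start
    path = ["startAuthenticateCheck"]

    if params.get("spnego") == "off":   # explicit opt-out is evaluated first
        path.append("generateLoginTicket")
        return path[-1], button, path

    path.append("spnegoForceCheckAction")
    if params.get("forcespnego") == "true":
        gate = "spnegoIPCheckAction2"   # skips the service check, not the IP check
    else:
        path.append("spnegoAppCheckAction")
        gate = ("spnegoIPCheckAction2" if sp_nego_app_check(service) == "yes"
                else "spnegoIPCheckAction")
    path.append(gate)

    ip_ok = sp_nego_ip_check(client_ip) == "yes"
    if gate == "spnegoIPCheckAction2" and ip_ok:
        path.append("startAuthenticate")    # SPNEGO negotiation begins
    else:
        button = gate == "spnegoIPCheckAction" and ip_ok
        path.append("generateLoginTicket")  # ordinary login form
    return path[-1], button, path
```

Using `fullmatch` rather than an unanchored search keeps an address such as `110.20.1.5` from satisfying a pattern written for `10.20.x.x`.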
