Hi, I'm glad to see that you confirm the bug. I'll try to make a Pull Request, but I need to set up a full CAS dev env before.
Regards,
Charles

On Wednesday, 23 May 2018 at 18:59:17 UTC+2, Christian Poirier wrote:
>
> I think I know what you mean by "is buggy". I checked the code and it misses
> something. The webflow is not configured correctly even if you configure to
> use hostname filter and/or IP address filter. It just jumps directly to
> SPNEGO negotiate transition. I corrected this with the changes I made to
> the code. There was no way to choose to go directly to SPNEGO or evaluate
> the client before SPNEGO starts.
>
> Christian Poirier
> Mobile: 418-473-2824
>
> 2018-05-23 1:58 GMT-04:00 Charles Le Gallic <[email protected]>:
>
>> Ok thanks. Let me know if you can confirm that current native
>> implementation is buggy.
>>
>> Regards,
>>
>> Charles
>>
>> <http://www.amoae.com/>
>> 12, impasse du Malrigou, 31140 Montberon
>> [email protected] | 06 24 73 04 98 | *amoae.com* <http://amoae.com/>
>>
>> On Wed, 23 May 2018 at 04:46, Christian Poirier <[email protected]> wrote:
>>
>>> Hi Charles
>>>
>>> Yes I did, but with my own development and my properties. I will check
>>> if I can implement with Client Access Strategy by implementing my own
>>> SPNEGO Service Access Strategy
>>>
>>> Christian Poirier
>>> Mobile: 418-473-2824
>>>
>>> 2018-05-22 1:58 GMT-04:00 Charles Le Gallic <[email protected]>:
>>>
>>>> Hi Christian,
>>>>
>>>> Did you manage to make IP-based SPNEGO client selection work on CAS
>>>> 5.x?
>>>>
>>>> In that case, is there any other configuration to set up in addition to
>>>> the cas.properties configuration?
>>>>
>>>> Regards,
>>>>
>>>> Charles
>>>>
>>>> <http://www.amoae.com/>
>>>> 12, impasse du Malrigou, 31140 Montberon
>>>> [email protected] | 06 24 73 04 98 | *amoae.com* <http://amoae.com/>
>>>>
>>>> On Fri, 18 May 2018 at 14:14, Christian Poirier <[email protected]> wrote:
>>>>
>>>>> Hi Charles
>>>>>
>>>>> I am using the 5.3.0-RC3. I illustrated the webflow to see the logic.
>>>>> The webflow logic is built in the code.
>>>>> I will check if the implementation based on a
>>>>> RegisteredServiceAccessStrategy is possible.
>>>>>
>>>>> Christian Poirier
>>>>> Mobile: 418-473-2824
>>>>>
>>>>> 2018-05-18 1:28 GMT-04:00 Charles Le Gallic <[email protected]>:
>>>>>
>>>>>> Hi Christian,
>>>>>>
>>>>>> Which version of CAS do you use?
>>>>>>
>>>>>> It seems to be a version below CAS 5.0.x (org.jasig packages and XML
>>>>>> Spring configurations). SPNEGO client selection strategy was working on
>>>>>> 4.x version, but I cannot make it work after having upgraded to CAS 5.1.x...
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Charles
>>>>>>
>>>>>> <http://www.amoae.com/>
>>>>>> 12, impasse du Malrigou, 31140 Montberon
>>>>>> [email protected] | 06 24 73 04 98 | *amoae.com* <http://amoae.com/>
>>>>>>
>>>>>> On Thu, 17 May 2018 at 15:25, Christian Poirier <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Nicolas,
>>>>>>>
>>>>>>> In our organization, we need to let the user choose between the
>>>>>>> default login and SPNEGO upon a list of criteria, and sometimes we need
>>>>>>> to go directly to the SPNEGO authentication upon other criteria. For this
>>>>>>> feature, I extended the SPNEGO module. I show a button with the label
>>>>>>> "LOGIN WITH MY WINDOWS ACCOUNT" when the IP address matches a regular
>>>>>>> expression. When the service matches a regular expression and the IP
>>>>>>> address also matches its regular expression, I force SPNEGO
>>>>>>> authentication without giving the user the chance to authenticate
>>>>>>> otherwise. If none of the previous conditions are present, then the user
>>>>>>> must authenticate normally with his user ID and password.
>>>>>>> If you look at the following webflow, you will find this logic inside.
>>>>>>>
>>>>>>> <var name="credentials" class="org.jasig.cas.authentication.principal.UsernamePasswordCredentials" />
>>>>>>>
>>>>>>> <on-start>
>>>>>>>     <evaluate expression="initialFlowSetupAction" />
>>>>>>>     <set name="flowScope.displaySPNegoButton" value="false" />
>>>>>>> </on-start>
>>>>>>>
>>>>>>> <decision-state id="ticketGrantingTicketExistsCheck">
>>>>>>>     <if test="flowScope.ticketGrantingTicketId neq null" then="hasServiceCheck" else="gatewayRequestCheck" />
>>>>>>> </decision-state>
>>>>>>>
>>>>>>> <decision-state id="gatewayRequestCheck">
>>>>>>>     <if test="externalContext.requestParameterMap['gateway'] neq '' && externalContext.requestParameterMap['gateway'] neq null && flowScope.service neq null" then="gatewayServicesManagementCheck" else="startAuthenticateCheck" />
>>>>>>> </decision-state>
>>>>>>>
>>>>>>> <decision-state id="hasServiceCheck">
>>>>>>>     <if test="flowScope.service != null" then="renewRequestCheck" else="viewGenericLoginSuccess" />
>>>>>>> </decision-state>
>>>>>>>
>>>>>>> <decision-state id="renewRequestCheck">
>>>>>>>     <if test="externalContext.requestParameterMap['renew'] neq '' && externalContext.requestParameterMap['renew'] neq null" then="startAuthenticateCheck" else="generateServiceTicket" />
>>>>>>> </decision-state>
>>>>>>>
>>>>>>> <!--
>>>>>>>     The "warn" action makes the determination of whether to redirect directly to the requested
>>>>>>>     service or display the "confirmation" page to go back to the server.
>>>>>>> -->
>>>>>>> <decision-state id="warn">
>>>>>>>     <if test="flowScope.warnCookieValue" then="showWarningView" else="redirect" />
>>>>>>> </decision-state>
>>>>>>>
>>>>>>> <!--
>>>>>>> <action-state id="startAuthenticate">
>>>>>>>     <action bean="x509Check" />
>>>>>>>     <transition on="success" to="sendTicketGrantingTicket" />
>>>>>>>     <transition on="warn" to="warn" />
>>>>>>>     <transition on="error" to="generateLoginTicket" />
>>>>>>> </action-state>
>>>>>>> -->
>>>>>>>
>>>>>>> <decision-state id="startAuthenticateCheck">
>>>>>>>     <if test="externalContext.requestParameterMap['spnego'] neq '' && externalContext.requestParameterMap['spnego'] neq null && externalContext.requestParameterMap['spnego'] eq 'off'" then="generateLoginTicket" else="spnegoForceCheckAction" />
>>>>>>> </decision-state>
>>>>>>>
>>>>>>> <decision-state id="spnegoForceCheckAction">
>>>>>>>     <if test="externalContext.requestParameterMap['forcespnego'] neq '' && externalContext.requestParameterMap['forcespnego'] neq null && externalContext.requestParameterMap['forcespnego'] eq 'true'" then="spnegoIPCheckAction2" else="spnegoAppCheckAction" />
>>>>>>> </decision-state>
>>>>>>>
>>>>>>> <action-state id="spnegoAppCheckAction">
>>>>>>>     <evaluate expression="spNegoAppCheck" />
>>>>>>>     <transition on="yes" to="spnegoIPCheckAction2" />
>>>>>>>     <transition on="no" to="spnegoIPCheckAction" />
>>>>>>> </action-state>
>>>>>>>
>>>>>>> <action-state id="spnegoIPCheckAction">
>>>>>>>     <evaluate expression="spNegoIPCheck" />
>>>>>>>     <transition on="yes" to="generateLoginTicket">
>>>>>>>         <set name="flowScope.displaySPNegoButton" value="true" />
>>>>>>>     </transition>
>>>>>>>     <transition on="no" to="generateLoginTicket" />
>>>>>>> </action-state>
>>>>>>>
>>>>>>> <action-state id="spnegoIPCheckAction2">
>>>>>>>     <evaluate expression="spNegoIPCheck" />
>>>>>>>     <transition on="yes" to="startAuthenticate" />
>>>>>>>     <transition on="no" to="generateLoginTicket" />
>>>>>>> </action-state>
>>>>>>>
>>>>>>> <action-state id="startAuthenticate">
>>>>>>>     <evaluate expression="negociateSpnego" />
>>>>>>>     <transition on="success" to="spnego" />
>>>>>>> </action-state>
>>>>>>>
>>>>>>> <action-state id="spnego">
>>>>>>>     <evaluate expression="spnego" />
>>>>>>>     <transition on="success" to="sendTicketGrantingTicket" />
>>>>>>>     <transition on="error" to="generateLoginTicket" />
>>>>>>> </action-state>
>>>>>>>
>>>>>>> <action-state id="generateLoginTicket">
>>>>>>>     <evaluate expression="generateLoginTicketAction.generate(flowRequestContext)" />
>>>>>>>     <transition on="success" to="viewLoginForm" />
>>>>>>> </action-state>
>>>>>>>
>>>>>>> Here are my new spnego.properties
>>>>>>> # cas.authn.spnego.spnegoMode=direct: indicates to go directly to
>>>>>>> # the SPNEGO by changing the success transition of the initialLoginForm
>>>>>>> # action-state to startSpnegoAuthenticate
>>>>>>> # cas.authn.spnego.spnegoMode=evaluateClient: indicates to evaluate
>>>>>>> # the client based on the client action strategy defined in
>>>>>>> # evaluateClientActionStrategy. It changes the success transition of
>>>>>>> # the initialLoginForm action-state to evaluateClientRequest
>>>>>>> cas.authn.
>>>>>> ...
>> [Message truncated]
>
>

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9f261cfb-1933-43f9-ad8a-c7995e91eec3%40apereo.org.
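The webflow quoted in the thread encodes a three-way decision (force SPNEGO, show the login form with a "LOGIN WITH MY WINDOWS ACCOUNT" button, or show the plain login form) driven by the `spnego` and `forcespnego` request parameters, a service regex (`spNegoAppCheck`) and a client-IP regex (`spNegoIPCheck`). The following stand-alone Java class is an added illustration of that decision table, written for this page; it is not Christian's code, not part of CAS, and uses no CAS or Spring Webflow API. The class name `SpnegoClientEvaluator`, the `Decision` enum and the `resolveClientIp` helper are all hypothetical names chosen here. It also covers one edge case the thread does not spell out: the address fed to the IP check must be the peer address, or an `X-Forwarded-For` entry only when the direct peer is a known reverse proxy, otherwise a client can pick which branch of the flow it lands in by sending its own header.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical model of the client-evaluation logic in the quoted webflow (no CAS dependency). */
public final class SpnegoClientEvaluator {

    /** Outcome of the evaluation, named after the target states of the webflow. */
    public enum Decision {
        FORCE_SPNEGO,                  // spnegoIPCheckAction2 "yes" -> startAuthenticate
        LOGIN_FORM_WITH_SPNEGO_BUTTON, // spnegoIPCheckAction "yes" -> generateLoginTicket + button
        LOGIN_FORM                     // every other path -> generateLoginTicket
    }

    private final Pattern ipPattern;      // plays the role of the spNegoIPCheck action
    private final Pattern servicePattern; // plays the role of the spNegoAppCheck action

    public SpnegoClientEvaluator(String ipRegex, String serviceRegex) {
        this.ipPattern = Pattern.compile(ipRegex);
        this.servicePattern = Pattern.compile(serviceRegex);
    }

    /**
     * Walks the decision states in the same order as the webflow:
     * startAuthenticateCheck -> spnegoForceCheckAction -> spnegoAppCheckAction -> IP checks.
     */
    public Decision evaluate(Map<String, String> requestParams, String clientIp, String serviceUrl) {
        // startAuthenticateCheck: ?spnego=off always bypasses SPNEGO.
        if ("off".equals(requestParams.get("spnego"))) {
            return Decision.LOGIN_FORM;
        }
        boolean ipMatches = clientIp != null && ipPattern.matcher(clientIp).matches();
        // spnegoForceCheckAction: ?forcespnego=true routes to spnegoIPCheckAction2.
        boolean forced = "true".equals(requestParams.get("forcespnego"));
        // spnegoAppCheckAction: a matching service also routes to spnegoIPCheckAction2.
        boolean serviceMatches = serviceUrl != null && servicePattern.matcher(serviceUrl).matches();

        if (forced || serviceMatches) {
            // spnegoIPCheckAction2: the IP must still match before SPNEGO is forced.
            return ipMatches ? Decision.FORCE_SPNEGO : Decision.LOGIN_FORM;
        }
        // spnegoIPCheckAction: a matching IP only offers the button, never forces SPNEGO.
        return ipMatches ? Decision.LOGIN_FORM_WITH_SPNEGO_BUTTON : Decision.LOGIN_FORM;
    }

    /**
     * Picks the address that the IP regex should be applied to. X-Forwarded-For is only
     * honoured when the direct peer is one of our own reverse proxies, and then only the
     * rightmost entry is used, because that is the one the trusted proxy appended itself.
     */
    public static String resolveClientIp(String remoteAddr, String xForwardedFor, Set<String> trustedProxies) {
        if (xForwardedFor == null || xForwardedFor.isBlank() || !trustedProxies.contains(remoteAddr)) {
            return remoteAddr;
        }
        String[] hops = xForwardedFor.split(",");
        return hops[hops.length - 1].trim();
    }

    public static void main(String[] args) {
        // Constructed sample configuration: corporate LAN 10.1.0.0/16 and an intranet service.
        SpnegoClientEvaluator evaluator =
            new SpnegoClientEvaluator("10\\.1\\.\\d{1,3}\\.\\d{1,3}", "https://intranet\\.example\\.com/.*");
        Set<String> proxies = Set.of("10.0.0.5"); // constructed address of the reverse proxy

        // Constructed requests: (remote peer, X-Forwarded-For, params, service)
        String lanIp = resolveClientIp("10.0.0.5", "10.1.42.7", proxies);          // via trusted proxy
        String spoofed = resolveClientIp("203.0.113.9", "10.1.42.7", proxies);     // header ignored

        System.out.println(evaluator.evaluate(Map.of(), lanIp, "https://intranet.example.com/app"));
        // FORCE_SPNEGO
        System.out.println(evaluator.evaluate(Map.of(), lanIp, "https://www.example.com/portal"));
        // LOGIN_FORM_WITH_SPNEGO_BUTTON
        System.out.println(evaluator.evaluate(Map.of("spnego", "off"), lanIp, "https://intranet.example.com/app"));
        // LOGIN_FORM
        System.out.println(evaluator.evaluate(Map.of("forcespnego", "true"), spoofed, "https://www.example.com/portal"));
        // LOGIN_FORM (external peer, forwarded header not trusted)
    }
}
```

Run with `java SpnegoClientEvaluator.java` (Java 11 or later). Note how `forcespnego=true` on its own never reaches `FORCE_SPNEGO`: both in the quoted webflow and here the IP check is still evaluated first, which is what keeps a request parameter from steering an external client into the negotiate branch.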
