Hi Daniel, thanks for your response. I spent a lot of time looking at those. And although it's likely that we will ultimately need to write our own policy or authentication handler, I was wanting to play with the existing ones to see if we could do anything interesting with them.

But I was having difficulty getting them actually enabled with the configuration file lines as described in the documentation. Running at TRACE level in the authentication code, I was always seeing the "any" policy getting run, and the "notPrevented" if it was enabled, but I never saw any of the others getting executed, even if enabled. And the "any" policy seems to run even if you explicitly set "cas.authn.policy.any.enabled=false", which just seems wrong to me.

At the end of the day it may not matter as I don't think the existing things will do what we want, but I haven't seen anything in the forum at all about this stuff except one other unanswered question, so I was wondering if there was anyone out there using it successfully.

--Dave

--
DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • [email protected]

On Wed, Jan 16, 2019 at 5:53 PM Daniel Ellentuck <[email protected]> wrote:

> Hi David,
>
> Take a look at: the authentication policy configuration in
> cas-server-core-authentication:
> org.apereo.cas.config.CasCoreAuthenticationPolicyConfiguration
> <https://github.com/apereo/cas/blob/master/core/cas-server-core-authentication/src/main/java/org/apereo/cas/config/CasCoreAuthenticationPolicyConfiguration.java>
> and the actual authentication policies in
> cas-server-core-authentication-api:
> org.apereo.cas.authentication.policy
> <https://github.com/apereo/cas/tree/master/core/cas-server-core-authentication-api/src/main/java/org/apereo/cas/authentication/policy>
> and ensure you're clear on what the policies do. If you have a truly custom
> case, you may have to implement your own authentication policy and add it
> via the AuthenticationEventExecutionPlanConfigurer. If not, could you
> describe what behavior you'd like to see and what you've done to effect it?
>
> (I'm referring to CAS v.5.3.7.)
> ....
>
> Dan
>
>
> On Wed, Jan 16, 2019 at 3:23 PM <[email protected]> wrote:
>
>> Has anyone figured out how to make Authentication Policies, as documented
>> here:
>>
>> https://apereo.github.io/cas/5.2.x/installation/Configuring-Authentication-Components.html#authentication-policy
>>
>> and here:
>>
>> https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#authentication-policy
>>
>> actually work? I've been messing around with it for an entire day now,
>> and it seems to me that:
>>
>> 1. You cannot DISABLE the "any" policy; you can only enable/disable
>>    the "tryAll" option
>> 2. You CAN enable the "notPrevented" policy, but you have no way to
>>    control what it considers "Prevented"
>> 3. You CANNOT enable the "all" or "allHandlers" policies
>>
>> We're running CAS 5.2.7, but I'll take answers for any version, at this
>> point.
>>
>> Thanks,
>> --Dave
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/c3d3dd00-5156-4d52-a1a6-32739d7d03b5%40apereo.org
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/c3d3dd00-5156-4d52-a1a6-32739d7d03b5%40apereo.org?utm_medium=email&utm_source=footer>
>> .
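
Added example, not part of the thread and not code from the CAS project: a sketch of the custom-policy route mentioned in the quoted reply, registering a policy through AuthenticationEventExecutionPlanConfigurer. It assumes the CAS 5.3.x interfaces (check the signatures against the version you run); the package, class names and handler names are hypothetical.

```java
package org.example.cas; // hypothetical package

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlan;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationPolicy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;

// Assumes the CAS 5.3.x interfaces; signatures differ in other versions.
// The class must be picked up by the overlay, e.g. listed in META-INF/spring.factories.
@Configuration("requiredHandlersPolicyConfiguration")
public class RequiredHandlersPolicyConfiguration implements AuthenticationEventExecutionPlanConfigurer {
    private static final Logger LOGGER = LoggerFactory.getLogger(RequiredHandlersPolicyConfiguration.class);

    // Hypothetical handler names; use the names your handlers are registered under.
    private static final Set<String> REQUIRED =
        new HashSet<>(Arrays.asList("LdapAuthenticationHandler", "SecondFactorHandler"));

    /** Satisfied only when every required handler succeeded and no handler failed. */
    static class RequiredHandlersPolicy implements AuthenticationPolicy {
        @Override
        public boolean isSatisfiedBy(final Authentication authn) {
            // Both maps are keyed by handler name.
            final Set<String> succeeded = authn.getSuccesses().keySet();
            final Set<String> failed = authn.getFailures().keySet();
            // Log what actually ran so the decision can be confirmed in the logs.
            LOGGER.debug("Policy check: succeeded={}, failed={}, required={}", succeeded, failed, REQUIRED);
            // Fail closed: any failure, or any missing required handler, rejects the login.
            return failed.isEmpty() && succeeded.containsAll(REQUIRED);
        }
    }

    @Override
    public void configureAuthenticationExecutionPlan(final AuthenticationEventExecutionPlan plan) {
        // Register the custom policy with the authentication execution plan.
        plan.registerAuthenticationPolicy(new RequiredHandlersPolicy());
    }
}
```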
