Hi,
I'm using CAS 5.0.x with oauth, x509 and LDAP support.

Some services need to use x509 authn only, while others can use both x509 
and LDAP.

I tried to configure some services to use x509 only with the 
requiredHandlers field, but had no success. CAS always displays the login 
page, asking for login+password (and also asks for x509 if I have a smart 
card plugged in). The problem is that the login/password fields shouldn't be 
displayed for those services if x509 auth fails.

I have also tried changing the registry entry for the oauth callback url to 
use those required handlers, with no success.

Registry examples:
*// APP-A: should work with login/pass or x509 auth*
{
  "@class": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "serviceId": "http://localhost/application-A",
  "name": "*APP-A*",
  "id": -2141454336,
  "description": "APP-A",
  "evaluationOrder": 1,
  "logoutType": "BACK_CHANNEL",
  "attributeReleasePolicy":
  {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
    "principalAttributesRepository":
    {
      "@class": 
"org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
      "expiration": 2,
      "timeUnit": "HOURS"
    },
    "authorizedToReleaseCredentialPassword": false,
    "authorizedToReleaseProxyGrantingTicket": false
  },
  "accessStrategy":
  {
    "@class": 
"org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": true,
    "requireAllAttributes": true,
    "caseInsensitive": false
  },
  "clientSecret": "APP-A",
  "clientId": "APP-A",
  "bypassApprovalPrompt": false,
  "generateRefreshToken": true,
  "jsonFormat": false
}

*// APP-B: should work with x509 auth only*
{
  "@class": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "serviceId": "http://localhost/application-B",
  "name": "APP-B",
  "id": -2141454336,
  "description": "APP-B",
  "evaluationOrder": 1,
  "logoutType": "BACK_CHANNEL",
  "attributeReleasePolicy":
  {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
    "principalAttributesRepository":
    {
      "@class": 
"org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
      "expiration": 2,
      "timeUnit": "HOURS"
    },
    "authorizedToReleaseCredentialPassword": false,
    "authorizedToReleaseProxyGrantingTicket": false
  },
  "accessStrategy":
  {
    "@class": 
"org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": true,
    "requireAllAttributes": true,
    "caseInsensitive": false
  },
  "clientSecret": "APP-B",
  "clientId": "APP-B",
  "bypassApprovalPrompt": false,
  "generateRefreshToken": true,
  "jsonFormat": false,
  "requiredHandlers": [ "java.util.HashSet", [ "X509CredentialsAuthenticationHandler" ] ]
}

*// oauth callback: tried requiredHandlers and without it*
{
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": 
"^https?://(localhost|127\\.0\\.0\\.1)(:\\d+)?/cas/idp/profile/SAML2/POST/SSO/Callback.+",
    "name": "CAS-LOCAL-SAML-WRAPPER-CALLBACK-URL",
    "id": 1298371932,
    "description": "Registro para o CAS-LOCAL-SAML-WRAPPER-CALLBACK-URL",
    "evaluationOrder": 0,
    "logoutType": "BACK_CHANNEL",
    "attributeReleasePolicy": {
        "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
        "principalAttributesRepository": {
            "@class": 
"org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
            "expiration": 2,
            "timeUnit": "HOURS"
        },
        "authorizedToReleaseCredentialPassword": false,
        "authorizedToReleaseProxyGrantingTicket": false
    },
    "multifactorPolicy": {
        "@class": 
"org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
        "failureMode": "CLOSED"
    },
    "accessStrategy": {
        "@class": 
"org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
        "enabled": true,
        "ssoEnabled": true,
        "requireAllAttributes": true,
        "caseInsensitive": false
    }
  ,"requiredHandlers": ["java.util.HashSet",["X509CredentialsAuthenticationHandler"]]
 }
