Hi all, it seems that in CAS 6.x (tested against latest 6.0.x and 6.1.0-RC4 tree), adaptive mfa flow is triggered also during the ticket validation process. As a consequence, when checking if agent matches the allowed pattern, ticket validation fails with the following NPE, as agent is null
2019-05-27 10:07:42,181 WARN [org.apereo.cas.web.AbstractServiceValidateController] - <null> [2019-05-27 10:07:42] [info] java.lang.NullPointerException: null[2019-05-27 10:07:42] [info] at org.apereo.cas.authentication.trigger.AdaptiveMultifactorAuthenticationTrigger.checkUserAgentOrClientIp(AdaptiveMultifactorAuthenticationTrigger.java:99) ~[cas-server-core-authentication-mfa-api-6.1.0-RC4-SNAPSHOT.jar:6.1.0-RC4-SNAPSHOT][2019-05-27 10:07:42] [info] at org.apereo.cas.authentication.trigger.AdaptiveMultifactorAuthenticationTrigger.isActivated(AdaptiveMultifactorAuthenticationTrigger.java:87) ~[cas-server-core-authentication-mfa-api-6.1.0-RC4-SNAPSHOT.jar:6.1.0-RC4-SNAPSHOT] … By checking if agent is null before calling checkUserAgentOrClientIp (or before checking if agent matches the allowed pattern), the NPE goes away and ticket validation succeeds. However, IMHO, I think that the adaptive mfa flow shouldn’t be triggered at all when accessing ticketing validation endpoints… Any thoughts? Thanks in advance, Pavlos -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAKP%3DBg1ub4nCx3tu%3DoF%2B7_X0X-j%2BEo3e8gamQbD2gqhq6GKYKA%40mail.gmail.com.
