I think I'm rewriting my last post, I really apologize for that, folks,
maybe with a better question. Please, folks, don't kill me.
env: Cas-overlay 6.3.x
At the beginning I would like to ask you how CAS starts examining handlers:
is it a random or a deterministic way, and from which handler does CAS start
when the user posts credentials to CAS?
I don't know if I understood well. I understood that it is a deterministic
way, but I cannot see this :) I have sometimes everest, sometimes rysy after
restarting CAS. Maybe the order number in handlers, if we put it in
cas.properties, does this. But for a service, how to start examining
credentials from the handler we want? The order in cas.properties
doesn't look good, because for one service you want to have one order and
for the second service another order, so it is probably stupid.
I am asking about it because if a web user or a curl API client tests the
service, CAS can start examining from one of the 2 handlers I have, sometimes
from the first handler, sometimes from the second handler (after restarting
CAS). I have had a policy like tryALL = false/true. If it started from
everest_365 like below and the user has rights in this handler (everest_365),
I believed that tryALL doesn't work if one handler didn't give success
of auth for the user because of the policy. It seems it works in a different way.
[ configuration
cas.authn.policy.source-selection-enabled=false
cas.authn.policy.required-handler-authentication-policy-enabled=true
cas.authn.policy.req.try-all=false
"authenticationPolicy": {
  "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "rysy" ]],
  "criteria": {
    "tryAll": false,
    "@class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"
  },
  "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
},
]
In this case CAS didn't try to examine other handlers like rysy,
probably because authentication succeeded. Could anybody confirm?
And how to avoid getting a dedicated handler working while the user has rights
in both handlers? The second handler I would like to use for another service.
I think that tryALL=true/false doesn't matter. It looks like this is how it works now.
For test purposes I have only 2 AD handlers: rysy, everest_365, and
user=kowalski.
Kowalski has rights in rysy and everest_365, but I would like to auth
kowalski only via rysy to the service even if kowalski has rights in everest_365.
So how to force CAS to start examining handlers from rysy? I don't even
know if it is possible nowadays.
____ _____ _ ______ __
| _ \| ____| / \ | _ \ \ / /
| |_) | _| / _ \ | | | \ V /
| _ <| |___ / ___ \| |_| || |
|_| \_\_____/_/ \_\____/ |_|
>
2021-12-09 12:29:06,575 INFO [org.apereo.cas.web.CasWebApplication] - <>
2021-12-09 12:29:06,575 INFO [org.apereo.cas.web.CasWebApplication] -
<Ready to process requests @ [2021-12-09T12:29:06.575Z]>
2021-12-09 12:29:06,986 INFO
[org.apereo.cas.services.AbstractServicesManager] - <Loaded [2] service(s)
from [JsonServiceRegistry].>
2021-12-09 12:29:09,999 INFO
[org.springframework.web.servlet.DispatcherServlet] - <Initializing Servlet
'dispatcherServlet'>
2021-12-09 12:29:10,026 INFO
[org.springframework.web.servlet.DispatcherServlet] - <Completed
initialization in 27 ms>
2021-12-09 12:29:10,226 DEBUG
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
<Authentication credentials provided for this transaction are
[[UsernamePasswordCredential(username=kowalski, source=null,
customFields={})]]>
2021-12-09 12:29:10,229 DEBUG
[org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] -
<Candidate/Registered authentication handlers for this transaction are
[[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@389a1e34,
org.apereo.cas.authentication.LdapAuthenticationHandler@720c8f80,
org.apereo.cas.authentication.LdapAuthenticationHandler@8b89b3a]]>
2021-12-09 12:29:10,229 DEBUG
[org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] -
<Authentication handler resolvers for this transaction are
[[org.apereo.cas.authentication.handler.RegisteredServiceAuthenticationHandlerResolver@6a97517]]>
2021-12-09 12:29:10,231 DEBUG
[org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] -
<Authentication handler resolvers produced no candidate authentication
handler. Using the default handler resolver instead...>
2021-12-09 12:29:10,232 DEBUG
[org.apereo.cas.authentication.AuthenticationHandlerResolver] - <Default
authentication handlers used for this transaction are
[HttpBasedServiceCredentialsAuthenticationHandler,everest_365,rysy]>
<---
Here I don't understand why the default handlers are both everest and rysy.
I have only rysy for the service in "requiredAuthenticationHandlers" :
["java.util.TreeSet", [ "rysy" ]]
2021-12-09 12:29:10,233 DEBUG
[org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] -
<Resolved and finalized authentication handlers to carry out this
authentication transaction are
[[org.apereo.cas.authentication.handler.RegisteredServiceAuthenticationHandlerResolver@6a97517]]>
2021-12-09 12:29:10,233 DEBUG
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
<Candidate resolved authentication handlers for this transaction are
[[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@389a1e34,
org.apereo.cas.authentication.LdapAuthenticationHandler@720c8f80,
org.apereo.cas.authentication.LdapAuthenticationHandler@8b89b3a]]>
2021-12-09 12:29:10,233 DEBUG
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
<Attempting to authenticate credential
[UsernamePasswordCredential(username=kowalski, source=null,
customFields={})]>
2021-12-09 12:29:10,233 DEBUG
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
<Authentication handler [HttpBasedServiceCredentialsAuthenticationHandler]
does not support the credential type
[UsernamePasswordCredential(username=kowalski, source=null,
customFields={})]. Trying next...>
2021-12-09 12:29:10,233 DEBUG
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
- <Examining credential [UsernamePasswordCredential(username=kowalski,
source=null, customFields={})] eligibility for authentication handler
[everest_365]>
2021-12-09 12:29:10,233 DEBUG
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
- <Credential [UsernamePasswordCredential(username=kowalski, source=null,
customFields={})] eligibility is [everest_365] for authentication handler
[true]>
2021-12-09 12:29:10,233 DEBUG
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
<Attempting authentication of [kowalski] using [everest_365]>
2021-12-09 12:29:15,421 DEBUG
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
- <Transforming credential username via
[org.apereo.cas.util.transforms.ChainingPrincipalNameTransformer]>
2021-12-09 12:29:15,422 DEBUG
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
- <Attempting to encode credential password via
[org.springframework.security.crypto.password.NoOpPasswordEncoder] for
[kowalski]>
2021-12-09 12:29:15,422 DEBUG
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
- <Attempting authentication internally for transformed credential
[UsernamePasswordCredential(username=kowalski, source=null,
customFields={})]>
2021-12-09 12:29:15,422 DEBUG
[org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting
LDAP authentication for [UsernamePasswordCredential(username=kowalski,
source=null, customFields={})]. Authenticator pre-configured attributes are
[null], additional requested attributes for this authentication request are
[[sAMAccountName, displayName, givenName, otherMailbox, cn, sn]]>
2021-12-09 12:29:15,785 DEBUG
[org.apereo.cas.authentication.policy.RequiredHandlerAuthenticationPolicyFactory]
- <Required authentication handlers for this service [Test] are [[rysy]]>
2021-12-09 14:13:06,703 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
trail record BEGIN
=============================================================
WHO: kowalski
WHAT: https://example.org/pz
ACTION: SERVICE_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Thu Dec 09 14:13:06 GMT 2021
CLIENT IP ADDRESS: ******
SERVER IP ADDRESS: ******
=============================================================
>
2021-12-09 14:13:06,704 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
trail record BEGIN
=============================================================
WHO: kowalski
WHAT: org.apereo.cas.ticket.UnsatisfiedAuthenticationPolicyException
ACTION: REST_API_SERVICE_TICKET_FAILED
APPLICATION: CAS
WHEN: Thu Dec 09 14:13:06 GMT 2021
CLIENT IP ADDRESS: *****
SERVER IP ADDRESS: *****
=============================================================
>
2021-12-09 14:13:06,705 ERROR
[org.apereo.cas.support.rest.resources.ServiceTicketResource] -
<UnsatisfiedAuthenticationPolicyException>
org.apereo.cas.ticket.UnsatisfiedAuthenticationPolicyException: null
at
org.apereo.cas.AbstractCentralAuthenticationService.getAuthenticationSatisfiedByPolicy(AbstractCentralAuthenticationService.java:184)
~[cas-server-core-6.3.2.jar!/:6.3.2]
at
org.apereo.cas.DefaultCentralAuthenticationService.grantServiceTicket(DefaultCentralAuthenticationService.java:109)
~[cas-server-core-6.3.2.jar!/:6.3.2]
at
org.apereo.cas.DefaultCentralAuthenticationService$$FastClassBySpringCGLIB$$b02e48f2.invoke(<generated>)
~[cas-server-core-6.3.2.jar!/:6.3.2]
at
org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
~[spring-core-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
at
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:771)
~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
etc
Regards.
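The handler sequence in the DEBUG log above can be pulled out mechanically and compared with the handlers the service requires. The Python script below is an added example, not part of the original post or of CAS; it assumes each log record has been re-joined onto one line and that transactions are not interleaved, and its sample input is three records from the post, unwrapped.

```python
import re

# Constructed sample: three DEBUG records from the post, each unwrapped to one line.
SAMPLE_LOG = """\
2021-12-09 12:29:10,232 DEBUG [org.apereo.cas.authentication.AuthenticationHandlerResolver] - <Default authentication handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler,everest_365,rysy]>
2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting authentication of [kowalski] using [everest_365]>
2021-12-09 12:29:15,785 DEBUG [org.apereo.cas.authentication.policy.RequiredHandlerAuthenticationPolicyFactory] - <Required authentication handlers for this service [Test] are [[rysy]]>
"""

DEFAULTS = re.compile(
    r"Default authentication handlers used for this transaction are \[([^\]]*)\]")
ATTEMPT = re.compile(r"Attempting authentication of \[([^\]]+)\] using \[([^\]]+)\]")
REQUIRED = re.compile(
    r"Required authentication handlers for this service \[([^\]]+)\] are \[\[([^\]]*)\]\]")


def split_names(raw):
    """Split a comma-separated handler list as it appears inside the brackets."""
    return [name.strip() for name in raw.split(",") if name.strip()]


def analyze(log_text):
    """Return one finding per 'Required authentication handlers' record."""
    order, attempts, findings = [], [], []
    for line in log_text.splitlines():
        if m := DEFAULTS.search(line):
            order = split_names(m.group(1))
            attempts = []  # assumption: this record opens a new transaction
        elif m := ATTEMPT.search(line):
            attempts.append((m.group(1), m.group(2)))
        elif m := REQUIRED.search(line):
            required = split_names(m.group(2))
            tried = [handler for _, handler in attempts]
            findings.append({
                "service": m.group(1),
                "users": sorted({user for user, _ in attempts}),
                "handler_order": order,   # order CAS listed the handlers in
                "tried": tried,           # handlers actually attempted, in order
                "required": required,     # handlers the service policy demands
                "required_handler_tried": bool(set(required) & set(tried)),
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against logs captured after several restarts, the `handler_order` field shows whether the listed order really changes between runs, and `required_handler_tried` marks transactions where the service's required handler was never attempted.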