Artur,
By default cas will try each of the authentication handlers until one succeeds,
starting with the first one (0, 1, 2, ...).
I would expect that if you identify one by name, it should use that one.
Is the '3' a typo in your properties or do you have 4 authenticators?
cas.authn.ldap[1].name=rysy
...
cas.authn.ldap[3].name=ppm
Sorry I could not be more help.
Ray
On Thu, 2021-12-09 at 06:56 -0800, artur miś wrote:
I think I'm rewriting my last post, I really apologize for that folks, maybe
with a better question. Please folks, don't kill me.
env: Cas-overlay 6.3.x
At the beginning I would like to ask you how cas starts examining handlers: is it
random or deterministic, from which handler cas starts when the user
posts credentials to cas?
I don't know if I understood well. I understood that it is deterministic, but
I cannot see this (I have sometimes everest, sometimes rysy, after restarting
cas); maybe the order number in handlers, if we put it in cas.properties, does
this. But for a service, how to start examining credentials from the handler
we want? The order in cas.properties doesn't look good, because for one
service you want to have one order, for the second service another order, so it
is probably stupid.
I am asking about it because if a web user or curl API client tests the
service,
cas can start examining from one of the 2 handlers I have, sometimes from the
first handler, sometimes from the second handler (after restarting cas). I have had
a policy like tryALL = false/true. If it started from everest_365 like below
and the user has rights in this handler (everest_365)
I believed that tryALL doesn't work if one handler didn't give success
of auth for the user because of policy. It seems it works in a different way.
[ configuration
cas.authn.policy.source-selection-enabled=false
cas.authn.policy.required-handler-authentication-policy-enabled=true
cas.authn.policy.req.try-all=false
"authenticationPolicy": {
  "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "rysy" ]],
  "criteria": {
    "tryAll": false,
    "@class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"
  },
  "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
},
]
In this case cas didn't try to examine other handlers like rysy, because
authentication probably succeeded. Could anybody confirm? And how to
avoid to get dedicated handler working while the user has rights in both handlers.
Second handler I would like to use for another service.
I think that tryALL=true/false doesn't matter. It is look like now work
For test purposes I have only 2 AD handlers: rysy, everest_365, and
user=kowalski.
Kowalski has rights in rysy and everest_365 but I would like to auth kowalski
only via rysy to the service even if kowalski has rights in everest_365.
So how to force cas to start handler examination from rysy? I don't even know
if it is possible nowadays.
2021-12-09 12:29:06,575 INFO [org.apereo.cas.web.CasWebApplication] - <>
2021-12-09 12:29:06,575 INFO [org.apereo.cas.web.CasWebApplication] - <Ready to
process requests @ [2021-12-09T12:29:06.575Z]>
2021-12-09 12:29:06,986 INFO [org.apereo.cas.services.AbstractServicesManager]
- <Loaded [2] service(s) from [JsonServiceRegistry].>
2021-12-09 12:29:09,999 INFO
[org.springframework.web.servlet.DispatcherServlet] - <Initializing Servlet
'dispatcherServlet'>
2021-12-09 12:29:10,026 INFO
[org.springframework.web.servlet.DispatcherServlet] - <Completed initialization
in 27 ms>
2021-12-09 12:29:10,226 DEBUG
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
<Authentication credentials provided for this transaction are
[[UsernamePasswordCredential(username=kowalski, source=null, customFields={})]]>
2021-12-09 12:29:10,229 DEBUG
[org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] -
<Candidate/Registered authentication handlers for this transaction are
[[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@389a1e34,
org.apereo.cas.authentication.LdapAuthenticationHandler@720c8f80,
org.apereo.cas.authentication.LdapAuthenticationHandler@8b89b3a]]>
2021-12-09 12:29:10,229 DEBUG
[org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] -
<Authentication handler resolvers for this transaction are
[[org.apereo.cas.authentication.handler.RegisteredServiceAuthenticationHandlerResolver@6a97517]]>
2021-12-09 12:29:10,231 DEBUG
[org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] -
<Authentication handler resolvers produced no candidate authentication handler.
Using the default handler resolver instead...>
2021-12-09 12:29:10,232 DEBUG
[org.apereo.cas.authentication.AuthenticationHandlerResolver] - <Default
authentication handlers used for this transaction are
[HttpBasedServiceCredentialsAuthenticationHandler,everest_365,rysy]>
<---
Here I don't understand why def handlers are both everest and rysy?
I have only rysy for the service in "requiredAuthenticationHandlers" :
["java.util.TreeSet", [ "rysy" ]]
2021-12-09 12:29:10,233 DEBUG
[org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] -
<Resolved and finalized authentication handlers to carry out this
authentication transaction are
[[org.apereo.cas.authentication.handler.RegisteredServiceAuthenticationHandlerResolver@6a97517]]>
2021-12-09 12:29:10,233 DEBUG
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Candidate
resolved authentication handlers for this transaction are
[[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@389a1e34,
org.apereo.cas.authentication.LdapAuthenticationHandler@720c8f80,
org.apereo.cas.authentication.LdapAuthenticationHandler@8b89b3a]]>
2021-12-09 12:29:10,233 DEBUG
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting
to authenticate credential [UsernamePasswordCredential(username=kowalski,
source=null, customFields={})]>
2021-12-09 12:29:10,233 DEBUG
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
<Authentication handler [HttpBasedServiceCredentialsAuthenticationHandler] does
not support the credential type [UsernamePasswordCredential(username=kowalski,
source=null, customFields={})]. Trying next...>
2021-12-09 12:29:10,233 DEBUG
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
- <Examining credential [UsernamePasswordCredential(username=kowalski,
source=null, customFields={})] eligibility for authentication handler
[everest_365]>
2021-12-09 12:29:10,233 DEBUG
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
- <Credential [UsernamePasswordCredential(username=kowalski, source=null,
customFields={})] eligibility is [everest_365] for authentication handler
[true]>
2021-12-09 12:29:10,233 DEBUG
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting
authentication of [kowalski] using [everest_365]>
2021-12-09 12:29:15,421 DEBUG
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
- <Transforming credential username via
[org.apereo.cas.util.transforms.ChainingPrincipalNameTransformer]>
2021-12-09 12:29:15,422 DEBUG
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
- <Attempting to encode credential password via
[org.springframework.security.crypto.password.NoOpPasswordEncoder] for
[kowalski]>
2021-12-09 12:29:15,422 DEBUG
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
- <Attempting authentication internally for transformed credential
[UsernamePasswordCredential(username=kowalski, source=null, customFields={})]>
2021-12-09 12:29:15,422 DEBUG
[org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP
authentication for [UsernamePasswordCredential(username=kowalski, source=null,
customFields={})]. Authenticator pre-configured attributes are [null],
additional requested attributes for this authentication request are
[[sAMAccountName, displayName, givenName, otherMailbox, cn, sn]]>
2021-12-09 12:29:15,785 DEBUG
[org.apereo.cas.authentication.policy.RequiredHandlerAuthenticationPolicyFactory]
- <Required authentication handlers for this service [Test] are [[rysy]]>
2021-12-09 14:13:06,703 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
trail record BEGIN
=============================================================
WHO: kowalski
WHAT: https://example.org/pz
ACTION: SERVICE_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Thu Dec 09 14:13:06 GMT 2021
CLIENT IP ADDRESS: ******
SERVER IP ADDRESS: ******
=============================================================
>
2021-12-09 14:13:06,704 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
trail record BEGIN
=============================================================
WHO: kowalski
WHAT: org.apereo.cas.ticket.UnsatisfiedAuthenticationPolicyException
ACTION: REST_API_SERVICE_TICKET_FAILED
APPLICATION: CAS
WHEN: Thu Dec 09 14:13:06 GMT 2021
CLIENT IP ADDRESS: *****
SERVER IP ADDRESS: *****
=============================================================
>
2021-12-09 14:13:06,705 ERROR
[org.apereo.cas.support.rest.resources.ServiceTicketResource] -
<UnsatisfiedAuthenticationPolicyException>
org.apereo.cas.ticket.UnsatisfiedAuthenticationPolicyException: null
at
org.apereo.cas.AbstractCentralAuthenticationService.getAuthenticationSatisfiedByPolicy(AbstractCentralAuthenticationService.java:184)
~[cas-server-core-6.3.2.jar!/:6.3.2]
at
org.apereo.cas.DefaultCentralAuthenticationService.grantServiceTicket(DefaultCentralAuthenticationService.java:109)
~[cas-server-core-6.3.2.jar!/:6.3.2]
at
org.apereo.cas.DefaultCentralAuthenticationService$$FastClassBySpringCGLIB$$b02e48f2.invoke(<generated>)
~[cas-server-core-6.3.2.jar!/:6.3.2]
at
org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
~[spring-core-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
at
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:771)
~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
etc
Regards.
--
Ray Bon
Programmer Analyst
Development Services, University Systems
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3c2cccf657f1791490198488e17aeb0eb8578a69.camel%40uvic.ca.
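
Added example, not part of the original thread and not CAS code: a Python script that correlates the DEBUG messages quoted in the thread (default handler order, handler attempted, handlers required for the service) and reports the mismatch that precedes the UnsatisfiedAuthenticationPolicyException. The sample log is constructed from the messages above, unwrapped to one line each; the function names are hypothetical.

```python
import re

# Constructed sample: the relevant messages from the thread, unwrapped to one line each.
SAMPLE_LOG = """\
2021-12-09 12:29:10,232 DEBUG [org.apereo.cas.authentication.AuthenticationHandlerResolver] - <Default authentication handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler,everest_365,rysy]>
2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting authentication of [kowalski] using [everest_365]>
2021-12-09 12:29:15,785 DEBUG [org.apereo.cas.authentication.policy.RequiredHandlerAuthenticationPolicyFactory] - <Required authentication handlers for this service [Test] are [[rysy]]>
2021-12-09 14:13:06,705 ERROR [org.apereo.cas.support.rest.resources.ServiceTicketResource] - <UnsatisfiedAuthenticationPolicyException>
"""

ORDER_RE = re.compile(r"Default authentication handlers used for this transaction are \[([^\]]*)\]")
ATTEMPT_RE = re.compile(r"Attempting authentication of \[([^\]]+)\] using \[([^\]]+)\]")
REQUIRED_RE = re.compile(r"Required authentication handlers for this service \[([^\]]+)\] are \[\[([^\]]*)\]\]")

def split_names(raw):
    return [n.strip() for n in raw.split(",") if n.strip()]

def summarize(log_text):
    """Collect handler order, attempted handlers and required handlers from one transaction."""
    s = {"order": [], "attempted": [], "required": [], "user": None, "service": None, "policy_failed": False}
    for line in log_text.splitlines():
        if m := ORDER_RE.search(line):
            s["order"] = split_names(m.group(1))
        elif m := ATTEMPT_RE.search(line):
            s["user"] = m.group(1)
            s["attempted"].append(m.group(2))
        elif m := REQUIRED_RE.search(line):
            s["service"], s["required"] = m.group(1), split_names(m.group(2))
        elif "UnsatisfiedAuthenticationPolicyException" in line:
            s["policy_failed"] = True
    return s

def findings(s):
    """Report where the attempted handlers diverge from the service's required handlers."""
    out = []
    skipped = [h for h in s["required"] if h not in s["attempted"]]
    extra = [h for h in s["attempted"] if h not in s["required"]]
    if skipped:
        out.append(f"required handler(s) never attempted for service {s['service']}: {skipped}")
    if extra:
        out.append(f"{s['user']} was sent to non-required handler(s): {extra}")
    for r in (h for h in skipped if h in s["order"]):
        ahead = [h for h in extra if h in s["order"] and s["order"].index(h) < s["order"].index(r)]
        if ahead:
            out.append(f"{r} is ordered after {ahead} in the default handler list")
    if s["policy_failed"] and skipped:
        out.append("UnsatisfiedAuthenticationPolicyException logged after the mismatch")
    return out

if __name__ == "__main__":
    print("\n".join(findings(summarize(SAMPLE_LOG))))
```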