Hi Kostas,

thanks for sharing your findings, it does seem like a bug. For me, even just *removing* the *"@ConditionalOnBean..."* line worked as well (done in a custom config class though).

It looks like the aforementioned line is redundant, because the bean referenced by the annotation is used conditionally via Spring's *ObjectProvider* anyway - by calling *"authenticationThrottlingExecutionPlan.ifAvailable(plan -> { ..."* on the provider instance.

Regards
Petr

On Monday 22 January 2024 at 15:09:22 UTC+1 Kostas Kalevras wrote:

> Just an update. Replacing
> <https://github.com/apereo/cas/blob/5e1035dde95094a951c9ea87993cdea29ab6c85c/support/cas-server-support-rest/src/main/java/org/apereo/cas/config/CasRestAutoConfiguration.java#L129C5-L129C23>
> @ConditionalOnBean with @DependsOn in order to make sure that the REST
> protocol is initialized *after* Authentication Throttling seems to fix
> things. So I guess there actually is a race condition with REST being
> initialized before throttling.
>
> Not sure if there's any other way to initialize beans with a specific
> order without code changes.
>
> On Thursday 18 January 2024 at 4:34:32 AM UTC+2, Kostas Kalevras wrote:
>
>> Hello all
>>
>> Using CAS 6.6.15 in a Docker setup with LDAP user repository.
>>
>> CAS/SAML/OIDC authentication works with no problem. Throttling CAS auth
>> requests also works without a problem.
>>
>> The relevant throttling configuration in cas.properties is as follows:
>>
>> # Failure Throttling
>> cas.authn.throttle.failure.threshold=1
>> cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
>> cas.authn.throttle.failure.range-seconds=30
>> cas.authn.throttle.core.username-parameter=username
>>
>> We have enabled REST Authentication which works without a problem:
>>
>> /# curl -sk https://sso-server:8443/cas/v1/users -d 'username=test&password=test'|jq .authentication.credentials
>> [
>>   {
>>     "@class": "org.apereo.cas.authentication.metadata.BasicCredentialMetaData",
>>     "id": "test",
>>     "credentialClass": "org.apereo.cas.authentication.credential.UsernamePasswordCredential"
>>   }
>> ]
>>
>> REST and throttling implementation in build.gradle:
>>
>> implementation "org.apereo.cas:cas-server-support-throttle"
>> implementation "org.apereo.cas:cas-server-support-rest"
>>
>> Yet no matter how we try, throttling REST auth requests does not work.
>> Looking at the relevant code
>> <https://github.com/apereo/cas/blob/5e1035dde95094a951c9ea87993cdea29ab6c85c/support/cas-server-support-rest/src/main/java/org/apereo/cas/config/CasRestAutoConfiguration.java#L127>,
>> I see that throttling is implemented. Nevertheless, the debug line
>> <https://github.com/apereo/cas/blob/5e1035dde95094a951c9ea87993cdea29ab6c85c/support/cas-server-support-rest/src/main/java/org/apereo/cas/config/CasRestAutoConfiguration.java#L143>
>> about "Activating authentication throttling for REST endpoints..." does not
>> seem to be called.
>>
>> My fear is for a race condition where REST is initialized before
>> throttling and the check
>> <https://github.com/apereo/cas/blob/5e1035dde95094a951c9ea87993cdea29ab6c85c/support/cas-server-support-rest/src/main/java/org/apereo/cas/config/CasRestAutoConfiguration.java#L129>
>> for the relevant bean fails.
>>
>> Any help would be appreciated.
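The bean-ordering behaviour discussed in this thread, as an added example that is not part of the original messages and is not CAS code: a `@ConditionalOnBean` guard only sees bean definitions registered before it is evaluated, while an `ObjectProvider` lookup is resolved when the bean is created. `ThrottlePlan`, `RestSecurity` and the three configuration classes are hypothetical stand-ins, and the sketch assumes Spring Boot is on the classpath; it shows the general Spring mechanism, not a confirmed diagnosis of the CAS behaviour.

```java
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

public class ConditionalOrderDemo {
    // Hypothetical stand-ins for a throttling plan and a REST security setup (not CAS classes).
    record ThrottlePlan(String name) {}
    record RestSecurity(boolean throttled) {}

    @Configuration(proxyBeanMethods = false)
    static class ThrottleConfig {
        @Bean
        ThrottlePlan throttlePlan() { return new ThrottlePlan("failure-throttle"); }
    }

    // Fragile: the condition is evaluated while bean definitions are being
    // registered, so it only sees beans from configurations processed earlier.
    @Configuration(proxyBeanMethods = false)
    static class ConditionalRestConfig {
        @Bean
        @ConditionalOnBean(ThrottlePlan.class)
        RestSecurity restSecurity(ThrottlePlan plan) { return new RestSecurity(true); }
    }

    // Order-independent: the bean always exists and looks the plan up at creation time.
    @Configuration(proxyBeanMethods = false)
    static class ProviderRestConfig {
        @Bean
        RestSecurity restSecurity(ObjectProvider<ThrottlePlan> plan) {
            boolean[] throttled = {false};
            plan.ifAvailable(p -> throttled[0] = true);
            return new RestSecurity(throttled[0]);
        }
    }

    // Builds a context from the given configurations, in the given order,
    // and reports whether the REST bean exists and whether it is throttled.
    static String describe(Class<?>... configs) {
        try (var ctx = new AnnotationConfigApplicationContext(configs)) {
            var rest = ctx.getBeanProvider(RestSecurity.class).getIfAvailable();
            return rest == null ? "no REST throttling bean" : "throttled=" + rest.throttled();
        }
    }

    public static void main(String[] args) {
        System.out.println(describe(ConditionalRestConfig.class, ThrottleConfig.class)); // REST first
        System.out.println(describe(ThrottleConfig.class, ConditionalRestConfig.class)); // throttle first
        System.out.println(describe(ProviderRestConfig.class, ThrottleConfig.class));    // REST first, provider
    }
}
```

When a deployment relies on a conditional bean for a security control such as throttling, checking the startup log for the activation message mentioned in the thread confirms whether the control was actually registered.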