Hi Misagh

Thank you for your reply.

I do not understand. What is then the value of the "requiredHandlers" attribute in the service json file? In my case, if I define the requiredHandler as "hfcAuthenticationHandler2" which during authentication throws an AuthenticationException (login failed), but my other AuthenticationHandler "hfcAuthenticationHandler" returns success, the CAS Client user will be logged in anyway.

What is then the sense of defining the requiredHandlers on the service itself? And how does the requiredHandlers attribute cooperate with my RequiredHandlerAuthenticationPolicy defined in deployerConfigContext.xml, which determines that "hfcAuthenticationHandler" is my required Handler for (as I understand) *direct login on CAS server without any CAS Client*?

Thanks in advance
Artur

On Tuesday, 1 December 2015 19:53:56 UTC+1, Misagh Moayyed wrote:
>
> I don’t think that actually works the way you describe. You are telling
> CAS that the only way an authentication event can succeed is if handler X
> succeeds. In your case, it never does.
>
> If your use case is, “I only want this handler to run for this service,
> and that handler for that service”, then that does not exist in CAS yet.
> It’s on the roadmap.
>
> https://wiki.jasig.org/display/CAS/CAS+4.3+Roadmap#CAS4.3Roadmap-AuthenticationPerService
>
> - Misagh
>
> On Dec 1, 2015, at 9:43 AM, Artur Stöcklin <[email protected]> wrote:
>
> Hello community
>
> I currently fight with the following problem:
>
> 1. In classpath:/services/service1.json I put the following file:
>
> {
>   "@class" : "org.jasig.cas.services.RegexRegisteredService",
>   "serviceId" : "^(http|https)://localhost.*",
>   "description" : "cool service",
>   "name" : "coolService",
>   "id" : 1,
>   "theme" : "testtheme",
>   "logoutType" : "BACK_CHANNEL",
>   "evaluationOrder" : 1,
>   "accessStrategy" : {
>     "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "enabled" : true,
>     "ssoEnabled" : true
>   },
>   "requiredHandlers" : [ "java.util.HashSet", [ "hfcAuthenticationHandler2" ] ]
> }
>
> CAS reads the file and creates the associated service. I can see the
> service in the JsonServiceRegistryDao. There is also the
> "hfcAuthenticationHandler2" name in the Set of given requiredHandlers.
>
> 2. The deployerConfigContext.xml file looks like this one:
>
> <bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
>     <constructor-arg>
>         <map>
>             <!--
>                | IMPORTANT
>                | Every handler requires a unique name.
>                | If more than one instance of the same handler class is configured, you must explicitly
>                | set its name to something other than its default name (typically the simple class name).
>                -->
>             <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
>             <!-- <entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" /> -->
>
>             <entry key-ref="hfcAuthenticationHandler" value-ref="primaryPrincipalResolver" />
>             <entry key-ref="hfcAuthenticationHandler2" value-ref="primaryPrincipalResolver" />
>         </map>
>     </constructor-arg>
>
>     <!-- Uncomment the metadata populator to capture the password.
>     <property name="authenticationMetaDataPopulators">
>        <util:list>
>            <bean class="org.jasig.cas.authentication.CacheCredentialsMetaDataPopulator"/>
>        </util:list>
>     </property>
>     -->
>
>     <!--
>        | Defines the security policy around authentication. Some alternative policies that ship with CAS:
>        |
>        | * NotPreventedAuthenticationPolicy - all credential must either pass or fail authentication
>        | * AllAuthenticationPolicy - all presented credential must be authenticated successfully
>        | * RequiredHandlerAuthenticationPolicy - specifies a handler that must authenticate its credential to pass
>        -->
>     <property name="authenticationPolicy">
>         <bean class="org.jasig.cas.authentication.RequiredHandlerAuthenticationPolicy"
>               c:requiredHandlerName="hfcAuthenticationHandler"
>               p:tryAll="false"/>
>     </property>
>
>     <!--
>     <property name="authenticationPolicy">
>         <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
>     </property>
>     -->
> </bean>
>
> <bean id="hfcAuthenticationHandler"
>       class="ch.cas.authentication.handler.HFCAuthenticationHandler"
>       p:name="hfcAuthenticationHandler">
> </bean>
>
> <bean id="hfcAuthenticationHandler2"
>       class="ch.cas.authentication.handler.HFCAuthenticationHandler2"
>       p:name="hfcAuthenticationHandler2">
> </bean>
>
> <bean id="serviceRegistryDao" class="org.jasig.cas.services.JsonServiceRegistryDao"
>       c:configDirectory="${service.registry.config.location}" />
>
> When I request the CAS Login page with a CAS client (webapp) which uses
> the defined CAS Service (Point 1) the required Handler
> (hfcAuthenticationHandler2) is called and returns "success". But CAS still
> returns "bad credentials" because the "hfcAuthenticationHandler" defined in
> the authenticationPolicy returns "failed".
>
> When I read the documentation
> (http://jasig.github.io/cas/4.1.x/installation/Service-Management.html) I
> understand that with the requiredHandlers parameter in the service json
> file I can define which handler should return "success" for the given
> service. If the defined service handler returns "success" the user should
> be logged in. Only when I change the authenticationPolicy to
> c:requiredHandlerName="hfcAuthenticationHandler2" does the service login
> succeed.
>
> How should I define the requiredHandlers in the json file if I want to
> specify the hfcAuthenticationHandler2 for my service which should return
> "success" independent of any other AuthenticationHandler defined in
> deployerConfigContext.xml which also can return "success"?
> I want only the one handler to be triggered if the defined CAS client
> requests the CAS service from json.
>
> Thanks in advance
>
> Artur

--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
Visit this group at http://groups.google.com/a/apereo.org/group/cas-user/.
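
Added example, not part of the thread and not CAS source code: a Python model of the login decision as the two posts report it, run over the three outcomes they describe. It assumes that tryAll is false, that every configured handler is tried, and that only the manager-wide RequiredHandlerAuthenticationPolicy gates login; the function and field names are hypothetical.

```python
# Model of the login decision reported in this thread; not CAS source code.
# Assumptions (labelled): every configured handler is tried, tryAll is false,
# and only the manager-wide policy gates login. All names are hypothetical.

def manager_policy_ok(successes, required_handler):
    """Manager-wide required-handler policy: the named handler must have succeeded."""
    return required_handler in successes


def login(handler_results, required_handler, service_required=()):
    """handler_results maps handler name -> True (success) or False (exception).

    Returns a dict with the login decision and any service-level required
    handlers that did not succeed (the expectation the thread asks about).
    """
    successes = {name for name, ok in handler_results.items() if ok}
    granted = bool(successes) and manager_policy_ok(successes, required_handler)
    unmet = sorted(set(service_required) - successes)
    return {
        "granted": granted,
        "successes": sorted(successes),
        "unmet_service_handlers": unmet,
        # Login granted although the service's own required handler failed.
        "gap": granted and bool(unmet),
    }


H1, H2 = "hfcAuthenticationHandler", "hfcAuthenticationHandler2"

# Constructed scenarios matching the three outcomes described in the thread.
SCENARIOS = {
    "original post: H2 ok, H1 fails, policy requires H1":
        login({H1: False, H2: True}, required_handler=H1, service_required=[H2]),
    "original post: policy changed to require H2":
        login({H1: False, H2: True}, required_handler=H2, service_required=[H2]),
    "reply: H2 throws, H1 ok, policy requires H1":
        login({H1: True, H2: False}, required_handler=H1, service_required=[H2]),
}

if __name__ == "__main__":
    for label, result in SCENARIOS.items():
        print(f"{label}: granted={result['granted']} gap={result['gap']}")
```

The third scenario is the one worth testing for in a deployment: login is granted while the handler named in the service's requiredHandlers did not succeed.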
