Hi,

I'm resuming on your latest message.

Yes, you do need a callback URL for your application.

This is the doc you are looking for:
https://apereo.github.io/cas/5.2.x/installation/Service-Management.html

Every time you want an application to log in to the CAS server, the CAS
server must know it. Thus the declaration of the CAS services and callback
URLs.

Thanks.
Best regards,
Jérôme



On Thu, Apr 19, 2018 at 10:39 PM, Steve Hespelt <shesp...@gmail.com> wrote:

> Well, I stumbled across a few config properties I decided to try
> (desperate people do desperate things...)
>
> cas.http-web-request.cors.allow-credentials=true
> # ? where are login requests coming from? Our webapp server name(s)
> # is this needed to get the final redirect back to our app ??
> cas.http-web-request.cors.allow-origins=localhost
> # ??
> cas.webflow.redirect-same-state=true
>
> Restarted CAS, same test case.
> now I see this warning log:
> 2018-04-19 15:47:48,430 WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck]
> - <Service Management: missing service. Service
> [https://localhost:8449/callback?client_name=CasClient] is not found in
> service registry.>
> ^^^^ I have to have a Service defined for the call back to the initial app
> ???
>
>
> 2018-04-19 15:47:48,432 DEBUG 
> [org.springframework.webflow.engine.impl.FlowExecutionImpl]
> - <Attempting to handle 
> [org.springframework.webflow.execution.ActionExecutionException:
> Exception thrown executing org.apereo.cas.web.flow.
> ServiceAuthorizationCheck@5fad865 in state 'serviceAuthorizationCheck' of
> flow 'login' -- action execution attributes were 'map[[empty]]'] with root
> cause [org.apereo.cas.services.UnauthorizedServiceException: Service
> Management: missing service. Service [https://localhost:8449/
> callback?client_name=CasClient] is not found in service registry.]>
>
> Has anyone actually gotten delegated authentication to flow from CAS back
> to an app that used the CAS protocol to request authentication to work?
> using CAS 5.2.x? Reading tons of CAS docs has provided no magic beans,
> nor did any page mention having to have a callback service defined...
> Am I frustrated? You bet.
> Is it correct for me to assume that this use case is 'typical' and that
> being typical, the default webflow definitions in CAS
> 5.2.2 ought to provide for it working? The docs at
> https://apereo.github.io/cas/5.2.x/installation/Webflow-Customization.html
> certainly suggest to me that's the case.
> Sure would like to make use of many of the positive features described in
> CAS 5.2.x. But I have to wonder if I'm missing much of the necessary
> details.  I would like to avoid implementing all the features myself. Never
> been a big fan of the "let's reinvent the wheel" school of development.
> But...
>
> Any insights, magic beans greatly appreciated.
> -steve
>
>
> On Thursday, April 19, 2018 at 1:46:35 PM UTC-4, Steve Hespelt wrote:
>>
>> Hi Jérôme,
>> I found an earlier posting
>> <https://groups.google.com/a/apereo.org/d/msg/cas-user/bGZam9qkP3E/IKPTYzp7AQAJ>
>> from 12/21/17 regarding the NPEs, so as suggested by that posting, I
>> restarted CAS & then cleared all related cookies from the browser. Once I
>> restart CAS & re-initiated the same flow, no more NPE as shown in my log.
>> But I still have the problem with the webflow not finishing as I expect.
>> I increased the log level to trace on a few packages:
>> org.apereo.cas.web.flow
>> org.springframework.webflow
>> org.springframework.session
>> org.springframework.web
>> org.springframework.web.socket
>> Some log entries of interest (to me): (and I'm currently guessing the
>> issue may be related to a SSO log msg at 2018-04-19 11:53:23,186
>> below.  Why would a service not be allowed to use SSO ?
>> -steve
>>
>> 2018-04-19 11:53:01,183 TRACE 
>> [org.springframework.web.servlet.DispatcherServlet]
>> - <Bound request context to thread: org.apache.catalina.connector.
>> RequestFacade@33327a12>    <- this object ref# shows up later, at the
>> bottom so I'm correlating this initial log with the later ('completion' )
>> log msg below with the same object ref#...
>> 2018-04-19 11:53:01,183 DEBUG 
>> [org.springframework.web.servlet.DispatcherServlet]
>> - <DispatcherServlet with name 'dispatcherServlet' processing GET request
>> for [/cas/login]>
>>
>> 2018-04-19 11:53:01,209 TRACE [org.apereo.cas.web.CasWebApplicationContext]
>> - <Publishing event in org.apereo.cas.web.CasWebAppli
>> cationContext@222545dc: ServletRequestHandledEvent: url=[/cas/login];
>> client=[0:0:0:0:0:0:0:1]; method=[GET]; servlet=[dispatcherServlet];
>> session=[2C34A85ABE5CF428636B86D697AA5B56]; user=[null]; time=[26ms];
>> status=[OK]>  <- From the pac4j demo's SecurityFilter redirect to
>> initial request on /cas/index.jsp
>>
>> 2018-04-19 11:53:22,914 DEBUG 
>> [org.springframework.web.servlet.DispatcherServlet]
>> - <DispatcherServlet with name 'dispatcherServlet' processing GET request
>> for [/cas/login]>
>>
>> 2018-04-19 11:53:22,921 TRACE 
>> [org.springframework.web.servlet.DispatcherServlet]
>> - <Testing handler map [org.springframework.webflow.m
>> vc.servlet.FlowHandlerMapping@2ee91bdf] in DispatcherServlet with name
>> 'dispatcherServlet'>
>> 2018-04-19 11:53:22,921 DEBUG 
>> [org.springframework.webflow.mvc.servlet.FlowHandlerMapping]
>> - <Mapping request with URI '/cas/login' to flow with id 'login'>
>>
>> 2018-04-19 11:53:22,921 DEBUG 
>> [org.springframework.webflow.executor.FlowExecutorImpl]
>> - <Launching new execution of flow 'login' with input map['state' ->
>> 'ldCrbo4sRBQJJ6MWsbMyEwW9aEbB2SXH4-qaq69Zz6s', 'code' ->
>> '4/AAAp_BeFI-e0zZCTS9wDDdIcKYhrXd2QDMej_cpXiigGC_jCEZ43E_
>> FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME', 'session_state' ->
>> '6cd666a9989ac714aac38521f950f380ba3fcfc0..b199', 'client_name' ->
>> 'GoogleOIDC', 'prompt' -> 'none', 'authuser' -> '0']>
>> 2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.d
>> efinition.registry.FlowDefinitionRegistryImpl] - <Getting FlowDefinition
>> with id 'login'>
>> 2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.e
>> ngine.impl.FlowExecutionImplFactory] - <Creating new execution of
>> 'login'>
>> 2018-04-19 11:53:22,921 DEBUG 
>> [org.springframework.webflow.engine.impl.FlowExecutionImpl]
>> - <Starting in org.springframework.webflow.mv
>> c.servlet.MvcExternalContext@408aeb6f with input map['state' ->
>> 'ldCrbo4sRBQJJ6MWsbMyEwW9aEbB2SXH4-qaq69Zz6s', 'code' ->
>> '4/AAAp_BeFI-e0zZCTS9wDDdIcKYhrXd2QDMej_cpXiigGC_jCEZ43E_
>> FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME', 'session_state' ->
>> '6cd666a9989ac714aac38521f950f380ba3fcfc0..b199', 'client_name' ->
>> 'GoogleOIDC', 'prompt' -> 'none', 'authuser' -> '0']>
>> 2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.engine.Flow]
>> - <Creating [FlowVariable@c58f8bd name = 'credential', valueFactory =
>> [BeanFactoryVariableValueFactory@5cab14e3 type =
>> UsernamePasswordCredential]]>
>> 2018-04-19 11:53:22,922 DEBUG 
>> [org.springframework.webflow.execution.ActionExecutor]
>> - <Executing [EvaluateAction@29e2f697 expression =
>> initialFlowSetupAction, resultExpression = [null]]>
>> 2018-04-19 11:53:22,922 DEBUG 
>> [org.springframework.webflow.execution.ActionExecutor]
>> - <Executing org.apereo.cas.web.flow.InitialFlowSetupAction@1c5e2d2f>
>> 2018-04-19 11:53:22,922 DEBUG 
>> [org.apereo.cas.web.flow.InitialFlowSetupAction]
>> - <Warning cookie path is set to [null] and path [/cas/]>
>> 2018-04-19 11:53:22,922 DEBUG 
>> [org.apereo.cas.web.flow.InitialFlowSetupAction]
>> - <TGC cookie path is set to [null] and path [/cas/]>
>> 2018-04-19 11:53:22,923 DEBUG [org.apereo.cas.authentication
>> .principal.WebApplicationServiceFactory] - <No service is specified in
>> the request. Skipping service creation>
>> 2018-04-19 11:53:22,923 DEBUG 
>> [org.apereo.cas.web.support.DefaultArgumentExtractor]
>> - <No service could be extracted based on the given request>
>> 2018-04-19 11:53:22,923 DEBUG 
>> [org.apereo.cas.web.support.AbstractArgumentExtractor]
>> - <Extractor did not generate service.>
>> 2018-04-19 11:53:22,924 DEBUG 
>> [org.springframework.webflow.execution.ActionExecutor]
>> - <Finished executing org.apereo.cas.web.flow.Initia
>> lFlowSetupAction@1c5e2d2f; result = success>
>> [...]
>> 2018-04-19 11:53:22,924 DEBUG 
>> [org.pac4j.oidc.credentials.extractor.OidcExtractor]
>> - <Authentication response successful>
>> 2018-04-19 11:53:23,183 DEBUG 
>> [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator]
>> - <Token response: status=200, content={
>>  "access_token": "ya29.GlyiBcpAH4iGUOnL7YWwmsCj
>> l_Mbap24wouWyPh4CzDAHXJgozy5a6GZWfl6c8VEeQcgBSU6p2eWtWnhvXK1
>> tZh8LsAmro4-24d4906l4m-XoWzvESO-Cac1SS8osA",
>>  "token_type": "Bearer",
>>  "expires_in": 3599,
>>  "id_token": "eyJhbGc [...]DQ"
>> }
>> >
>> 2018-04-19 11:53:23,184 DEBUG 
>> [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator]
>> - <Token response successful>
>> 2018-04-19 11:53:23,184 DEBUG [org.pac4j.oidc.client.GoogleOidcClient] -
>> <Credentials validation took: 260 ms>
>> 2018-04-19 11:53:23,184 DEBUG [org.apereo.cas.support.pac4j.
>> web.flow.DelegatedClientAuthenticationAction] - <Retrieved credentials:
>> [#OidcCredentials# | code: 4/AAAp_BeFI-e0zZCTS9wDDdIcKYhr
>> Xd2QDMej_cpXiigGC_jCEZ43E_FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME |
>> clientName: GoogleOIDC | accessToken: ya29.GlyiBcpAH4iGUOnL7YWwmsCjl
>> _Mbap24wouWyPh4CzDAHXJgozy5a6GZWfl6c8VEeQcgBSU6p2eWtWnhvXK1t
>> Zh8LsAmro4-24d4906l4m-XoWzvESO-Cac1SS8osA | refreshToken: null |
>> idToken: com.nimbusds.jwt.SignedJWT@65ff182d |]>
>> 2018-04-19 11:53:23,184 DEBUG [org.apereo.cas.support.pac4j.
>> web.flow.DelegatedClientAuthenticationAction] - <Retrieve service:
>> [org.apereo.cas.authentication.principal.SimpleWebApplicatio
>> nServiceImpl@62347e06[id=https://localhost:8449/callback?cli
>> ent_name=CasClient,originalUrl=https://localhost:8449/callba
>> ck?client_name=CasClient,artifactId=<null>,principal=<n
>> ull>,loggedOutAlready=false,format=XML]]>
>>                                          ^^^^ so CAS has the callback to
>> provide the pac4j demo the credentials
>>
>> 2018-04-19 11:53:23,186 TRACE [org.apereo.cas.util.CollectionUtils] -
>> <Converting attribute [org.apereo.cas.support.pac4j.
>> authentication.handler.support.ClientAuthenticationHandler@462b239f]>
>> 2018-04-19 11:53:23,186 WARN [org.apereo.cas.authentication
>> .RegisteredServiceAuthenticationHandlerResolver] - <Service [null] is
>> not allowed to use SSO.>
>> 2018-04-19 11:53:23,187 TRACE 
>> [org.apereo.cas.audit.spi.ThreadLocalPrincipalResolver]
>> - <Resolving principal at audit point [execution(Authentication
>> org.apereo.cas.authentication.PolicyBasedAuthenticationManag
>> er.authenticate(Authentication
>> Transaction))]>
>> 2018-04-19 11:53:23,187 INFO [org.apereo.inspektr.audit.sup
>> port.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>> [...]
>> 2018-04-19 11:53:23,190 DEBUG 
>> [org.springframework.webflow.engine.impl.FlowExecutionImpl]
>> - <Attempting to handle [org.springframework.webflow.e
>> xecution.ActionExecutionException: Exception thrown executing
>> org.apereo.cas.support.pac4j.web.f
>> low.DelegatedClientAuthenticationAction@7ce721a9 in state 'clientAction'
>> of flow 'login' -- action execution attributes were 'map[[empty]]']
>> org.springframework.webflow.execution.ActionExecutionException:
>> Exception thrown executing org.apereo.cas.support.pac4j.w
>> eb.flow.DelegatedClientAuthenticationAction@7ce721a9 in state
>> 'clientAction' of flow 'login' -- action execution attributes were
>> 'map[[empty]]'
>>         at 
>> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60)
>> ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>>         at 
>> org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
>> ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>>         at 
>> org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>> ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>>         at 
>> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>> ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>>         at 
>> org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101)
>> ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>>         at org.springframework.webflow.engine.State.enter(State.java:194)
>> ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>>         at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>> ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.st
>> art(FlowExecutionImpl.java:368) ~[spring-webflow-2.4.6.RELEASE
>> .jar!/:2.4.6.RELEASE]
>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.st
>> art(FlowExecutionImpl.java:223) ~[spring-webflow-2.4.6.RELEASE
>> .jar!/:2.4.6.RELEASE]
>>         at org.springframework.webflow.executor.FlowExecutorImpl.launch
>> Execution(FlowExecutorImpl.java:140) ~[spring-webflow-2.4.6.RELEASE.j
>>
>>
>> 2018-04-19 11:53:23,211 DEBUG 
>> [org.springframework.webflow.mvc.view.AbstractMvcView]
>> - <Rendering MVC [org.thymeleaf.spring4.view.ThymeleafView@5a9194a2]
>> with model map [{passwordManagementEnabled=false, recaptchaSiteKey=null,
>> viewScope=map[[empty]], warnCookieValue=false,
>> org.springframework.validation.BindingResult.credential=org.
>> springframework.webflow.mvc.view.BindingModel: 0 errors,
>> staticAuthentication=true, flowExecutionUrl=/cas/login?cl
>> ient_name=GoogleOIDC&state=ldCrbo4sRBQJJ6MWsbMyEwW9aEbB2SXH4
>> -qaq69Zz6s&code=4%2FAAAp_BeFI-e0zZCTS9wDDdIcKYhrXd2QDMej_cpX
>> iigGC_jCEZ43E_FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME&authuser=0&session_state
>> =6cd666a9989ac714aac38521f950f380ba3fcfc0..b199&prompt=none&
>> execution=35aa2986-8f39-4b7f-8a78-4a69bb475c54_H4sIAAAAAA [...] AAA%3D,
>> rootCauseException=org.apereo.cas.services.UnauthorizedSsoSe
>> rviceException: service.not.authorized.sso,
>> flowRequestContext=[RequestControlContextImpl@2b4c688c externalContext =
>> org.springframework.webflow.mvc.servlet.MvcExternalContext@408aeb6f,
>> currentEvent = [null], requestScope = map['ticketGrantingTicketId' ->
>> [null]], attributes = map[[empty]], messageContext =
>> [DefaultMessageContext@46184e22 sourceMessages = map[[null] ->
>> list[[empty]]]], flowExecution = [FlowExecutionImpl@7e5c67f1 flow =
>> 'login', flowSessions = list[[FlowSessionImpl@4157062f flow = 'login',
>> state = 'viewLoginForm', scope = map['passwordManagementEnabled' ->
>> false, 'rememberMeAuthenticationEnabled' -> false, 'recaptchaSiteKey' ->
>> [null], 'viewScope' -> map[[empty]], 'credential' -> null,
>> 'warnCookieValue' -> false, 'staticAuthentication' -> true, 'service' ->
>> org.apereo.cas.authentication.principal.SimpleWebApplication
>> ServiceImpl@62347e06[id=https://localhost:8449/callback?clie
>> nt_name=CasClient,originalUrl=https://localhost:8449/
>> callback?client_name=CasClient,artifactId=<null>,principal=<
>> null>,loggedOutAlready=false,format=XML], 'ticketGrantingTicketId' ->
>> [null], 'googleAnalyticsTrackingId' -> [null], 'trackGeoLocation' ->
>> false]]]]], rememberMeAuthenticationEnabled=false, currentUser=null,
>> credential=null, flowExecutionKey=35aa2986-8f39
>> -4b7f-8a78-4a69bb475c54_H4sIAAAAA [...] AA%3D,
>> rootCauseException=org.apereo.cas.services.UnauthorizedSsoServiceException:
>> service.not.authorized.sso, flowRequestContext=[RequestCon
>> trolContextImpl@2b4c688c externalContext = org.springframework.webflow.mv
>> c.servlet.MvcExternalContext@408aeb6f, currentEvent = [null],
>> requestScope = map['ticketGrantingTicketId' -> [null]], attributes =
>> map[[empty]], messageContext = [DefaultMessageContext@46184e22
>> sourceMessages = map[[null] -> list[[empty]]]], flowExecution =
>> [FlowExecutionImpl@7e5c67f1 flow = 'login', flowSessions =
>> list[[FlowSessionImpl@4157062f flow = 'login', state = 'viewLoginForm',
>> scope = map['passwordManagementEnabled' -> false,
>> 'rememberMeAuthenticationEnabled' -> false, 'recaptchaSiteKey' ->
>> [null], 'viewScope' -> map[[empty]], 'credential' -> null,
>> 'warnCookieValue' -> false, 'staticAuthentication' -> true, 'service' ->
>> org.apereo.cas.authentication.principal.SimpleWebApplication
>> ServiceImpl@62347e06[id=https://localhost:8449/callback?clie
>> nt_name=CasClient,originalUrl=https://localhost:8449/
>> callback?client_name=CasClient,artifactId=<null>,principal=<
>> null>,loggedOutAlready=false,format=XML], 'ticketGrantingTicketId' ->
>> [null], 'googleAnalyticsTrackingId' -> [null], 'trackGeoLocation' ->
>> false]]]]], rememberMeAuthenticationEnabled=false, currentUser=null,
>> credential=null, flowExecutionKey=35aa2986
>>
>> [...]
>> 2018-04-19 11:53:23,237 DEBUG 
>> [org.apereo.cas.services.web.ChainingThemeResolver]
>> - <No specific theme could be found. Using default theme
>> [cas-theme-default}>
>> 2018-04-19 11:53:23,266 DEBUG [org.springframework.webflow.engine.Transition]
>> - <Completed transition execution.  As a result, the new state is
>> 'viewLoginForm' in flow 'login'>
>> 2018-04-19 11:53:23,267 TRACE 
>> [org.springframework.web.servlet.DispatcherServlet]
>> - <Cleared thread-bound request context: org.apache.catalina.connector.
>> RequestFacade@33327a12>  <- same object ref# as in the initial above log
>> msg.
>> 2018-04-19 11:53:23,267 DEBUG 
>> [org.springframework.web.servlet.DispatcherServlet]
>> - <Successfully completed request>
>>
>>
>>
>>
>>> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit https://groups.google.com/a/
> apereo.org/d/msgid/cas-user/b04acace-f3d2-4d4e-a4e2-
> 84314c92aa54%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/b04acace-f3d2-4d4e-a4e2-84314c92aa54%40apereo.org?utm_medium=email&utm_source=footer>
> .
>
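
Added example, not part of the original messages and not CAS project code: a pre-deployment check that takes the rejected service URL from the WARN line in this thread and tests it against JSON service definitions, showing that an unescaped `?` in `serviceId` leaves the callback unregistered while the escaped, anchored pattern matches only that callback. The service names, ids and evaluation orders are hypothetical, and whole-URL matching with Python's `re` standing in for Java regex is an assumption.

```python
import json
import re

# Constructed service definitions in the JSON service-registry layout.
# "name", "id" and "evaluationOrder" values are hypothetical.
BROKEN = json.loads(r'''{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://localhost:8449/callback?client_name=CasClient$",
  "name": "pac4jDemoUnescaped", "id": 1001, "evaluationOrder": 1
}''')
FIXED = json.loads(r'''{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://localhost:8449/callback\\?client_name=CasClient$",
  "name": "pac4jDemoCallback", "id": 1002, "evaluationOrder": 2
}''')

# The WARN line from the thread, with the e-mail line wrapping removed.
LOG_LINE = ("2018-04-19 15:47:48,430 WARN "
            "[org.apereo.cas.web.flow.ServiceAuthorizationCheck] - "
            "<Service Management: missing service. Service "
            "[https://localhost:8449/callback?client_name=CasClient] "
            "is not found in service registry.>")

MISSING = re.compile(r"missing service\. Service \[(.+?)\] is not found")


def missing_service_from_log(line):
    """Return the service URL CAS rejected, or None if the line is unrelated."""
    m = MISSING.search(line)
    return m.group(1) if m else None


def find_matching_service(url, definitions):
    """Return the name of the first definition whose serviceId matches url.

    Assumption: definitions are tried in ascending evaluationOrder and the
    pattern must match the whole URL (Python's re stands in for Java regex).
    """
    for d in sorted(definitions, key=lambda d: d["evaluationOrder"]):
        if re.fullmatch(d["serviceId"], url):
            return d["name"]
    return None


if __name__ == "__main__":
    url = missing_service_from_log(LOG_LINE)
    print(url, "->", find_matching_service(url, [BROKEN, FIXED]))
```
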
