Hello, I decided to create a new thread because this could be a general problem in CAS 6.3.x, or I believe that it is a bug: "Authentication handler resolvers produced no candidate authentication handler. Using the default handler resolver instead"
I have a simple service like the one below, and I have made 3 tests.

A-TEST (according to: https://apereo.github.io/cas/6.3.x/services/Configuring-Service-AuthN-Policy.html)

    {
      "@class": "org.apereo.cas.services.RegexRegisteredService",
      "serviceId": "^(http|https)://example.org/casphp*",
      "name": "Test",
      "id": 1,
      "description": "Straggle Today!",
      "authenticationPolicy": {
        "requiredAuthenticationHandlers": ["java.util.TreeSet", [ "everest" ]],
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
        "criteria": {
          "@class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"
        }
      }
    }

Hashed conf line below:

    #cas.authn.policy.required-handler-authentication-policy-enabled=true

With this setting I tried many times (3 or 5) to reload CAS, as CAS used the ppm handler as the first handler to examine, and the user was logged in to the service. In the logs I can't see any check that the service example.org should be launched with the everest handler. So the conclusion is that I have to use: cas.authn.policy.required-handler-authentication-policy-enable=true. Or how do I do it personalized per service??

B-TEST. I enabled the line:

    cas.authn.policy.required-handler-authentication-policy-enabled=true

    {
      "@class": "org.apereo.cas.services.RegexRegisteredService",
      "serviceId": "^(http|https)://example.org/casphp*",
      "name": "Test",
      "id": 1,
      "description": "Straggle Today!",
      "authenticationPolicy": {
        "requiredAuthenticationHandlers": ["java.util.TreeSet", [ "everest" ]],
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
      }
    }

In this case, if the examination of handlers starts from the ppm handler, auth is accepted, but cas.authn.policy.required-handler-authentication-policy-enabled keeps the user not logged in because the ppm handler is not for the service example.org. But CAS didn't even try everest. It looks like requiredAuthenticationHandlers works but cas.authn.policy.required-handler-authentication-policy-enabled=true.

C-TEST with tryALL policy.

    {
      "@class": "org.apereo.cas.services.RegexRegisteredService",
      "serviceId": "^(http|https)://example.org/casphp*",
      "name": "Test",
      "id": 1,
      "description": "Straggle Today!",
      "authenticationPolicy": {
        "requiredAuthenticationHandlers": ["java.util.TreeSet", [ "everest" ]],
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
        "tryAll": true,   <- this should try all services to achieve requiredAuthenticationHandlers ??
        "criteria": {
          "@class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"
        }
      }
    }

Hashed:

    #cas.authn.policy.required-handler-authentication-policy-enabled=true

If the ppm handler is used by CAS during examination, everest wasn't tried by CAS.

For the three cases I see something like this:

    2021-12-06 11:05:17,655 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication credentials provided for this transaction are [[UsernamePasswordCredential(username=kowalski, source=null, customFields={})]]>
    2021-12-06 11:05:17,658 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Candidate/Registered authentication handlers for this transaction are [[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@62de73eb, org.apereo.cas.authentication.LdapAuthenticationHandler@4b50c21, org.apereo.cas.authentication.LdapAuthenticationHandler@1e95f584, org.apereo.cas.authentication.LdapAuthenticationHandler@69de72ec]]>

* above is the list of 3 handlers; I have 3 in cas.properties *

    2021-12-06 11:05:17,658 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Authentication handler resolvers for this transaction are [[org.apereo.cas.authentication.handler.RegisteredServiceAuthenticationHandlerResolver@6a562255]]>
    2021-12-06 11:05:17,668 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Authentication handler resolvers produced no candidate authentication handler. Using the default handler resolver instead...>
    2021-12-06 11:05:17,669 DEBUG [org.apereo.cas.authentication.AuthenticationHandlerResolver] - <Default authentication handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler,everest,everest_365,ppm]>

Let's assume I see that I have in the log: "Authentication handler resolvers produced no candidate authentication handler. Using the default handler resolver instead". Why doesn't CAS see a candidate auth handler? Maybe that is connected with my general problem: how should I attach the handler to a service (while one user has privileges in two handlers)?

AM
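
A diagnostic for the situation described in the post above, added here as an example and not code from the poster or from the CAS project: it unwraps `requiredAuthenticationHandlers` from the service definition and checks the DEBUG log for the fallback message and the default handler list. The sample inputs are constructed (shortened) from the post, and the function names are hypothetical.

```python
import json
import re

# Constructed sample input, shortened from the service definition and DEBUG log in the post.
SERVICE_JSON = """
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(http|https)://example.org/casphp*",
  "authenticationPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    "requiredAuthenticationHandlers": ["java.util.TreeSet", ["everest"]]
  }
}
"""
LOG = """\
2021-12-06 11:05:17,668 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Authentication handler resolvers produced no candidate authentication handler. Using the default handler resolver instead...>
2021-12-06 11:05:17,669 DEBUG [org.apereo.cas.authentication.AuthenticationHandlerResolver] - <Default authentication handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler,everest,everest_365,ppm]>
"""

FALLBACK = "produced no candidate authentication handler"
DEFAULTS = re.compile(r"Default authentication handlers used for this transaction are \[([^\]]*)\]")

def required_handlers(service_json):
    """Unwrap the ["java.util.TreeSet", [...]] typed-collection form used in the service file."""
    policy = json.loads(service_json).get("authenticationPolicy", {})
    value = policy.get("requiredAuthenticationHandlers", [])
    if len(value) == 2 and isinstance(value[0], str) and isinstance(value[1], list):
        value = value[1]
    return set(value)

def diagnose(service_json, log_text):
    required = required_handlers(service_json)
    fell_back = FALLBACK in log_text
    match = DEFAULTS.search(log_text)
    defaults = [h.strip() for h in match.group(1).split(",")] if match else []
    return {
        "required": sorted(required),
        "fell_back_to_default": fell_back,
        "default_handlers": defaults,
        # Names the service requires that the log does not list as available handlers.
        "required_missing_from_defaults": sorted(required - set(defaults)),
        # Handlers the log reports as used although the service does not require them.
        "extra_handlers_in_play": sorted(set(defaults) - required) if fell_back else [],
    }

if __name__ == "__main__":
    print(json.dumps(diagnose(SERVICE_JSON, LOG), indent=2))
```

A non-empty `extra_handlers_in_play` together with `fell_back_to_default` matches what the post reports: the transaction ran against the full default handler list rather than only the handler named in the service definition.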