I think I'm rewriting my last post; I really apologize for that, folks, maybe with a better question. Please, folks, don't kill me.
Env: CAS overlay 6.3.x

At the beginning I would like to ask how CAS starts examining handlers: is it random or deterministic, i.e. from which handler does CAS start when the user posts credentials to CAS? I don't know if I understood well. I understood that it is deterministic, but I cannot see this (I sometimes have everest and sometimes rysy after restarting CAS). Maybe an order number in the handlers, if we put it in cas.properties, does this. But for a service, how do we start examining credentials from the handler we want? The order in cas.properties doesn't look good, because for one service you want one order and for the second service another order, so it is probably stupid.

I am asking about it because if a web user or a curl API client tests the service, CAS can start examining from one of the 2 handlers I have, sometimes from the first handler and sometimes from the second handler (after restarting CAS). I have had a policy like tryAll = false/true. If it started from everest_365, like below, and the user has rights in this handler (everest_365), I believed that tryAll doesn't work if one handler didn't give successful auth for the user because of the policy. It seems it works in a different way.

Configuration:

    cas.authn.policy.source-selection-enabled=false
    cas.authn.policy.required-handler-authentication-policy-enabled=true
    cas.authn.policy.req.try-all=false

    "authenticationPolicy": {
      "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "rysy" ]],
      "criteria": {
        "tryAll": false,
        "@class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"
      },
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
    },

In this case CAS didn't try to examine other handlers like rysy, probably because authentication succeeded. Could anybody confirm? And how to avoid getting a dedicated handler working while the user has rights in both handlers? The second handler I would like to use for another service. I think that tryAll=true/false doesn't matter.
It now looks like this at work. For test purposes I have only 2 AD handlers, rysy and everest_365, and user=kowalski. Kowalski has rights in rysy and everest_365, but I would like to auth kowalski only via rysy to the service, even if kowalski has rights in everest_365. So how to force CAS to start examining handlers from rysy? I don't even know if it is possible nowadays.

  ____  _____    _    ______   __
 |  _ \| ____|  / \  |  _ \ \ / /
 | |_) |  _|   / _ \ | | | \ V /
 |  _ <| |___ / ___ \| |_| || |
 |_| \_\_____/_/   \_\____/ |_|
>
2021-12-09 12:29:06,575 INFO [org.apereo.cas.web.CasWebApplication] - <>
2021-12-09 12:29:06,575 INFO [org.apereo.cas.web.CasWebApplication] - <Ready to process requests @ [2021-12-09T12:29:06.575Z]>
2021-12-09 12:29:06,986 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [2] service(s) from [JsonServiceRegistry].>
2021-12-09 12:29:09,999 INFO [org.springframework.web.servlet.DispatcherServlet] - <Initializing Servlet 'dispatcherServlet'>
2021-12-09 12:29:10,026 INFO [org.springframework.web.servlet.DispatcherServlet] - <Completed initialization in 27 ms>
2021-12-09 12:29:10,226 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication credentials provided for this transaction are [[UsernamePasswordCredential(username=kowalski, source=null, customFields={})]]>
2021-12-09 12:29:10,229 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Candidate/Registered authentication handlers for this transaction are [[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@389a1e34, org.apereo.cas.authentication.LdapAuthenticationHandler@720c8f80, org.apereo.cas.authentication.LdapAuthenticationHandler@8b89b3a]]>
2021-12-09 12:29:10,229 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Authentication handler resolvers for this transaction are [[org.apereo.cas.authentication.handler.RegisteredServiceAuthenticationHandlerResolver@6a97517]]>
2021-12-09 12:29:10,231 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Authentication handler resolvers produced no candidate authentication handler. Using the default handler resolver instead...>
2021-12-09 12:29:10,232 DEBUG [org.apereo.cas.authentication.AuthenticationHandlerResolver] - <Default authentication handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler,everest_365,rysy]>

<--- Here I don't understand why the default handlers are both everest and rysy. I have only rysy for the service in "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "rysy" ]]

2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Resolved and finalized authentication handlers to carry out this authentication transaction are [[org.apereo.cas.authentication.handler.RegisteredServiceAuthenticationHandlerResolver@6a97517]]>
2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Candidate resolved authentication handlers for this transaction are [[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@389a1e34, org.apereo.cas.authentication.LdapAuthenticationHandler@720c8f80, org.apereo.cas.authentication.LdapAuthenticationHandler@8b89b3a]]>
2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting to authenticate credential [UsernamePasswordCredential(username=kowalski, source=null, customFields={})]>
2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication handler [HttpBasedServiceCredentialsAuthenticationHandler] does not support the credential type [UsernamePasswordCredential(username=kowalski, source=null, customFields={})]. Trying next...>
2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Examining credential [UsernamePasswordCredential(username=kowalski, source=null, customFields={})] eligibility for authentication handler [everest_365]>
2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Credential [UsernamePasswordCredential(username=kowalski, source=null, customFields={})] eligibility is [everest_365] for authentication handler [true]>
2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting authentication of [kowalski] using [everest_365]>
2021-12-09 12:29:15,421 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Transforming credential username via [org.apereo.cas.util.transforms.ChainingPrincipalNameTransformer]>
2021-12-09 12:29:15,422 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Attempting to encode credential password via [org.springframework.security.crypto.password.NoOpPasswordEncoder] for [kowalski]>
2021-12-09 12:29:15,422 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Attempting authentication internally for transformed credential [UsernamePasswordCredential(username=kowalski, source=null, customFields={})]>
2021-12-09 12:29:15,422 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for [UsernamePasswordCredential(username=kowalski, source=null, customFields={})]. Authenticator pre-configured attributes are [null], additional requested attributes for this authentication request are [[sAMAccountName, displayName, givenName, otherMailbox, cn, sn]]>
2021-12-09 12:29:15,785 DEBUG [org.apereo.cas.authentication.policy.RequiredHandlerAuthenticationPolicyFactory] - <Required authentication handlers for this service [Test] are [[rysy]]>
2021-12-09 14:13:06,703 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: kowalski
WHAT: https://example.org/pz
ACTION: SERVICE_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Thu Dec 09 14:13:06 GMT 2021
CLIENT IP ADDRESS: ******
SERVER IP ADDRESS: ******
=============================================================
>
2021-12-09 14:13:06,704 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: kowalski
WHAT: org.apereo.cas.ticket.UnsatisfiedAuthenticationPolicyException
ACTION: REST_API_SERVICE_TICKET_FAILED
APPLICATION: CAS
WHEN: Thu Dec 09 14:13:06 GMT 2021
CLIENT IP ADDRESS: *****
SERVER IP ADDRESS: *****
=============================================================
>
2021-12-09 14:13:06,705 ERROR [org.apereo.cas.support.rest.resources.ServiceTicketResource] - <UnsatisfiedAuthenticationPolicyException>
org.apereo.cas.ticket.UnsatisfiedAuthenticationPolicyException: null
    at org.apereo.cas.AbstractCentralAuthenticationService.getAuthenticationSatisfiedByPolicy(AbstractCentralAuthenticationService.java:184) ~[cas-server-core-6.3.2.jar!/:6.3.2]
    at org.apereo.cas.DefaultCentralAuthenticationService.grantServiceTicket(DefaultCentralAuthenticationService.java:109) ~[cas-server-core-6.3.2.jar!/:6.3.2]
    at org.apereo.cas.DefaultCentralAuthenticationService$$FastClassBySpringCGLIB$$b02e48f2.invoke(<generated>) ~[cas-server-core-6.3.2.jar!/:6.3.2]
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:771) ~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
etc.

Regards.
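
An added example, not part of the original post and not CAS project code: a small Python script that reads CAS DEBUG output in the format quoted above and reports the default handler order, the handlers actually attempted, and any handler a service requires that never appears in an attempt line. The sample log is constructed from lines in the post, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the DEBUG lines quoted in the post.
SAMPLE_LOG = """\
2021-12-09 12:29:10,232 DEBUG [org.apereo.cas.authentication.AuthenticationHandlerResolver] - <Default authentication handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler,everest_365,rysy]>
2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting authentication of [kowalski] using [everest_365]>
2021-12-09 12:29:15,785 DEBUG [org.apereo.cas.authentication.policy.RequiredHandlerAuthenticationPolicyFactory] - <Required authentication handlers for this service [Test] are [[rysy]]>
"""

# Message patterns taken from the log text in the post.
DEFAULTS = re.compile(
    r"Default authentication handlers used for this transaction are \[([^\]]*)\]")
ATTEMPT = re.compile(
    r"Attempting authentication of \[([^\]]+)\] using \[([^\]]+)\]")
REQUIRED = re.compile(
    r"Required authentication handlers for this service \[([^\]]+)\] are \[\[([^\]]*)\]\]")


def _names(csv):
    """Split a comma-separated handler list into clean names."""
    return [n.strip() for n in csv.split(",") if n.strip()]


def summarize(log_text):
    """Collect handler order, attempts and per-service requirements."""
    out = {"default_order": [], "attempts": [], "required": {}}
    for line in log_text.splitlines():
        if m := DEFAULTS.search(line):
            out["default_order"] = _names(m.group(1))
        elif m := ATTEMPT.search(line):
            out["attempts"].append((m.group(1), m.group(2)))  # (user, handler)
        elif m := REQUIRED.search(line):
            out["required"][m.group(1)] = set(_names(m.group(2)))
    return out


def never_attempted(summary):
    """Return {service: required handlers with no attempt line in the log}."""
    tried = {handler for _user, handler in summary["attempts"]}
    gaps = {svc: sorted(req - tried) for svc, req in summary["required"].items()}
    return {svc: missing for svc, missing in gaps.items() if missing}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("default order:", s["default_order"])
    print("attempts     :", s["attempts"])
    print("not attempted:", never_attempted(s))
```

The script only reports what the log lines show (attempts, not successes), so it is a triage aid for comparing restarts rather than a statement of how CAS evaluates the policy.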