I think I'm rewriting my last post; I really apologize for that, folks,
maybe with a better question. Please, folks, don't kill me.


env: Cas-overlay 6.3.x
At the beginning I would like to ask you how CAS starts examining handlers:
is it random or deterministic, which handler CAS starts from when
the user posts credentials to CAS?

I don't know if I understood well. I understood that it is deterministic,
but I cannot see this (I sometimes have everest, sometimes rysy, after
restarting CAS), maybe the order number in handlers, if we put it in
cas.properties, does this. But for a service, how do we start examining
credentials from the handler we want? The order in cas.properties
doesn't look good, because for one service you want one order and
for the second service another order, so it is probably stupid.

I am asking about it because if a web user or a curl API client tests a
service,
CAS can start examining from one of the 2 handlers I have, sometimes
from the first handler, sometimes from the second handler (after restarting CAS). I
have had a policy like tryALL = false/true. If it started from
everest_365 like below and the user has rights in this handler (everest_365)


I believed that tryALL doesn't work if one handler didn't give success
of auth for the user because of policy. It seems it works in a different way.

[ configuration

cas.authn.policy.source-selection-enabled=false
cas.authn.policy.required-handler-authentication-policy-enabled=true
cas.authn.policy.req.try-all=false

"authenticationPolicy": {
        "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "rysy" ]],
        "criteria": {
            "tryAll": false,
            "@class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"
        },
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
    },
]
, in this case CAS didn't try to examine other handlers like rysy,
probably because authentication succeeded. Could anybody confirm?
And how to avoid getting the dedicated handler working while the user has rights in
both handlers? The second handler I would like to use for another service.




I think that tryALL=true/false doesn't matter. It is look like now work

For test purposes I have only 2 AD handlers: rysy, everest_365, and
user=kowalski.
Kowalski has rights in rysy and everest_365, but I would like to auth
kowalski only via rysy to the service, even if kowalski has rights in everest_365.


So how to force CAS to start examining handlers from rysy? I don't
even know if it is possible nowadays.

  ____  _____    _    ______   __
 |  _ \| ____|  / \  |  _ \ \ / /
 | |_) |  _|   / _ \ | | | \ V /
 |  _ <| |___ / ___ \| |_| || |
 |_| \_\_____/_/   \_\____/ |_|

>
2021-12-09 12:29:06,575 INFO [org.apereo.cas.web.CasWebApplication] - <>
2021-12-09 12:29:06,575 INFO [org.apereo.cas.web.CasWebApplication] - 
<Ready to process requests @ [2021-12-09T12:29:06.575Z]>
2021-12-09 12:29:06,986 INFO 
[org.apereo.cas.services.AbstractServicesManager] - <Loaded [2] service(s) 
from [JsonServiceRegistry].>
2021-12-09 12:29:09,999 INFO 
[org.springframework.web.servlet.DispatcherServlet] - <Initializing Servlet 
'dispatcherServlet'>
2021-12-09 12:29:10,026 INFO 
[org.springframework.web.servlet.DispatcherServlet] - <Completed 
initialization in 27 ms>
2021-12-09 12:29:10,226 DEBUG 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<Authentication credentials provided for this transaction are 
[[UsernamePasswordCredential(username=kowalski, source=null, 
customFields={})]]>
2021-12-09 12:29:10,229 DEBUG 
[org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - 
<Candidate/Registered authentication handlers for this transaction are 
[[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@389a1e34,
 
org.apereo.cas.authentication.LdapAuthenticationHandler@720c8f80, 
org.apereo.cas.authentication.LdapAuthenticationHandler@8b89b3a]]>
2021-12-09 12:29:10,229 DEBUG 
[org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - 
<Authentication handler resolvers for this transaction are 
[[org.apereo.cas.authentication.handler.RegisteredServiceAuthenticationHandlerResolver@6a97517]]>
2021-12-09 12:29:10,231 DEBUG 
[org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - 
<Authentication handler resolvers produced no candidate authentication 
handler. Using the default handler resolver instead...>
2021-12-09 12:29:10,232 DEBUG 
[org.apereo.cas.authentication.AuthenticationHandlerResolver] - <Default 
authentication handlers used for this transaction are 
[HttpBasedServiceCredentialsAuthenticationHandler,everest_365,rysy]>
<---
Here I don't understand why the default handlers are both everest and rysy?
I have only rysy for the service in "requiredAuthenticationHandlers" :
["java.util.TreeSet", [ "rysy" ]]

2021-12-09 12:29:10,233 DEBUG 
[org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - 
<Resolved and finalized authentication handlers to carry out this 
authentication transaction are 
[[org.apereo.cas.authentication.handler.RegisteredServiceAuthenticationHandlerResolver@6a97517]]>
2021-12-09 12:29:10,233 DEBUG 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<Candidate resolved authentication handlers for this transaction are 
[[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@389a1e34,
 
org.apereo.cas.authentication.LdapAuthenticationHandler@720c8f80, 
org.apereo.cas.authentication.LdapAuthenticationHandler@8b89b3a]]>
2021-12-09 12:29:10,233 DEBUG 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<Attempting to authenticate credential 
[UsernamePasswordCredential(username=kowalski, source=null, 
customFields={})]>
2021-12-09 12:29:10,233 DEBUG 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<Authentication handler [HttpBasedServiceCredentialsAuthenticationHandler] 
does not support the credential type 
[UsernamePasswordCredential(username=kowalski, source=null, 
customFields={})]. Trying next...>
2021-12-09 12:29:10,233 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
- <Examining credential [UsernamePasswordCredential(username=kowalski, 
source=null, customFields={})] eligibility for authentication handler 
[everest_365]>
2021-12-09 12:29:10,233 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
- <Credential [UsernamePasswordCredential(username=kowalski, source=null, 
customFields={})] eligibility is [everest_365] for authentication handler 
[true]>
2021-12-09 12:29:10,233 DEBUG 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<Attempting authentication of [kowalski] using [everest_365]>
2021-12-09 12:29:15,421 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
- <Transforming credential username via 
[org.apereo.cas.util.transforms.ChainingPrincipalNameTransformer]>
2021-12-09 12:29:15,422 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
- <Attempting to encode credential password via 
[org.springframework.security.crypto.password.NoOpPasswordEncoder] for 
[kowalski]>
2021-12-09 12:29:15,422 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
- <Attempting authentication internally for transformed credential 
[UsernamePasswordCredential(username=kowalski, source=null, 
customFields={})]>
2021-12-09 12:29:15,422 DEBUG 
[org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting 
LDAP authentication for [UsernamePasswordCredential(username=kowalski, 
source=null, customFields={})]. Authenticator pre-configured attributes are 
[null], additional requested attributes for this authentication request are 
[[sAMAccountName, displayName, givenName, otherMailbox, cn, sn]]>


2021-12-09 12:29:15,785 DEBUG 
[org.apereo.cas.authentication.policy.RequiredHandlerAuthenticationPolicyFactory]
 
- <Required authentication handlers for this service [Test] are [[rysy]]>



2021-12-09 14:13:06,703 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN
=============================================================
WHO: kowalski
WHAT: https://example.org/pz
ACTION: SERVICE_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Thu Dec 09 14:13:06 GMT 2021
CLIENT IP ADDRESS: ******
SERVER IP ADDRESS: ******
=============================================================

>
2021-12-09 14:13:06,704 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN
=============================================================
WHO: kowalski
WHAT: org.apereo.cas.ticket.UnsatisfiedAuthenticationPolicyException
ACTION: REST_API_SERVICE_TICKET_FAILED
APPLICATION: CAS
WHEN: Thu Dec 09 14:13:06 GMT 2021
CLIENT IP ADDRESS: *****
SERVER IP ADDRESS: *****
=============================================================

>
2021-12-09 14:13:06,705 ERROR 
[org.apereo.cas.support.rest.resources.ServiceTicketResource] - 
<UnsatisfiedAuthenticationPolicyException>
org.apereo.cas.ticket.UnsatisfiedAuthenticationPolicyException: null
        at 
org.apereo.cas.AbstractCentralAuthenticationService.getAuthenticationSatisfiedByPolicy(AbstractCentralAuthenticationService.java:184)
 
~[cas-server-core-6.3.2.jar!/:6.3.2]
        at 
org.apereo.cas.DefaultCentralAuthenticationService.grantServiceTicket(DefaultCentralAuthenticationService.java:109)
 
~[cas-server-core-6.3.2.jar!/:6.3.2]
        at 
org.apereo.cas.DefaultCentralAuthenticationService$$FastClassBySpringCGLIB$$b02e48f2.invoke(<generated>)
 
~[cas-server-core-6.3.2.jar!/:6.3.2]
        at 
org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) 
~[spring-core-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
        at 
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:771)
 
~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
        at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
 
~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
etc
Regards.

