Ray,

Dear buddy, I would like to say thank you very much anyway. For this topic I prepared only two handlers, to have as easy a case as possible to analyze.

cas.authn.ldap[0].name=rysy
cas.authn.ldap[1].name=everest_365

Normally in prod I have 3 handlers, and really I have almost given up on dedicated handlers per service. I will do auth without a service-dedicated handler, and later the programmers/admins of the web services must take care of other policy after auth or during auth. I think something is wrong there (in CAS), or I missed something in the working flow. On the other hand, I am not familiar enough with CAS to write a Groovy script to manage it, and the number of examples and use cases on websites is not enough.

On Thursday, 9 December 2021 at 18:44:21 UTC+1, Ray Bon wrote:

> Artur,
>
> By default cas will try each of the authentication handlers until one
> succeeds, starting with the first one (0, 1, 2, ...).
> I would expect that if you identify one by name, it should use that one.
>
> Is the '3' a typo in your properties or do you have 4 authenticators?
>
> cas.authn.ldap[1].name=rysy
> ...
> cas.authn.ldap[3].name=ppm
>
> Sorry I could not be more help.
>
> Ray
>
> On Thu, 2021-12-09 at 06:56 -0800, artur miś wrote:
>
> Notice: This message was sent from outside the University of Victoria
> email system. Please be cautious with links and sensitive information.
>
>
> I think I'm rewriting my last post, I really apologize for that, folks,
> maybe with a better question. Please folks, don't kill me.
>
>
> env: Cas-overlay 6.3.x
> At the beginning I would like to ask you how CAS starts examining handlers:
> is it random or deterministic, from which handler CAS starts when
> the user posts credentials to CAS?
>
> I don't know if I understood well. I understood that it is deterministic,
> but I cannot see this (I have sometimes everest, sometimes rysy
> after restarting CAS); maybe an order number in the handlers, if we put it in
> cas.properties, does this. But for a service, how to start examining
> credentials from the handler we want?
> The order in cas.properties
> doesn't look good, because for one service you want to have one order and
> for the second service another order, so it is probably stupid.
>
> I am asking about it because if a web user / or curl API client tests
> the service,
> CAS can start examining from one of the 2 handlers I have, sometimes
> from the first handler, sometimes from the second handler (after restarting CAS). I
> have had a policy like tryAll = false/true. If it started from
> everest_365 like below and the user has rights in this handler (everest_365)
>
>
> I believed that tryAll doesn't work if one handler didn't give success
> of auth for the user because of policy. It seems it works in a different way.
>
> [ configuration
>
> cas.authn.policy.source-selection-enabled=false
> cas.authn.policy.required-handler-authentication-policy-enabled=true
> cas.authn.policy.req.try-all=false
>
> "authenticationPolicy": {
>   "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "rysy" ]],
>   "criteria": {
>     "tryAll": false,
>     "@class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"
>   },
>   "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
> },
> ]
> In this case CAS didn't try to examine other handlers like rysy,
> because authentication probably succeeded. Could anybody confirm?
> And how to avoid to get the dedicated handler working while the user has rights in
> both handlers. The second handler I would like to use for another service.
>
>
> I think that tryAll=true/false doesn't matter. It is look like now work
>
> For test purposes I have only 2 AD handlers: rysy, everest_365, and
> user=kowalski.
> Kowalski has rights in rysy and everest_365, but I would like to auth
> kowalski only via rysy to the service, even if kowalski has rights in everest_365
>
>
> So how to force CAS to start handler examination from rysy? I don't know
> even if it is possible nowadays.
>
>   ____  _____    _    ______   __
>  |  _ \| ____|  / \  |  _ \ \ / /
>  | |_) |  _|   / _ \ | | | \ V /
>  |  _ <| |___ / ___ \| |_| || |
>  |_| \_\_____/_/   \_\____/ |_|
>
>
> 2021-12-09 12:29:06,575 INFO [org.apereo.cas.web.CasWebApplication] - <>
> 2021-12-09 12:29:06,575 INFO [org.apereo.cas.web.CasWebApplication] - <Ready to process requests @ [2021-12-09T12:29:06.575Z]>
> 2021-12-09 12:29:06,986 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [2] service(s) from [JsonServiceRegistry].>
> 2021-12-09 12:29:09,999 INFO [org.springframework.web.servlet.DispatcherServlet] - <Initializing Servlet 'dispatcherServlet'>
> 2021-12-09 12:29:10,026 INFO [org.springframework.web.servlet.DispatcherServlet] - <Completed initialization in 27 ms>
> 2021-12-09 12:29:10,226 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication credentials provided for this transaction are [[UsernamePasswordCredential(username=kowalski, source=null, customFields={})]]>
> 2021-12-09 12:29:10,229 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Candidate/Registered authentication handlers for this transaction are [[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@389a1e34, org.apereo.cas.authentication.LdapAuthenticationHandler@720c8f80, org.apereo.cas.authentication.LdapAuthenticationHandler@8b89b3a]]>
> 2021-12-09 12:29:10,229 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Authentication handler resolvers for this transaction are [[org.apereo.cas.authentication.handler.RegisteredServiceAuthenticationHandlerResolver@6a97517]]>
> 2021-12-09 12:29:10,231 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Authentication handler resolvers produced no candidate authentication handler.
> Using the default handler resolver instead...>
> 2021-12-09 12:29:10,232 DEBUG [org.apereo.cas.authentication.AuthenticationHandlerResolver] - <Default authentication handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler,everest_365,rysy]>
> <---
> Here I don't understand why the default handlers are both everest and rysy?
> I have only rysy for the service in "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "rysy" ]]
>
> 2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Resolved and finalized authentication handlers to carry out this authentication transaction are [[org.apereo.cas.authentication.handler.RegisteredServiceAuthenticationHandlerResolver@6a97517]]>
> 2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Candidate resolved authentication handlers for this transaction are [[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@389a1e34, org.apereo.cas.authentication.LdapAuthenticationHandler@720c8f80, org.apereo.cas.authentication.LdapAuthenticationHandler@8b89b3a]]>
> 2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting to authenticate credential [UsernamePasswordCredential(username=kowalski, source=null, customFields={})]>
> 2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication handler [HttpBasedServiceCredentialsAuthenticationHandler] does not support the credential type [UsernamePasswordCredential(username=kowalski, source=null, customFields={})].
> Trying next...>
> 2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Examining credential [UsernamePasswordCredential(username=kowalski, source=null, customFields={})] eligibility for authentication handler [everest_365]>
> 2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Credential [UsernamePasswordCredential(username=kowalski, source=null, customFields={})] eligibility is [everest_365] for authentication handler [true]>
> 2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting authentication of [kowalski] using [everest_365]>
> 2021-12-09 12:29:15,421 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Transforming credential username via [org.apereo.cas.util.transforms.ChainingPrincipalNameTransformer]>
> 2021-12-09 12:29:15,422 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Attempting to encode credential password via [org.springframework.security.crypto.password.NoOpPasswordEncoder] for [kowalski]>
> 2021-12-09 12:29:15,422 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Attempting authentication internally for transformed credential [UsernamePasswordCredential(username=kowalski, source=null, customFields={})]>
> 2021-12-09 12:29:15,422 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for [UsernamePasswordCredential(username=kowalski, source=null, customFields={})].
> Authenticator pre-configured attributes are [null], additional requested attributes for this authentication request are [[sAMAccountName, displayName, givenName, otherMailbox, cn, sn]]>
>
>
> 2021-12-09 12:29:15,785 DEBUG [org.apereo.cas.authentication.policy.RequiredHandlerAuthenticationPolicyFactory] - <Required authentication handlers for this service [Test] are [[rysy]]>
>
>
> 2021-12-09 14:13:06,703 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: kowalski
> WHAT: https://example.org/pz
> ACTION: SERVICE_TICKET_NOT_CREATED
> APPLICATION: CAS
> WHEN: Thu Dec 09 14:13:06 GMT 2021
> CLIENT IP ADDRESS: ******
> SERVER IP ADDRESS: ******
> =============================================================
>
>
> 2021-12-09 14:13:06,704 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: kowalski
> WHAT: org.apereo.cas.ticket.UnsatisfiedAuthenticationPolicyException
> ACTION: REST_API_SERVICE_TICKET_FAILED
> APPLICATION: CAS
> WHEN: Thu Dec 09 14:13:06 GMT 2021
> CLIENT IP ADDRESS: *****
> SERVER IP ADDRESS: *****
> =============================================================
>
>
> 2021-12-09 14:13:06,705 ERROR [org.apereo.cas.support.rest.resources.ServiceTicketResource] - <UnsatisfiedAuthenticationPolicyException>
> org.apereo.cas.ticket.UnsatisfiedAuthenticationPolicyException: null
>     at org.apereo.cas.AbstractCentralAuthenticationService.getAuthenticationSatisfiedByPolicy(AbstractCentralAuthenticationService.java:184) ~[cas-server-core-6.3.2.jar!/:6.3.2]
>     at org.apereo.cas.DefaultCentralAuthenticationService.grantServiceTicket(DefaultCentralAuthenticationService.java:109) ~[cas-server-core-6.3.2.jar!/:6.3.2]
>     at org.apereo.cas.DefaultCentralAuthenticationService$$FastClassBySpringCGLIB$$b02e48f2.invoke(<generated>) ~[cas-server-core-6.3.2.jar!/:6.3.2]
>     at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
>     at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:771) ~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
> etc
> Regards.
>
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca
>
> I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional
> territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ
> peoples whose historical relationships with the land continue to this day.

--
AM
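
Added example, not part of the original thread and not CAS project code: a small Python script that reads the DEBUG lines quoted above and sets the handlers actually attempted against the handlers the service requires, which is the comparison behind the `UnsatisfiedAuthenticationPolicyException` in the audit trail. The function names are hypothetical, and the sample input is four log lines copied from the thread with the wrapped lines rejoined.

```python
import re

# Sample input: four DEBUG/ERROR lines taken from the thread above, rejoined.
SAMPLE_LOG = """\
2021-12-09 12:29:10,232 DEBUG [org.apereo.cas.authentication.AuthenticationHandlerResolver] - <Default authentication handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler,everest_365,rysy]>
2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting authentication of [kowalski] using [everest_365]>
2021-12-09 12:29:15,785 DEBUG [org.apereo.cas.authentication.policy.RequiredHandlerAuthenticationPolicyFactory] - <Required authentication handlers for this service [Test] are [[rysy]]>
2021-12-09 14:13:06,705 ERROR [org.apereo.cas.support.rest.resources.ServiceTicketResource] - <UnsatisfiedAuthenticationPolicyException>
"""

CANDIDATES = re.compile(r"Default authentication handlers used for this transaction are \[([^\]]*)\]")
ATTEMPT = re.compile(r"Attempting authentication of \[([^\]]+)\] using \[([^\]]+)\]")
REQUIRED = re.compile(r"Required authentication handlers for this service \[([^\]]+)\] are \[\[([^\]]*)\]\]")
POLICY_FAIL = "UnsatisfiedAuthenticationPolicyException"


def summarize(log_text):
    """Collect candidate order, attempted handlers, required handlers and policy failures."""
    out = {"candidates": [], "attempted": [], "required": {}, "policy_failed": False}
    for line in log_text.splitlines():
        if m := CANDIDATES.search(line):
            out["candidates"] = [h.strip() for h in m.group(1).split(",") if h.strip()]
        elif m := ATTEMPT.search(line):
            out["attempted"].append((m.group(1), m.group(2)))  # (user, handler)
        elif m := REQUIRED.search(line):
            out["required"][m.group(1)] = {h.strip() for h in m.group(2).split(",") if h.strip()}
        elif POLICY_FAIL in line:
            out["policy_failed"] = True
    return out


def findings(summary):
    """Report, per service, required handlers that never appear among the attempts."""
    used = {handler for _user, handler in summary["attempted"]}
    notes = []
    for service, required in sorted(summary["required"].items()):
        missing = sorted(required - used)
        if missing:
            notes.append(f"service [{service}] requires {missing} but only {sorted(used)} were attempted")
    if summary["policy_failed"] and notes:
        notes.append("policy failure follows a required-handler mismatch")
    return notes


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("candidate order:", s["candidates"])
    print(*findings(s), sep="\n")
```

Run against a full `cas.log` capture, the candidate order line shows which handler CAS tried first in that transaction, so the output can be compared across restarts.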