Ray,
Dear Buddy, I would like to say thank you very much anyway.

For this topic I prepared only two handlers, to have as easy a case as 
possible to analyze.


cas.authn.ldap[0].name=rysy
cas.authn.ldap[1].name=everest_365



Normally in prod I have 3 handlers, and really I almost gave up on 
dedicated handlers for a service - I will do auth with handlers not 
dedicated to a service, and later the programmers/admins of the www services 
must take care of other policy after auth or during auth. I think there (in 
CAS) is something wrong or I missed something in the working flow. On the 
other side, I'm not very familiar with CAS to write a script in Groovy to 
manage it, and the quantity of examples and use cases on websites is not 
enough.



On Thursday, 9 December 2021 at 18:44:21 UTC+1 Ray Bon wrote:

> Artur,
>
> By default cas will try each of the authentication handlers until one 
> succeeds, starting with the first one (0, 1, 2, ...).
> I would expect that if you identify one by name, it should use that one.
>
> Is the '3' a typo in your properties or do you have 4 authenticators?
>
> cas.authn.ldap[1].name=rysy
> ...
> cas.authn.ldap[3].name=ppm
>
> Sorry I could not be more help.
>
> Ray
>
> On Thu, 2021-12-09 at 06:56 -0800, artur miś wrote:
>
>
> I think I'm rewriting my last post, I really apologize for that folks, 
> maybe with a better question. Please folks, don't kill me.
>
>
> env: Cas-overlay 6.3.x
> At the beginning I would like to ask you how CAS starts examining handlers: 
> is it random or deterministic, from which handler CAS starts when the user 
> posts credentials to CAS?
>
> I don't know if I understood well. I understood that it is deterministic, 
> but I cannot see this (I have sometimes everest, sometimes rysy after 
> restarting CAS); maybe the order number in the handlers, if we put it in 
> cas.properties, does this. But for a service, how to start examining 
> credentials from the handler we want? The order in cas.properties doesn't 
> look good, because for one service you want to have one order, for the 
> second service another order, so it is probably stupid.
>
> I am asking about it because if a web user or a curl API client tests the 
> service, CAS can start examining from one of the 2 handlers I have, 
> sometimes from the first handler, sometimes from the second handler (after 
> restarting CAS). I have had a policy like tryALL = false/true. If it started 
> from everest_365 like below and the user has rights in this handler 
> (everest_365)
>
>
> I believed that tryALL doesn't work if one handler didn't give success of 
> auth for the user because of policy. It seems it works in a different way.
>
> [ configuration
>
> cas.authn.policy.source-selection-enabled=false
> cas.authn.policy.required-handler-authentication-policy-enabled=true
> cas.authn.policy.req.try-all=false
>
> "authenticationPolicy": {
>         "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "rysy" ]],
>         "criteria": {
>             "tryAll": false,
>             "@class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"
>         },
>         "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
>     },
> ]
> , in this case CAS didn't try to examine other handlers like rysy, 
> because authentication succeeded, probably. Could anybody confirm? 
> And how to avoid getting the dedicated handler working while the user has 
> rights in both handlers? The second handler I would like to use for another 
> service.
>
>
>
>
> I think that tryALL=true/false doesn't matter. It is look like now work 
>
> For test purposes I have only 2 AD handlers: rysy, everest_365, and 
> user=kowalski.
> Kowalski has rights in rysy and everest_365, but I would like to auth 
> kowalski only via rysy to the service even if kowalski has rights in 
> everest_365.
>
>
> So how to force CAS to start examining handlers from rysy? I don't know 
> even if it is possible nowadays.
>
>   ____  _____    _    ______   __
>  |  _ \| ____|  / \  |  _ \ \ / /
>  | |_) |  _|   / _ \ | | | \ V /
>  |  _ <| |___ / ___ \| |_| || |
>  |_| \_\_____/_/   \_\____/ |_|
>
> >
> 2021-12-09 12:29:06,575 INFO [org.apereo.cas.web.CasWebApplication] - <>
> 2021-12-09 12:29:06,575 INFO [org.apereo.cas.web.CasWebApplication] - 
> <Ready to process requests @ [2021-12-09T12:29:06.575Z]>
> 2021-12-09 12:29:06,986 INFO 
> [org.apereo.cas.services.AbstractServicesManager] - <Loaded [2] service(s) 
> from [JsonServiceRegistry].>
> 2021-12-09 12:29:09,999 INFO 
> [org.springframework.web.servlet.DispatcherServlet] - <Initializing Servlet 
> 'dispatcherServlet'>
> 2021-12-09 12:29:10,026 INFO 
> [org.springframework.web.servlet.DispatcherServlet] - <Completed 
> initialization in 27 ms>
> 2021-12-09 12:29:10,226 DEBUG 
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
> <Authentication credentials provided for this transaction are 
> [[UsernamePasswordCredential(username=kowalski, source=null, 
> customFields={})]]>
> 2021-12-09 12:29:10,229 DEBUG 
> [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - 
> <Candidate/Registered authentication handlers for this transaction are 
> [[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@389a1e34,
>  
> org.apereo.cas.authentication.LdapAuthenticationHandler@720c8f80, 
> org.apereo.cas.authentication.LdapAuthenticationHandler@8b89b3a]]>
> 2021-12-09 12:29:10,229 DEBUG 
> [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - 
> <Authentication handler resolvers for this transaction are 
> [[org.apereo.cas.authentication.handler.RegisteredServiceAuthenticationHandlerResolver@6a97517]]>
> 2021-12-09 12:29:10,231 DEBUG 
> [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - 
> <Authentication handler resolvers produced no candidate authentication 
> handler. Using the default handler resolver instead...>
> 2021-12-09 12:29:10,232 DEBUG 
> [org.apereo.cas.authentication.AuthenticationHandlerResolver] - <Default 
> authentication handlers used for this transaction are 
> [HttpBasedServiceCredentialsAuthenticationHandler,everest_365,rysy]>
> <---
> Here I don't understand why the default handlers are both everest and rysy?
> I have only rysy for the service in "requiredAuthenticationHandlers" : 
> ["java.util.TreeSet", [ "rysy" ]]
>
> 2021-12-09 12:29:10,233 DEBUG 
> [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - 
> <Resolved and finalized authentication handlers to carry out this 
> authentication transaction are 
> [[org.apereo.cas.authentication.handler.RegisteredServiceAuthenticationHandlerResolver@6a97517]]>
> 2021-12-09 12:29:10,233 DEBUG 
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
> <Candidate resolved authentication handlers for this transaction are 
> [[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@389a1e34,
>  
> org.apereo.cas.authentication.LdapAuthenticationHandler@720c8f80, 
> org.apereo.cas.authentication.LdapAuthenticationHandler@8b89b3a]]>
> 2021-12-09 12:29:10,233 DEBUG 
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
> <Attempting to authenticate credential 
> [UsernamePasswordCredential(username=kowalski, source=null, 
> customFields={})]>
> 2021-12-09 12:29:10,233 DEBUG 
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
> <Authentication handler [HttpBasedServiceCredentialsAuthenticationHandler] 
> does not support the credential type 
> [UsernamePasswordCredential(username=kowalski, source=null, 
> customFields={})]. Trying next...>
> 2021-12-09 12:29:10,233 DEBUG 
> [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
>  
> - <Examining credential [UsernamePasswordCredential(username=kowalski, 
> source=null, customFields={})] eligibility for authentication handler 
> [everest_365]>
> 2021-12-09 12:29:10,233 DEBUG 
> [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
>  
> - <Credential [UsernamePasswordCredential(username=kowalski, source=null, 
> customFields={})] eligibility is [everest_365] for authentication handler 
> [true]>
> 2021-12-09 12:29:10,233 DEBUG 
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
> <Attempting authentication of [kowalski] using [everest_365]>
> 2021-12-09 12:29:15,421 DEBUG 
> [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
>  
> - <Transforming credential username via 
> [org.apereo.cas.util.transforms.ChainingPrincipalNameTransformer]>
> 2021-12-09 12:29:15,422 DEBUG 
> [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
>  
> - <Attempting to encode credential password via 
> [org.springframework.security.crypto.password.NoOpPasswordEncoder] for 
> [kowalski]>
> 2021-12-09 12:29:15,422 DEBUG 
> [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
>  
> - <Attempting authentication internally for transformed credential 
> [UsernamePasswordCredential(username=kowalski, source=null, 
> customFields={})]>
> 2021-12-09 12:29:15,422 DEBUG 
> [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting 
> LDAP authentication for [UsernamePasswordCredential(username=kowalski, 
> source=null, customFields={})]. Authenticator pre-configured attributes are 
> [null], additional requested attributes for this authentication request are 
> [[sAMAccountName, displayName, givenName, otherMailbox, cn, sn]]>
>
>
> 2021-12-09 12:29:15,785 DEBUG 
> [org.apereo.cas.authentication.policy.RequiredHandlerAuthenticationPolicyFactory]
>  
> - <Required authentication handlers for this service [Test] are [[rysy]]>
>
>
>
> 2021-12-09 14:13:06,703 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
> trail record BEGIN
> =============================================================
> WHO: kowalski
> WHAT: https://example.org/pz
> ACTION: SERVICE_TICKET_NOT_CREATED
> APPLICATION: CAS
> WHEN: Thu Dec 09 14:13:06 GMT 2021
> CLIENT IP ADDRESS: ******
> SERVER IP ADDRESS: ******
> =============================================================
>
> >
> 2021-12-09 14:13:06,704 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
> trail record BEGIN
> =============================================================
> WHO: kowalski
> WHAT: org.apereo.cas.ticket.UnsatisfiedAuthenticationPolicyException
> ACTION: REST_API_SERVICE_TICKET_FAILED
> APPLICATION: CAS
> WHEN: Thu Dec 09 14:13:06 GMT 2021
> CLIENT IP ADDRESS: *****
> SERVER IP ADDRESS: *****
> =============================================================
>
> >
> 2021-12-09 14:13:06,705 ERROR 
> [org.apereo.cas.support.rest.resources.ServiceTicketResource] - 
> <UnsatisfiedAuthenticationPolicyException>
> org.apereo.cas.ticket.UnsatisfiedAuthenticationPolicyException: null
>         at 
> org.apereo.cas.AbstractCentralAuthenticationService.getAuthenticationSatisfiedByPolicy(AbstractCentralAuthenticationService.java:184)
>  
> ~[cas-server-core-6.3.2.jar!/:6.3.2]
>         at 
> org.apereo.cas.DefaultCentralAuthenticationService.grantServiceTicket(DefaultCentralAuthenticationService.java:109)
>  
> ~[cas-server-core-6.3.2.jar!/:6.3.2]
>         at 
> org.apereo.cas.DefaultCentralAuthenticationService$$FastClassBySpringCGLIB$$b02e48f2.invoke(<generated>)
>  
> ~[cas-server-core-6.3.2.jar!/:6.3.2]
>         at 
> org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) 
> ~[spring-core-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
>         at 
> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:771)
>  
> ~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
>         at 
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
>  
> ~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
> etc
> Regards.
>
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 <(250)%20721-8831> | CLE 019 | rb...@uvic.ca
>
> I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional 
> territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ 
> peoples whose historical relationships with the land continue to this day.
>

--  
AM
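
A log check for the symptom discussed in this thread, added here as an example (not code from the CAS project or from either poster): it reads CAS DEBUG output, records the default handler order and which handler each attempt used, and flags a service whose required handlers were never among the handlers tried. The sample lines are constructed from the message formats quoted above; the function and field names are assumptions of this example.

```python
import re

# Constructed sample, modelled on the DEBUG lines quoted in the thread (unwrapped).
SAMPLE_LOG = """\
2021-12-09 12:29:10,232 DEBUG [org.apereo.cas.authentication.AuthenticationHandlerResolver] - <Default authentication handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler,everest_365,rysy]>
2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting authentication of [kowalski] using [everest_365]>
2021-12-09 12:29:15,785 DEBUG [org.apereo.cas.authentication.policy.RequiredHandlerAuthenticationPolicyFactory] - <Required authentication handlers for this service [Test] are [[rysy]]>
"""

DEFAULTS = re.compile(r"Default authentication handlers used for this transaction are \[([^\]]*)\]")
ATTEMPT = re.compile(r"Attempting authentication of \[([^\]]+)\] using \[([^\]]+)\]")
REQUIRED = re.compile(r"Required authentication handlers for this service \[([^\]]+)\] are \[\[([^\]]*)\]\]")

def split_names(raw):
    return [n.strip() for n in raw.split(",") if n.strip()]

def analyze(log_text):
    """Return handler order, attempts, and services whose required handlers were never tried."""
    text = " ".join(log_text.split())  # tolerate messages wrapped across lines
    events = []
    for kind, rx in (("defaults", DEFAULTS), ("attempt", ATTEMPT), ("required", REQUIRED)):
        events += [(m.start(), kind, m.groups()) for m in rx.finditer(text)]
    events.sort()  # replay the messages in the order they were logged
    report = {"default_order": [], "attempts": [], "findings": []}
    tried = []
    for _, kind, groups in events:
        if kind == "defaults":
            report["default_order"] = split_names(groups[0])
            tried = []  # a new authentication transaction starts here
        elif kind == "attempt":
            tried.append(groups[1])
            report["attempts"].append(groups)  # (username, handler name)
        else:
            service, required = groups[0], split_names(groups[1])
            if not set(required) & set(tried):
                report["findings"].append(
                    {"service": service, "required": required, "tried": list(tried)})
    return report

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG)["findings"]:
        print(f"service {f['service']}: required {f['required']} but tried {f['tried']}")
```

A finding for a service lines up with the `UnsatisfiedAuthenticationPolicyException` in the trace above: the handler that was attempted is not in the service's required set.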
