Re: [cas-user] Customizing AUP Webflow Logic

2023-09-12 Thread Trevor Fong
Thanks so much, Ray!

> Test classes are not part of packaged jars. 

That was indeed the problem!  Ripping out the 
cas-overlay-template-6.6.11/src/main/test directory allowed the overlay to 
properly build!

Thanks again,
Trev

On Monday, September 11, 2023 at 10:02:21 AM UTC-7 Ray Bon wrote:

> Trevor,
>
> Test classes are not part of packaged jars. If you want test classes, you 
> have to copy them into your src directory.
> Beware, you may have to copy in dependencies of the test classes too; and 
> remember to update them when you upgrade.
> Is it possible to rework your logic to extend the existing flow, instead 
> of changing it?
>
> Ray
>
>
> On Fri, 2023-09-08 at 17:14 -0700, Trevor Fong wrote:
>
>
>
> Hi All, 
> I'm trying to customize the AUP template view and some of the logic behind 
> its SUBMIT button. The problem is that I'm running into some compiler 
> errors when I try to do a "./gradlew clean build": 
>
> $ ./gradlew clean build
> Configuration on demand is an incubating feature.
>
> > Task :compileTestJava FAILED
> /Users/tjfong/git/aws-setup/cas6/cas-6.6.11-dev/cas-overlay-template-6.6.11/src/test/java/org/apereo/cas/aup/LdapAcceptableUsagePolicyRepositoryTests.java:3:
>  
> error: package org.apereo.cas.adaptors.ldap does not exist
> import org.apereo.cas.adaptors.ldap.LdapIntegrationTestsOperations;
>^
> /Users/tjfong/git/aws-setup/cas6/cas-6.6.11-dev/cas-overlay-template-6.6.11/src/test/java/org/apereo/cas/aup/LdapAcceptableUsagePolicyRepositoryTests.java:7:
>  
> error: package org.apereo.cas.util.junit does not exist
> import org.apereo.cas.util.junit.EnabledIfListeningOnPort;
> ^
> /Users/tjfong/git/aws-setup/cas6/cas-6.6.11-dev/cas-overlay-template-6.6.11/src/test/java/org/apereo/cas/aup/LdapAcceptableUsagePolicyRepositoryTests.java:9:
>  
> error: package com.unboundid.ldap.sdk does not exist
> import com.unboundid.ldap.sdk.LDAPConnection;
>  ^
> /Users/tjfong/git/aws-setup/cas6/cas-6.6.11-dev/cas-overlay-template-6.6.11/src/test/java/org/apereo/cas/aup/LdapAcceptableUsagePolicyRepositoryTests.java:52:
>  
> error: cannot find symbol
> public class LdapAcceptableUsagePolicyRepositoryTests extends 
> BaseAcceptableUsagePolicyRepositoryTests {
>   ^
>   symbol: class BaseAcceptableUsagePolicyRepositoryTests
> /Users/tjfong/git/aws-setup/cas6/cas-6.6.11-dev/cas-overlay-template-6.6.11/src/test/java/org/apereo/cas/aup/LdapAcceptableUsagePolicyRepositoryTests.java:41:
>  
> error: cannot find symbol
> @EnabledIfListeningOnPort(port = 10389)
>  ^
>   symbol: class EnabledIfListeningOnPort
> 5 errors
>
> FAILURE: Build failed with an exception.
>
>
> Would someone be able to tell me if I'm following the right path (see 
> below) or tell me what I'm doing wrong?  Presumably I need to add extra 
> 'implementation "org.apereo.cas:blah"' references to build.gradle - how do 
> I find out what to add?
>
> Here's what I did to get thus far:
>
> cd /opt/cas/workspace/
> git clone https://github.com/apereo/cas.git
> ## There doesn't seem to be a v6.6.11 tag?
> git checkout v6.6.10
>  
> cd /opt/cas/workspace/cas-6.6.11-dev
> getcas --directory cas-overlay-template-6.6.11 --type cas-overlay 
> --casVersion 6.6.11 --modules 
> support-jpa-ticket-registry,support-jpa-service-registry,support-ldap,support-saml,support-duo,support-audit-jdbc,support-aup-ldap,support-aup-webflow
>  
> ## Copy files that we want to customize from cas to the overlay
> cp -prnv /opt/cas/workspace/cas/support/cas-server-support-aup-ldap/src/* 
> /opt/cas/workspace/cas-6.6.11-dev/cas-overlay-template-6.6.11/src/
>
> ## Customize:
> # 
> cas-overlay-template-6.6.11/src/main/resources/templates/aup/casAcceptableUsagePolicyView.html
> # 
> cas-overlay-template-6.6.11/src/main/java/org/apereo/cas/aup/LdapAcceptableUsagePolicyRepository.java
>  
> ## Add additional implementations to build.gradle to get rid of "class not 
> found" type build errors
> #implementation "org.apereo.cas:cas-server-support-aup-core"
> #implementation "org.apereo.cas:cas-server-support-ldap-core"
> #implementation "org.apereo.cas:cas-server-core-util"
> #implementation "org.apereo.cas:cas-server-core-web-api"
>   
> cd /opt/cas/workspace
> cd cas-6.6.11-dev/cas-overlay-template*
> ./gradlew clean build
>  
> See build errors above.
>
> Thanks a lot,
> Trev
>
>

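As an added example (not from this thread and not part of the CAS project), the helpers below apply Ray's point in a repeatable way: they copy only src/main of a CAS module into the overlay, refuse to build with test sources present, and list the org.apereo.cas packages the copied classes import so the matching implementation lines can be added to build.gradle. The directory layout assumed is a CAS git checkout with <module>/src/main/java and <module>/src/test/java next to an overlay with src/main; the function names and example paths are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or the CAS project. Assumes a CAS git
# checkout laid out as <module>/src/main/java and <module>/src/test/java,
# and an overlay directory with src/main. Function names are hypothetical.

# Copy only src/main of a module checkout into the overlay. src/test is left
# behind on purpose: CAS test classes and their helpers are not shipped in
# the published jars, so the overlay cannot compile them.
copy_main_sources() {
  module_dir=$1   # e.g. /opt/cas/workspace/cas/support/cas-server-support-aup-ldap
  overlay_dir=$2  # e.g. /opt/cas/workspace/cas-6.6.11-dev/cas-overlay-template-6.6.11
  if [ ! -d "$module_dir/src/main" ]; then
    echo "no src/main under $module_dir" >&2
    return 1
  fi
  mkdir -p "$overlay_dir/src/main"
  cp -pr "$module_dir/src/main/." "$overlay_dir/src/main/"
}

# Fail if the overlay carries Java test sources: :compileTestJava would then
# look for classes that exist only in the CAS source tree.
check_no_test_sources() {
  overlay_dir=$1
  if [ -d "$overlay_dir/src/test" ] \
     && find "$overlay_dir/src/test" -name '*.java' | grep -q .; then
    echo "src/test contains Java sources; remove them or vendor their dependencies" >&2
    return 1
  fi
  return 0
}

# List the distinct org.apereo.cas.* packages imported by Java files under a
# directory. Each of them has to be satisfied by an implementation dependency.
imported_cas_packages() {
  find "$1" -name '*.java' -exec grep -h '^import org\.apereo\.cas\.' {} + \
    | sed -e 's/^import //' -e 's/;.*$//' -e 's/\.[A-Za-z0-9_]*$//' \
    | sort -u
}

# Print the module directory names in a CAS checkout whose src/main/java holds
# the given package (e.g. org.apereo.cas.adaptors.ldap). In the CAS tree the
# module directory name is the artifact id used in
# implementation "org.apereo.cas:<module>".
find_module_for_package() {
  cas_checkout=$1
  pkg_path=$(printf '%s' "$2" | tr . /)
  find "$cas_checkout" -type d -path "*/src/main/java/$pkg_path" \
    | sed 's#/src/main/java/.*##' \
    | while read -r module; do basename "$module"; done \
    | sort -u
}
```

Use copy_main_sources in place of the `cp -prnv .../src/*` step, run check_no_test_sources before `./gradlew clean build`, then feed each package printed by imported_cas_packages to find_module_for_package to decide which implementation lines belong in build.gradle.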

Re: [cas-user] [CAS 6.6.8] Custom MFA triggers

2023-09-12 Thread John
Although I couldn't find it in the docs, maybe a typo, it does work as 
intended, the config key 
cas.authn.mfa.gauth.core.multiple-device-registration-enabled = false; 

You might be better off using the
https://apereo.github.io/cas/6.6.x/webflow/Webflow-Customization-Interrupt-Groovy.html
option as it executes farther down the chain. Your use case reminds me of 
something similar we run, except in the groovy mfa script for trusted 
devices, i.e. once they have a registered device the registration is no 
longer available; if the device is "trusted" by the user and in the ip subnet, mfa is 
bypassed as well. I actually believe we went down that road because I think 
with groovy mfa, even if the device is trusted, it still would prompt for mfa 
selection. I cannot remember at the moment though.

This should get you closer; the first param in the groovy script is 
'webflow':

import org.springframework.webflow.*

context = webflow.execution.RequestContext 
On Tuesday, September 12, 2023 at 10:34:25 AM UTC-5 spfma...@e.mail.fr 
wrote:

> Hi,
>  
> Thanks for your answer. I had read those articles already, but they didn't 
> help a lot or maybe I am trying to do something too crazy.
>  
> I am still not able to get the 'mfa-gauth' state in the 'login' webflow in 
> spite of seeing it in the logs and  the webflow output endpoint.
>  
> I did some cleaning and tidying to get a more readable output from the 
> logs.
>  
> 
> 
>  
> No problem to add actions to 'realSubmit' state, using something very 
> alike to "
> https://apereo.github.io/cas/6.5.x/webflow/Webflow-Customization-Extensions.html
> "
>  
> Are there some restrictions on what can be accessed with the groovy webflow 
> extensions?
>  
> In the same way, I still don't understand how to get a reference to the 
> mfa-provider. I had a look at 
> "core/cas-server-core-web-api/src/main/java/org/apereo/cas/web/support/WebUtils.java"
>  
> and it seems "getMultifactorAuthenticationProviderById" should be useful, 
> but I don't know what to use as 'context' when trying to call it from the 
> groovy script.
>  
> I will have a closer look at your class, especially try to understand how 
> to use it.
>  
> Regards
>
>
> On 06-Sep-2023 19:02:50 +0200, rb...@uvic.ca wrote:
>
> These should help
> https://fawnoos.com/2021/08/20/cas64-webflow-extensions/
> https://fawnoos.com/2022/04/21/cas66-webflow-groovy-actions/
>  
> I have a helper class that can print out the flow
> https://gist.github.com/rbonatuvic/d3ef9e8dc0c5a78870a8520bc2ab2b74
>  
> Ray
>  
> On Wed, 2023-09-06 at 14:46 +0200, spfma.tech via CAS Community wrote:
>
>  
> Hi,
>  
> I spent some time studying your script and I think I will follow this way.
> But I am having a hard time gathering information to write the script I 
> need.
>  
> Here is what I am trying to do: now 'mfa-gauth' is working, I would like 
> to "harden" it a little bit, as I think the authenticator registration 
> procedure is too open by default (someone who managed to steal a password 
> can register his own if he is faster than the account owner. So insecure 
> access should not be possible if no device has been registered in a safer 
> way before).
>  
> I would like to alter the webflow in order to display a warning message if 
> the user has not registered at least one authenticator already and is not 
> coming from a trusted network, then move to a failed state.
>  
> I have spent a lot of time studying logfiles to understand how states and 
> transitions are interacting, and I think I have to either modify 
> "mfa-gauth" state in "login" webflow, or the "mfa-gauth" webflow itself as it 
> is called as a subflow.
>  
> But I have no idea how to address another flow than "login", if and how I 
> can query 'mfa-gauth' backend to check if there are some registered 
> authenticators, or how to display any extra views.
>  
> Do you know where I could find information and clues about this? In fact 
> I don't even know what namespaces are available in the script.
>  
> Regards
>  
>
>
> On 25-Jul-2023 16:15:39 +0200, jbann...@gmail.com wrote:
>
> Maybe Misagh could put in his thoughts on this, but I would argue the 
> opposite is more true in fact, having custom java code and having to 
> register, etc.. relies on way MORE base code in cas than the groovy 
> methods. If you take a look at the way groovy scripts are written in cas it 
> is mainly a simple execute groovy method passing the parameters and just 
> reading the results. That code itself doesn't change much, we had thousands 
> of lines of custom java code before the 6.x days, for all kinds of things. 
> Now we maintain 2 individual java class files and are working to get those 
> changes pushed into cas, just need to write the test cases and scenarios.
>  
> One of the benefits to using groovy is the no compile time, they don't 
> need

Re: [cas-user] [CAS 6.6.8] Custom MFA triggers

2023-09-12 Thread spfma.tech via CAS Community
Hi,

Thanks for your answer. I had read those articles already, but they didn't 
help a lot or maybe I am trying to do something too crazy.

I am still not able to get the 'mfa-gauth' state in the 'login' webflow in 
spite of seeing it in the logs and the webflow output endpoint.

I did some cleaning and tidying to get a more readable output from the logs. 
No problem to add actions to 'realSubmit' state, using something very alike to 
"https://apereo.github.io/cas/6.5.x/webflow/Webflow-Customization-Extensions.html"

Are there some restrictions on what can be accessed with the groovy webflow 
extensions?

In the same way, I still don't understand how to get a reference to the 
mfa-provider. I had a look at 
"core/cas-server-core-web-api/src/main/java/org/apereo/cas/web/support/WebUtils.java"
and it seems "getMultifactorAuthenticationProviderById" should be useful, but 
I don't know what to use as 'context' when trying to call it from the groovy 
script.

I will have a closer look at your class, especially try to understand how to 
use it.

Regards

On 06-Sep-2023 19:02:50 +0200, r...@uvic.ca wrote:

These should help
https://fawnoos.com/2021/08/20/cas64-webflow-extensions/
https://fawnoos.com/2022/04/21/cas66-webflow-groovy-actions/

I have a helper class that can print out the flow
https://gist.github.com/rbonatuvic/d3ef9e8dc0c5a78870a8520bc2ab2b74

Ray

On Wed, 2023-09-06 at 14:46 +0200, spfma.tech via CAS Community wrote:

Hi,

I spent some time studying your script and I think I will follow this way. 
But I am having a hard time gathering information to write the script I need.

Here is what I am trying to do: now 'mfa-gauth' is working, I would like to 
"harden" it a little bit, as I think the authenticator registration procedure 
is too open by default (someone who managed to steal a password can register 
his own if he is faster than the account owner. So insecure access should not 
be possible if no device has been registered in a safer way before).

I would like to alter the webflow in order to display a warning message if the 
user has not registered at least one authenticator already and is not coming 
from a trusted network, then move to a failed state.

I have spent a lot of time studying logfiles to understand how states and 
transitions are interacting, and I think I have to either modify "mfa-gauth" 
state in "login" webflow, or the "mfa-gauth" webflow itself as it is called as 
a subflow.

But I have no idea how to address another flow than "login", if and how I can 
query 'mfa-gauth' backend to check if there are some registered 
authenticators, or how to display any extra views.

Do you know where I could find information and clues about this? In fact I 
don't even know what namespaces are available in the script.

Regards

On 25-Jul-2023 16:15:39 +0200, jbanner6...@gmail.com wrote:

Maybe Misagh could put in his thoughts on this, but I would argue the opposite 
is more true in fact, having custom java code and having to register, etc.. 
relies on way MORE base code in cas than the groovy methods. If you take a 
look at the way groovy scripts are written in cas it is mainly a simple execute 
groovy method passing the parameters and just reading the results. That code 
itself doesn't change much, we had thousands of lines of custom java code 
before the 6.x days, for all kinds of things. Now we maintain 2 individual 
java class files and are working to get those changes pushed into cas, just 
need to write the test cases and scenarios.

One of the benefits to using groovy is the no compile time, they don't need to 
be compiled with your overlay! Most if not all groovy scripts are reloaded on 
demand, when changed, and take effect immediately with no restarts, which makes 
a huge difference.

Not sure why the other poster's simple-mfa wouldn't work but it works no 
problem for us, it could be the trigger type being used, there is the 
cas.authn.mfa.core.provider-selector-groovy-script and what we use, 
cas.authn.mfa.groovy-script, and we have some vendors/external services that 
use database auth and mfa is fine, we also use surrogate and in our groovy we 
have parts written to either bypass/force for surrogate situations.

We have been using CAS since the 3.x days and when groovy webflow came along, 
it was a blessing!! It is so much easier to maintain than custom java code. 
See the attached, this is one of about 4 different flow modifiers, using the 
"properties" in a service definition, we utilize this flow to inject custom 
post fields for services that require a POST response instead of REDIRECT.

I think, in my opinion, groovy is way more sustainable to maintain than the 
other.

Thanks,
John

On Tuesday, July 25, 2023 at 7:18:07 AM UTC-5 spfma...@e.mail.fr wrote:

Hi, Thanks for your r