Re: [cas-user] Re: SPNEGO Client Selection Strategy

2018-05-28 Thread Charles Le Gallic
Hi,

I'm glad to see that you confirm the bug. I'll try to make a Pull Request,
but I need to set up a full CAS dev env first.

Regards,

Charles


On Wednesday, May 23, 2018 at 18:59:17 UTC+2, Christian Poirier wrote:
>
> I think I know what you mean by "is buggy". I checked the code and it misses
> something. The webflow is not configured correctly even if you configure it to
> use the hostname filter and/or IP address filter. It just jumps directly to
> the SPNEGO negotiate transition. I corrected this with the changes I made to
> the code. There was no way to choose to go directly to SPNEGO or evaluate
> the client before starting SPNEGO.
>
> Christian Poirier
> Mobile: 418-473-2824

Re: [cas-user] Re: SPNEGO Client Selection Strategy

2018-05-23 Thread Christian Poirier
I think I know what you mean by "is buggy". I checked the code and it misses
something. The webflow is not configured correctly even if you configure it to
use the hostname filter and/or IP address filter. It just jumps directly to
the SPNEGO negotiate transition. I corrected this with the changes I made to
the code. There was no way to choose to go directly to SPNEGO or evaluate
the client before starting SPNEGO.

Christian Poirier
Mobile: 418-473-2824

2018-05-23 1:58 GMT-04:00 Charles Le Gallic :

> Ok thanks. Let me know if you can confirm that current native
> implementation is buggy.
>
> Regards,
>
> Charles
>
> 
> 12, impasse du Malrigou, 31140 Montberon
> 
> cont...@amoae.com | 06 24 73 04 98 | *amoae.com* 

Re: [cas-user] Re: SPNEGO Client Selection Strategy

2018-05-22 Thread Charles Le Gallic
Ok thanks. Let me know if you can confirm that current native
implementation is buggy.

Regards,

Charles


12, impasse du Malrigou, 31140 Montberon
cont...@amoae.com | 06 24 73 04 98 | *amoae.com* 


On Wed, May 23, 2018 at 04:46, Christian Poirier wrote:

> Hi Charles
>
> Yes I did, but with my own development and my properties. I will check if
> I can implement with Client Access Strategy by implementing my own SPNEGO
> Service Access Strategy
>
> Christian Poirier
> Mobile: 418-473-2824

Re: [cas-user] Re: SPNEGO Client Selection Strategy

2018-05-22 Thread Christian Poirier
Hi Charles

Yes I did, but with my own development and my properties. I will check if I
can implement with Client Access Strategy by implementing my own SPNEGO
Service Access Strategy

Christian Poirier
Mobile: 418-473-2824

2018-05-22 1:58 GMT-04:00 Charles Le Gallic :

> Hi Christian,
>
> Did you manage to make IP-based SPNEGO client selection work on CAS 5.x?
>
> In that case, is there any other configuration to set up in addition to
> the cas.properties configuration?
>
> Regards,
>
> Charles
>
> 
> 12, impasse du Malrigou, 31140 Montberon
> 
> cont...@amoae.com | 06 24 73 04 98 | *amoae.com* 

Re: [cas-user] Re: SPNEGO Client Selection Strategy

2018-05-21 Thread Charles Le Gallic
Hi Christian,

Did you manage to make IP-based SPNEGO client selection work on CAS 5.x?

In that case, is there any other configuration to set up in addition to
the cas.properties configuration?

Regards,

Charles


12, impasse du Malrigou, 31140 Montberon
cont...@amoae.com | 06 24 73 04 98 | *amoae.com* 


On Fri, May 18, 2018 at 14:14, Christian Poirier wrote:

> Hi Charles
>
> I am using the 5.3.0-RC3. I illustrated the webflow to see the logic. The
> webflow logic is built in the code.
> I will check if the implementation based on a
> RegisteredServiceAccessStrategy is possible.
>
> Christian Poirier
> Mobile: 418-473-2824

Re: [cas-user] Re: SPNEGO Client Selection Strategy

2018-05-21 Thread Nicholas Wylie
Thanks Charles & Christian.

It sounds like getting this working is going to be a bit more involved than
I imagined! I will have to try and have a better look at it when we have a
bit more time.

On Friday, May 18, 2018 at 10:14:12 PM UTC+10, Christian Poirier wrote:
>
> Hi Charles
>
> I am using the 5.3.0-RC3. I illustrated the webflow to see the logic. The 
> webflow logic is built in the code.
> I will check if the implementation based on a 
> RegisteredServiceAccessStrategy is possible.
>
> Christian Poirier
> Mobile: 418-473-2824

Re: [cas-user] Re: SPNEGO Client Selection Strategy

2018-05-18 Thread Christian Poirier
Hi Charles

I am using the 5.3.0-RC3. I illustrated the webflow to see the logic. The
webflow logic is built in the code.
I will check if the implementation based on a
RegisteredServiceAccessStrategy is possible.

Christian Poirier
Mobile: 418-473-2824

2018-05-18 1:28 GMT-04:00 Charles Le Gallic :

> Hi Christian,
>
> Which version of CAS do you use ?
>
> It seems to be a version below CAS 5.0.x (org.jasig packages and XML
> spring configurations). SPNEGO client selection strategy was working on 4.x
> version, but I cannot make it work after having upgraded to CAS 5.1.x
>
> Regards,
>
> Charles
>
> 
> 12, impasse du Malrigou, 31140 Montberon
> 
> cont...@amoae.com | 06 24 73 04 98 | *amoae.com* 

Re: [cas-user] Re: SPNEGO Client Selection Strategy

2018-05-17 Thread Charles Le Gallic
Hi Christian,

Which version of CAS do you use ?

It seems to be a version below CAS 5.0.x (org.jasig packages and XML spring
configurations). SPNEGO client selection strategy was working on 4.x
version, but I cannot make it work after having upgraded to CAS 5.1.x

Regards,

Charles


12, impasse du Malrigou, 31140 Montberon
cont...@amoae.com | 06 24 73 04 98 | *amoae.com* 


On Thu, May 17, 2018 at 15:25, Christian Poirier wrote:

> Hi Nicolas,
>
> In our organization, we need to let the user choose between the default
> login and SPNEGO upon a list of criteria and sometimes we need to go
> directly to the SPNEGO authentication upon other criteria. For this
> feature, I extended the SPNEGO module. I show a button with the label
> "LOGIN WITH MY WINDOWS ACCOUNT" when the IP address matches a regular
> expression. When the service matches a regular expression and the IP
> address also matches its regular expression, I force SPNEGO authentication
> without giving the user the chance to authenticate otherwise. If none of
> the previous conditions are present, then the user must authenticate
> normally with his user ID and password.
> If you look at the following webflow, you will find this logic inside.
>
> "org.jasig.cas.authentication.principal.UsernamePasswordCredentials" />
> "hasServiceCheck" else="gatewayRequestCheck" />
> "gatewayServicesManagementCheck" else="startAuthenticateCheck" />
> "viewGenericLoginSuccess" />
> "startAuthenticateCheck" else="generateServiceTicket" />
> "redirect" />
> "generateLoginTicket" else="spnegoForceCheckAction" />
> then="spnegoIPCheckAction2" else="spnegoAppCheckAction" />
> "generateLoginTicketAction.generate(flowRequestContext)" />
>
> Here are my new spnego.properties
> # cas.authn.spnego.spnegoMode=direct: indicates to go directly to the
> #   SPNEGO by changing the success transition of initialLoginForm
> #   action-state to startSpnegoAuthenticate
> # cas.authn.spnego.spnegoMode=evaluateClient: indicates to evaluate the
> #   client based on the client action strategy defined in
> #   evaluateClientActionStrategy. It changes the success transition of
> #   initialLoginForm action-state to evaluateClientRequest
> cas.authn.spnego.spnegoMode=evaluateClient|direct
> # The following property is deprecated
> #cas.authn.spnego.hostNameClientActionStrategy=serviceNameSpnegoClientAction
> # cas.authn.spnego.evaluateClientActionStrategy=hostnameSpnegoClientAction
> #   where CAS checks to see if the request's remote hostname matches a
> #   predefined pattern
> # cas.authn.spnego.evaluateClientActionStrategy=ldapSpnegoClientAction
> #   where CAS checks an LDAP instance for the remote hostname, to locate a
> #   pre-defined attribute whose mere existence would allow the webflow to
> #   resume to SPNEGO
> # cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction
> #   where CAS checks if the service corresponds to a regularExpression
> #   defined in serviceNamePatternString and the ip corresponds to
> #   ipsToCheckPattern implemented in baseSpnegoClientAction
> cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction
> cas.authn.spnego.ipsToCheckPattern=((127\.0)|(122.110))(\.[0-9]{1,3}){2}
> cas.authn.spnego.serviceNamePatternString=(app1\.domain\.ca)|(app2\.domain\.ca)
>
>
> It works well for me. If you want it, I could send you the code.
>
> Le jeudi 17 mai 2018 01:47:54 UTC-4, Nicholas Wylie a écrit :
>>
>> Hi CAS Community,
>>
>> I've successfully configured CAS 5.2 with LDAP/SPNEGO authentication
>> against our Active Directory.
>>
>> What we have noticed though is that non-domain joined computers see a
>> pop-up prompt for credentials when they visit the CAS login page. From my
>> reading, I believe we can fix this by configuring the LDAP Client Selection
>> Strategy for SPNEGO, but the documentation for which properties need to be
>> configured seems to be a bit scarce.
>>
>> Can someone offer any guidance (or a link to some documentation) as to
>> which properties I need to configure to use the LDAP Client Selection
>> Strategy?
>>
>> Thanks,
>> Nicholas
>>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "CAS Community" group.

[cas-user] Re: SPNEGO Client Selection Strategy

2018-05-17 Thread Christian Poirier
Hi Nicholas,

In our organization, we need to let the user choose between the default 
login and SPNEGO upon a list of criteria and sometimes we need to go 
directly to the SPNEGO authentication upon other criteria. For this 
feature, I extended the SPNEGO module. I show a button with the label 
"LOGIN WITH MY WINDOWS ACCOUNT" when the IP address matches a regular 
expression. When the service matches a regular expression and the IP 
address also matches its regular expression, I force SPNEGO authentication 
without giving the user the chance to authenticate otherwise. If none of 
the previous conditions are present, then the user must authenticate 
normally with his user ID and password.
If you look at the following webflow, you will find this logic inside.

Here are my new spnego.properties
# cas.authn.spnego.spnegoMode=direct: indicates to go directly to the SPNEGO by
# changing the success transition of initialLoginForm action-state to
# startSpnegoAuthenticate
# cas.authn.spnego.spnegoMode=evaluateClient: indicates to evaluate the client
# based on the client action strategy defined in evaluateClientActionStrategy.
# It changes the success transition of initialLoginForm action-state to
# evaluateClientRequest
cas.authn.spnego.spnegoMode=evaluateClient|direct
# The following property is deprecated
#cas.authn.spnego.hostNameClientActionStrategy=serviceNameSpnegoClientAction
# cas.authn.spnego.evaluateClientActionStrategy=hostnameSpnegoClientAction
# where CAS checks to see if the request's remote hostname matches a
# predefined pattern
# cas.authn.spnego.evaluateClientActionStrategy=ldapSpnegoClientAction
# where CAS checks an LDAP instance for the remote hostname, to locate a
# pre-defined attribute whose mere existence would allow the webflow to
# resume to SPNEGO
# cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction
# where CAS checks if the service corresponds to a regularExpression defined in
# serviceNamePatternString and the ip corresponds to ipsToCheckPattern
# implemented in baseSpnegoClientAction
cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction
cas.authn.spnego.ipsToCheckPattern=((127\.0)|(122\.110))(\.[0-9]{1,3}){2}
cas.authn.spnego.serviceNamePatternString=(app1\.domain\.ca)|(app2\.domain\.ca)


It works well for me. If you want it, I could send you the code.

Le jeudi 17 mai 2018 01:47:54 UTC-4, Nicholas Wylie a écrit :
>
> Hi CAS Community,
>
> I've successfully configured CAS 5.2 with LDAP/SPNEGO authentication 
> against our Active Directory.
>
> What we have noticed though is that non-domain joined computers see a 
> pop-up prompt for credentials when they visit the CAS login page. From my 
> reading, I believe we can fix this by configuring the LDAP Client Selection 
> Strategy for SPNEGO, but the documentation for which properties need to be 
> configured seems to be a bit scarce.
>
> Can someone offer any guidance (or a link to some documentation) as to 
> which properties I need to configure to use the LDAP Client Selection 
> Strategy?
>
> Thanks,
> Nicholas
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/deeb374f-38e0-4bb0-8b18-35cc3ee46a7c%40apereo.org.
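
The three-way decision described in the message above (force SPNEGO, offer the Windows-account button, or fall back to the login form), as an added Java example that is neither the poster's code nor CAS code. The class, enum and method names are hypothetical; the two regexes follow the ipsToCheckPattern and serviceNamePatternString values with every dot escaped, and the example assumes the service arrives as a URL whose host is what should be matched.

```java
import java.net.URI;
import java.util.regex.Pattern;

// Added illustration, not CAS code: class, enum and method names are hypothetical.
public class SpnegoClientDecision {

    enum Outcome { FORCE_SPNEGO, OFFER_SPNEGO_BUTTON, DEFAULT_LOGIN }

    private final Pattern ipPattern;       // plays the role of ipsToCheckPattern
    private final Pattern servicePattern;  // plays the role of serviceNamePatternString

    SpnegoClientDecision(String ipRegex, String serviceRegex) {
        this.ipPattern = Pattern.compile(ipRegex);
        this.servicePattern = Pattern.compile(serviceRegex);
    }

    // Host part of the service URL, or null when the URL cannot be parsed.
    static String hostOf(String serviceUrl) {
        try {
            return serviceUrl == null ? null : URI.create(serviceUrl).getHost();
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    Outcome decide(String remoteAddr, String serviceUrl) {
        // matches() tests the whole input; find() would also accept a longer
        // string that merely contains an allowed value.
        if (remoteAddr == null || !ipPattern.matcher(remoteAddr).matches()) {
            return Outcome.DEFAULT_LOGIN;           // user ID and password
        }
        String host = hostOf(serviceUrl);
        boolean serviceOk = host != null && servicePattern.matcher(host).matches();
        return serviceOk ? Outcome.FORCE_SPNEGO : Outcome.OFFER_SPNEGO_BUTTON;
    }

    public static void main(String[] args) {
        // Every literal dot is escaped; the backslashes are doubled only because
        // these are Java string literals.
        SpnegoClientDecision d = new SpnegoClientDecision(
                "((127\\.0)|(122\\.110))(\\.[0-9]{1,3}){2}",
                "(app1\\.domain\\.ca)|(app2\\.domain\\.ca)");
        String[][] samples = {               // constructed {remote address, service URL}
            {"122.110.4.20", "https://app1.domain.ca/home"},
            {"122.110.4.20", "https://other.domain.ca/home"},
            {"10.1.2.3", "https://app1.domain.ca/home"},
            {"122.110.4.20", "https://other.domain.ca/?next=app1.domain.ca"},
        };
        for (String[] s : samples) {
            System.out.println(s[0] + " " + s[1] + " -> " + d.decide(s[0], s[1]));
        }
    }
}
```

The last constructed sample carries an allowed name only in its query string, so matching on the parsed host keeps it out of the forced-SPNEGO branch.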


[cas-user] Re: SPNEGO Client Selection Strategy

2018-05-17 Thread Charles Le Gallic
Hi Nicholas,

It seems to me that Kerberos / SPNEGO client selection strategy is broken 
since Alfresco 5.0.x.

Indeed, there are several other messages in this discussion list referring 
to this problem: here, here and here, and I didn't manage to make it work 
(IP based) in CAS 5.1.7 release.

SPNEGO Client Selection strategy setup is done in the SpnegoWebflowConfigurer 
class, using the "cas.authn.spnego.hostNameClientActionStrategy" parameter 
value to set the strategy (defaults to "hostnameSpnegoClientAction"). You 
can use the "ldapSpnegoClientAction" value to use an LDAP Client Selection 
Strategy.

The problem is the Spring MVC Web Flow is configured for using the 
"START_SPNEGO_AUTHENTICATE" action state by default, instead of the 
"EVALUATE_SPNEGO_CLIENT" action state (evaluateClientRequest).

Therefore, the Client Selection Strategy is never applied. I didn't find 
any way to use CAS configuration properties to add the 
*evaluateClientRequest* action state before the *startSpnegoAuthenticate* 
state.

The only way to do this may be to override the 
CasWebflowConstants.STATE_ID_INIT_LOGIN_FORM state (as done here) in a 
custom bean and configure it to transition to the evaluateClientRequest 
state.

I may have missed something, and I hope a CAS Developer can clarify it.

Regards,

Charles






Le jeudi 17 mai 2018 07:47:54 UTC+2, Nicholas Wylie a écrit :
>
> Hi CAS Community,
>
> I've successfully configured CAS 5.2 with LDAP/SPNEGO authentication 
> against our Active Directory.
>
> What we have noticed though is that non-domain joined computers see a 
> pop-up prompt for credentials when they visit the CAS login page. From my 
> reading, I believe we can fix this by configuring the LDAP Client Selection 
> Strategy for SPNEGO, but the documentation for which properties need to be 
> configured seems to be a bit scarce.
>
> Can someone offer any guidance (or a link to some documentation) as to 
> which properties I need to configure to use the LDAP Client Selection 
> Strategy?
>
> Thanks,
> Nicholas
>
