CAS 6.4.x bug: authentication handler called twice when using REST endpoint

[Damien Gibou]

  Hello,

We are trying to update from 6.3.7.1 to 6.4.3 and have identified what seems a regression.

Authentication handlers are called twice if using the REST API (whereas only once when loging in with the UI)

Reproduced with a minimal overlay with no specific customization (use of cas-server-support-saml + cas-server-support-rest + cas-server-support-json-service-registry in an overlay of  cas-server-webapp-jetty WAR / spring boot package and static auth cas.authn.accept.users=user::user )

curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' -i http://localhost/cas/v1/tickets --data 'username=user&password=user'

The log has duplicated lines [see below] showing that the authentication handler is called twice (and audit entries are generated twice, also).

   

Reproduced with 6.4.0-RC4, 6.4.0, 6.4.2 and 6.4.3 but not 6.4.0-RC1/RC2/RC3

  Damien

---------------------

2021-11-23 10:37:40,838 INFO [org.apereo.cas.authentication.DefaultAuthenticationManager] - Authenticated principal [user] with attributes [{}] via credentials [[UsernamePasswordCredential(username=user, source=null, customFields={})]].

2021-11-23 10:37:40,838 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN

=============================================================

WHO: user

WHAT: [UsernamePasswordCredential(username=user, source=null, customFields={})]

ACTION: AUTHENTICATION_SUCCESS

APPLICATION: CAS

WHEN: Tue Nov 23 10:37:40 CET 2021

CLIENT IP ADDRESS: 127.0.0.1

SERVER IP ADDRESS: 127.0.0.1

=============================================================

2021-11-23 10:37:40,854 INFO [org.apereo.cas.authentication.DefaultAuthenticationManager] - Authenticated principal [user] with attributes [{}] via credentials [[UsernamePasswordCredential(username=user, source=null, customFields={})]].

2021-11-23 10:37:40,854 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN

=============================================================

WHO: user

WHAT: [UsernamePasswordCredential(username=user, source=null, customFields={})]

ACTION: AUTHENTICATION_SUCCESS

APPLICATION: CAS

WHEN: Tue Nov 23 10:37:40 CET 2021

CLIENT IP ADDRESS: 127.0.0.1

SERVER IP ADDRESS: 127.0.0.1

=============================================================

2021-11-23 10:37:40,892 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN

=============================================================

WHO: user

WHAT: TGT-1-*****nTHRzbxGTw-FRL012435

ACTION: TICKET_GRANTING_TICKET_CREATED

APPLICATION: CAS

WHEN: Tue Nov 23 10:37:40 CET 2021

CLIENT IP ADDRESS: 127.0.0.1

SERVER IP ADDRESS: 127.0.0.1

=============================================================

2021-11-23 10:37:40,892 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN

=============================================================

WHO: user

WHAT: {location=http://localhost:15446/cas/v1/tickets/TGT-1--GOVpcgd2ew2gc-JX5ZkxuxrVZYebA0-cqawxaTV9vZUcKA9YaVD95eOQnTHRzbxGTw-FRL012435, status=201-CREATED}

ACTION: REST_API_TICKET_GRANTING_TICKET_CREATED

APPLICATION: CAS

WHEN: Tue Nov 23 10:37:40 CET 2021

CLIENT IP ADDRESS: 127.0.0.1

SERVER IP ADDRESS: 127.0.0.1

=============================================================

[Damien Gibou]

Hello,

The bug can still be reproduced with CAS 6.5.0-RC4. 

Anything I can do to help track/fix the regression ?

Damien

[Damien Gibou]

For information, the bug is not preset anymore in 6.5.5 (and 6.5.9)