Hello,
I decided to create a new thread because it could be a general problem in CAS 6.3.x, or I believe that it is a bug:
"Authentication handler resolvers produced no candidate authentication handler. Using the default handler resolver instead"
I have an easy service like this, and I have made 3 tests, below:
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(http|https)://example.org/casphp*",
  "name": "Test",
  "id": 1,
  "description": "Straggle Today!",
  "authenticationPolicy": {
    "requiredAuthenticationHandlers": ["java.util.TreeSet", [ "everest" ]],
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    "criteria": {
      "@class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"
    }
  }
}
Hashed conf line below:
#cas.authn.policy.required-handler-authentication-policy-enabled=true
With this setting I tried many times (3 or 5) to reload CAS so that CAS used the ppm handler as the first handler to examine, and the user was logged in to the service. In the logs I can't see any check that for service example.org it should be launched with the everest handler. So the conclusion is I have to use:
cas.authn.policy.required-handler-authentication-policy-enabled=true. Or how to do it personalized in the service??
B-TEST.
I enabled the line:
cas.authn.policy.required-handler-authentication-policy-enabled=true
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(http|https)://example.org/casphp*",
  "name": "Test",
  "id": 1,
  "description": "Straggle Today!",
  "authenticationPolicy": {
    "requiredAuthenticationHandlers": ["java.util.TreeSet", [ "everest" ]],
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
  }
}
In this case, if the examination of handlers starts from the ppm handler, auth is accepted, but
cas.authn.policy.required-handler-authentication-policy-enabled keeps the user not logged in because the ppm handler is not for service example.org. But CAS didn't even try everest.
It looks like requiredAuthenticationHandlers works but
cas.authn.policy.required-handler-authentication-policy-enabled=true.
C-TEST with tryALL policy.
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(http|https)://example.org/casphp*",
  "name": "Test",
  "id": 1,
  "description": "Straggle Today!",
  "authenticationPolicy": {
    "requiredAuthenticationHandlers": ["java.util.TreeSet", [ "everest" ]],
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    "tryAll": true,   <- this should try all services to achieve requiredAuthenticationHandlers ??
    "criteria": {
      "@class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"
    }
  }
}
Hashed:
#cas.authn.policy.required-handler-authentication-policy-enabled=true
If the ppm handler is used by CAS during examination, everest wasn't tried by CAS.
For the three cases I see something like this:
2021-12-06 11:05:17,655 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication credentials provided for this transaction are [[UsernamePasswordCredential(username=kowalski, source=null, customFields={})]]>
2021-12-06 11:05:17,658 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Candidate/Registered authentication handlers for this transaction are [[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@62de73eb, org.apereo.cas.authentication.LdapAuthenticationHandler@4b50c21, org.apereo.cas.authentication.LdapAuthenticationHandler@1e95f584, org.apereo.cas.authentication.LdapAuthenticationHandler@69de72ec]]>
* above is the list of 3 handlers; I have 3 in cas.properties *
2021-12-06 11:05:17,658 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Authentication handler resolvers for this transaction are [[org.apereo.cas.authentication.handler.RegisteredServiceAuthenticationHandlerResolver@6a562255]]>
2021-12-06 11:05:17,668 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Authentication handler resolvers produced no candidate authentication handler. Using the default handler resolver instead...>
2021-12-06 11:05:17,669 DEBUG [org.apereo.cas.authentication.AuthenticationHandlerResolver] - <Default authentication handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler,everest,everest_365,ppm]>
Let's assume I see that I have in the log:
"Authentication handler resolvers produced no candidate authentication handler. Using the default handler resolver instead"
Why doesn't CAS see a candidate auth handler? Maybe that is connected with my general problem: how should I attach the handler to the service (while one user has privileges in two handlers)?
AM