CAS 5.2.2 Cannot get proxyGrantingTicket in validation response
509 views
Skip to first unread message
Christian Koehn
Mar 9, 2018, 1:35:11 PM3/9/18
to CAS Community
Hi,
After spending several hours of trial&error, reading documentation and googling around my last resort is to ask for help in this mail list.
I need to do proxy authentication, but as the CAS cannot directly access the application(s), I wanted to include the proxy granting ticket in the validation response as described here: https://apereo.github.io/cas/5.2.x/installation/Configuring-Proxy-Authentication.html
The endpoint called is /p3/serviceValidate
The service config is:
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "https://ckoewiki.dev.mydomain.com/bin/view",
"name" : "CKOE wiki",
"id" : 2,
"description" : "Only ckoe wiki auth with proxy",
"evaluationOrder" : 2,
"proxyPolicy" : {
"@class" : "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
"pattern" : "^https?://.*"
},
"usernameAttributeProvider" : {
"@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute" : "uid"
},
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"authorizedToReleaseProxyGrantingTicket" : true
},
"publicKey" : {
"@class" : "org.apereo.cas.services.RegisteredServicePublicKeyImpl",
"location" : "file:/etc/cas/ubxnet.key",
"algorithm" : "RSA"
}
}
The response to the call I get is:
'cas:serviceResponse' => [
{
'cas:authenticationSuccess' => [
{
'cas:attributes' => [
{
'cas:successfulAuthenticationHandlers' => [
'LdapAuthenticationHandler'
],
'cas:authenticationMethod' => [
'LdapAuthenticationHandler'
],
'cas:authenticationDate' => [
'2018-03-09T16:49:17.305Z[UTC]'
],
'cas:isFromNewLogin' => [
'true'
],
'cas:longTermAuthenticationRequestTokenUsed' => [
'false'
],
'cas:credentialType' => [
'RememberMeUsernamePasswordCredential'
]
}
],
'cas:user' => [
'ckoe'
]
}
]
}
]
}
Debug output of the service validation call is:
2018-03-09 17:31:17,821 DEBUG [org.apereo.cas.support.saml.authentication.principal.SamlServiceFactory] - <Request does not specify a [TARGET] or request body is empty>
2018-03-09 17:31:17,821 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <Created [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@76db9e65[id=https://ckoewiki.dev.mydomain.com/bin/view,originalUrl=https://ckoewiki.dev.mydomain.com/bin/view,artifactId=ST-3-RDJ-f7lR48DOdqQu3PtswaToJVgn4-yjlnB9rTXiEj2t1uJ1VbMsiwLu-u2-S3PV7K2pVkaJa5ZT3G7ZxBQ0H8TvN5Fqof9eNXLRPaUCpCOxJwLJiafTahsvvM1Ii7IZrVDfyK6M-dzoKqhRpKy1lIC2k6WFHPJK-d3b1dff9cf2f,principal=<null>,loggedOutAlready=false,format=XML]] based on [org.apereo.cas.authentication.principal.WebApplicationServiceFactory@d4ecdb0[]]>
2018-03-09 17:31:17,821 DEBUG [org.apereo.cas.web.support.AbstractArgumentExtractor] - <Extractor generated service type [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl] for: [https://ckoewiki.dev.mydomain.com/bin/view]>
2018-03-09 17:31:17,821 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Creating new transaction with name [org.apereo.cas.DefaultCentralAuthenticationService.validateServiceTicket]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
2018-03-09 17:31:17,822 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Creating new transaction with name [org.apereo.cas.DefaultCentralAuthenticationService.validateServiceTicket]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
2018-03-09 17:31:17,822 DEBUG [org.apereo.cas.AbstractCentralAuthenticationService] - <Attempting to decode service ticket [ST-3-RDJ-XXX] to verify authenticity>
2018-03-09 17:31:17,822 DEBUG [org.apereo.cas.ticket.support.RememberMeDelegatingExpirationPolicy] - <Ticket is not associated with a remember-me authentication.>
2018-03-09 17:31:17,822 DEBUG [org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Received expiration policy name [DEFAULT] to activate>
2018-03-09 17:31:17,823 DEBUG [org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Located expiration policy [org.apereo.cas.ticket.support.TimeoutExpirationPolicy@72f5] by name [DEFAULT]>
2018-03-09 17:31:17,823 DEBUG [org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Activating expiration policy [org.apereo.cas.ticket.support.TimeoutExpirationPolicy@72f5] for ticket [TGT-**T-3-sudJs8-KA1EN-ziRQDwl75zbzhqFSel1hXAwZVqsEP2uNwNxgDO1Gjd9gPH-X-SHlBU-d3b1dff9cf2f]>
2018-03-09 17:31:17,823 DEBUG [org.apereo.cas.ticket.support.RememberMeDelegatingExpirationPolicy] - <Ticket is not associated with a remember-me authentication.>
2018-03-09 17:31:17,823 DEBUG [org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Received expiration policy name [DEFAULT] to activate>
2018-03-09 17:31:17,824 DEBUG [org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Located expiration policy [org.apereo.cas.ticket.support.TimeoutExpirationPolicy@72f5] by name [DEFAULT]>
2018-03-09 17:31:17,824 DEBUG [org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Activating expiration policy [org.apereo.cas.ticket.support.TimeoutExpirationPolicy@72f5] for ticket [TGT-**T-3-sudJs8-KA1EN-ziRQDwl75zbzhqFSel1hXAwZVqsEP2uNwNxgDO1Gjd9gPH-X-SHlBU-d3b1dff9cf2f]>
2018-03-09 17:31:17,824 DEBUG [org.apereo.cas.ticket.support.RememberMeDelegatingExpirationPolicy] - <Ticket is not associated with a remember-me authentication.>
2018-03-09 17:31:17,824 DEBUG [org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Received expiration policy name [DEFAULT] to activate>
2018-03-09 17:31:17,824 DEBUG [org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Located expiration policy [org.apereo.cas.ticket.support.TimeoutExpirationPolicy@72f5] by name [DEFAULT]>
2018-03-09 17:31:17,824 DEBUG [org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Activating expiration policy [org.apereo.cas.ticket.support.TimeoutExpirationPolicy@72f5] for ticket [TGT-**T-3-sudJs8-KA1EN-ziRQDwl75zbzhqFSel1hXAwZVqsEP2uNwNxgDO1Gjd9gPH-X-SHlBU-d3b1dff9cf2f]>
2018-03-09 17:31:17,825 DEBUG [org.apereo.cas.DefaultCentralAuthenticationService] - <Resolved service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@339f135[id=https://ckoewiki.dev.mydomain.com/bin/view,originalUrl=https://ckoewiki.dev.mydomain.com/bin/view,artifactId=<null>,principal=christian.koehn,loggedOutAlready=false,format=XML]] from the authentication request>
2018-03-09 17:31:17,825 DEBUG [org.apereo.cas.DefaultCentralAuthenticationService] - <Located registered service definition [id=2,name=CKOE wiki,description=Only ckoe wiki auth with proxy,serviceId=https://ckoewiki.dev.mydomain.com/bin/view,usernameAttributeProvider=usernameAttribute=uid,<null>,theme=<null>,evaluationOrder=2,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@7f1d52ab[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@69b4e5c5[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=true,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@28119a6c[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@2c557772[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=org.apereo.cas.services.RegisteredServicePublicKeyImpl@3948e059[location=file:/etc/cas/ubxnet.key,algorithm=RSA],proxyPolicy=org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy@771cb078[^https?://.*],logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@537a960d[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@549395f7[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>] from [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@339f135[id=https://ckoewiki.dev.mydomain.com/bin/view,originalUrl=https://ckoewiki.dev.mydomain.com/bin/view,artifactId=<null>,principal=christian.koehn,loggedOutAlready=false,format=XML]] to handle validation request>
2018-03-09 17:31:17,825 DEBUG [org.apereo.cas.DefaultCentralAuthenticationService] - <Attribute policy [org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@7f1d52ab[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@69b4e5c5[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=true,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@28119a6c[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]]] is associated with service [id=2,name=CKOE wiki,description=Only ckoe wiki auth with proxy,serviceId=https://ckoewiki.dev.mydomain.com/bin/view,usernameAttributeProvider=usernameAttribute=uid,<null>,theme=<null>,evaluationOrder=2,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@7f1d52ab[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@69b4e5c5[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=true,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@28119a6c[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@2c557772[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=org.apereo.cas.services.RegisteredServicePublicKeyImpl@3948e059[location=file:/etc/cas/ubxnet.key,algorithm=RSA],proxyPolicy=org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy@771cb078[^https?://.*],logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@537a960d[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@549395f7[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>]>
2018-03-09 17:31:17,826 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Initiating attributes release phase for principal [christian.koehn] accessing service [https://ckoewiki.dev.mydomain.com/bin/view] defined by registered service [https://ckoewiki.dev.mydomain.com/bin/view]...>
2018-03-09 17:31:17,826 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Locating principal attributes for [christian.koehn]>
2018-03-09 17:31:17,826 DEBUG [org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository] - <[DefaultPrincipalAttributesRepository] will return the collection of attributes directly associated with the principal object which are [{cn=[Christian Koehn], displayName=[Christian Koehn], GidNumber=[500], givenName=[Christian], l=[Thalwil], mail=[xxx], ou=[it-svc], sn=[Koehn], ubxacronym=[ckoe], ubxtelext=[449], uid=[christian.koehn], uidNumber=[10024]}]>
2018-03-09 17:31:17,826 DEBUG [org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository] - <Found [12] cached attributes for principal [christian.koehn] that are [{cn=[Christian Koehn], displayName=[Christian Koehn], GidNumber=[500], givenName=[Christian], l=[Thalwil], mail=[xxx], ou=[it-svc], sn=[Koehn], ubxacronym=[ckoe], ubxtelext=[449], uid=[christian.koehn], uidNumber=[10024]}]>
2018-03-09 17:31:17,826 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found principal attributes [{cn=[Christian Koehn], displayName=[Christian Koehn], GidNumber=[500], givenName=[Christian], l=[Thalwil], mail=[xxx], ou=[it-svc], sn=[Koehn], ubxacronym=[ckoe], ubxtelext=[449], uid=[christian.koehn], uidNumber=[10024]}] for [christian.koehn]>
2018-03-09 17:31:17,827 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Calling attribute policy [ReturnAllowedAttributeReleasePolicy] to process attributes for [christian.koehn]>
2018-03-09 17:31:17,827 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy [ReturnAllowedAttributeReleasePolicy] allows release of [{}] for [christian.koehn]>
2018-03-09 17:31:17,827 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attempting to merge policy attributes and default attributes>
2018-03-09 17:31:17,827 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Checking default attribute policy attributes>
2018-03-09 17:31:17,828 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving default attributes for release, if any>
2018-03-09 17:31:17,828 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [[]]>
2018-03-09 17:31:17,828 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are [{}]>
2018-03-09 17:31:17,828 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding default attributes first to the released set of attributes>
2018-03-09 17:31:17,828 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding policy attributes to the released set of attributes>
2018-03-09 17:31:17,829 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Finalizing attributes release phase for principal [christian.koehn] accessing service [https://ckoewiki.dev.mydomain.com/bin/view] defined by registered service [https://ckoewiki.dev.mydomain.com/bin/view]...>
2018-03-09 17:31:17,829 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{}]>
2018-03-09 17:31:17,829 DEBUG [org.apereo.cas.DefaultCentralAuthenticationService] - <Calculated attributes for release per the release policy are [[]]>
2018-03-09 17:31:17,829 DEBUG [org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] - <Original principal attributes available for selection of username attribute [uid] are [{cn=[Christian Koehn], displayName=[Christian Koehn], GidNumber=[500], givenName=[Christian], l=[Thalwil], mail=[xxx], ou=[it-svc], sn=[Koehn], ubxacronym=[ckoe], ubxtelext=[449], uid=[christian.koehn], uidNumber=[10024]}].>
2018-03-09 17:31:17,829 DEBUG [org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] - <Located service [id=2,name=CKOE wiki,description=Only ckoe wiki auth with proxy,serviceId=https://ckoewiki.dev.mydomain.com/bin/view,usernameAttributeProvider=usernameAttribute=uid,<null>,theme=<null>,evaluationOrder=2,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@7f1d52ab[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@69b4e5c5[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=true,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@28119a6c[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@2c557772[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=org.apereo.cas.services.RegisteredServicePublicKeyImpl@3948e059[location=file:/etc/cas/ubxnet.key,algorithm=RSA],proxyPolicy=org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy@771cb078[^https?://.*],logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@537a960d[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@549395f7[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>] in the registry. Attempting to resolve attributes for [christian.koehn]>
2018-03-09 17:31:17,830 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Initiating attributes release phase for principal [christian.koehn] accessing service [https://ckoewiki.dev.mydomain.com/bin/view] defined by registered service [https://ckoewiki.dev.mydomain.com/bin/view]...>
2018-03-09 17:31:17,830 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Locating principal attributes for [christian.koehn]>
2018-03-09 17:31:17,830 DEBUG [org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository] - <[DefaultPrincipalAttributesRepository] will return the collection of attributes directly associated with the principal object which are [{cn=[Christian Koehn], displayName=[Christian Koehn], GidNumber=[500], givenName=[Christian], l=[Thalwil], mail=[xxx], ou=[it-svc], sn=[Koehn], ubxacronym=[ckoe], ubxtelext=[449], uid=[christian.koehn], uidNumber=[10024]}]>
2018-03-09 17:31:17,830 DEBUG [org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository] - <Found [12] cached attributes for principal [christian.koehn] that are [{cn=[Christian Koehn], displayName=[Christian Koehn], GidNumber=[500], givenName=[Christian], l=[Thalwil], mail=[xxx], ou=[it-svc], sn=[Koehn], ubxacronym=[ckoe], ubxtelext=[449], uid=[christian.koehn], uidNumber=[10024]}]>
2018-03-09 17:31:17,831 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found principal attributes [{cn=[Christian Koehn], displayName=[Christian Koehn], GidNumber=[500], givenName=[Christian], l=[Thalwil], mail=[xxx], ou=[it-svc], sn=[Koehn], ubxacronym=[ckoe], ubxtelext=[449], uid=[christian.koehn], uidNumber=[10024]}] for [christian.koehn]>
2018-03-09 17:31:17,831 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Calling attribute policy [ReturnAllowedAttributeReleasePolicy] to process attributes for [christian.koehn]>
2018-03-09 17:31:17,831 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy [ReturnAllowedAttributeReleasePolicy] allows release of [{}] for [christian.koehn]>
2018-03-09 17:31:17,831 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attempting to merge policy attributes and default attributes>
2018-03-09 17:31:17,832 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Checking default attribute policy attributes>
2018-03-09 17:31:17,832 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving default attributes for release, if any>
2018-03-09 17:31:17,832 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [[]]>
2018-03-09 17:31:17,833 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are [{}]>
2018-03-09 17:31:17,833 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding default attributes first to the released set of attributes>
2018-03-09 17:31:17,833 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding policy attributes to the released set of attributes>
2018-03-09 17:31:17,833 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Finalizing attributes release phase for principal [christian.koehn] accessing service [https://ckoewiki.dev.mydomain.com/bin/view] defined by registered service [https://ckoewiki.dev.mydomain.com/bin/view]...>
2018-03-09 17:31:17,833 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{}]>
2018-03-09 17:31:17,833 DEBUG [org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] - <Attributes resolved by the release policy available for selection of username attribute [uid] are [{}].>
2018-03-09 17:31:17,834 DEBUG [org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] - <The selected username attribute [uid] was retrieved as a direct principal attribute and not through the attribute release policy for service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@339f135[id=https://ckoewiki.dev.mydomain.com/bin/view,originalUrl=https://ckoewiki.dev.mydomain.com/bin/view,artifactId=<null>,principal=christian.koehn,loggedOutAlready=false,format=XML]]. CAS is unable to detect new attribute values for [uid] after authentication unless the attribute is explicitly authorized for release via the service attribute release policy.>
2018-03-09 17:31:17,834 DEBUG [org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] - <Principal id to return for [https://ckoewiki.dev.mydomain.com/bin/view] is [christian.koehn]. The default principal id is [christian.koehn].>
2018-03-09 17:31:17,834 DEBUG [org.apereo.cas.services.BaseRegisteredServiceUsernameAttributeProvider] - <Resolved username for [https://ckoewiki.dev.mydomain.com/bin/view] is [christian.koehn]>
2018-03-09 17:31:17,834 DEBUG [org.apereo.cas.DefaultCentralAuthenticationService] - <Principal determined for release to [https://ckoewiki.dev.mydomain.com/bin/view] is [christian.koehn]>
2018-03-09 17:31:17,835 DEBUG [org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy] - <Skipping access strategy policy, since no attributes rules are defined>
2018-03-09 17:31:17,835 DEBUG [org.apereo.cas.AbstractCentralAuthenticationService] - <Publishing [org.apereo.cas.support.events.ticket.CasServiceTicketValidatedEvent@172ccf1b[assertion=org.apereo.cas.authentication.DefaultAuthentication@b6dfcda9:org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@339f135[id=https://ckoewiki.dev.mydomain.com/bin/view,originalUrl=https://ckoewiki.dev.mydomain.com/bin/view,artifactId=<null>,principal=christian.koehn,loggedOutAlready=false,format=XML],serviceTicket=ST-3-RDJ-f7lR48DOdqQu3PtswaToJVgn4-yjlnB9rTXiEj2t1uJ1VbMsiwLu-u2-S3PV7K2pVkaJa5ZT3G7ZxBQ0H8TvN5Fqof9eNXLRPaUCpCOxJwLJiafTahsvvM1Ii7IZrVDfyK6M-dzoKqhRpKy1lIC2k6WFHPJK-d3b1dff9cf2f]]>
2018-03-09 17:31:17,835 DEBUG [org.apereo.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy] - <Ticket usage count [1] is greater than or equal to [1]. Ticket has expired>
2018-03-09 17:31:17,835 DEBUG [org.apereo.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy] - <Ticket usage count [1] is greater than or equal to [1]. Ticket has expired>
2018-03-09 17:31:17,835 DEBUG [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Ticket [ST-3-RDJ-f7lR48DOdqQu3PtswaToJVgn4-yjlnB9rTXiEj2t1uJ1VbMsiwLu-u2-S3PV7K2pVkaJa5ZT3G7ZxBQ0H8TvN5Fqof9eNXLRPaUCpCOxJwLJiafTahsvvM1Ii7IZrVDfyK6M-dzoKqhRpKy1lIC2k6WFHPJK-d3b1dff9cf2f] has expired and is now removed from the cache>
2018-03-09 17:31:17,836 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: christian.koehn
WHAT: ST-3-RDJ-f7lR48DOdqQu3PtswaToJVgn4-yjlnB9rTXiEj2t1uJ1VbMsiwLu-u2-S3PV7K2pVkaJa5ZT3G7ZxBQ0H8TvN5Fqof9eNXLRPaUCpCOxJwLJiafTahsvvM1Ii7IZrVDfyK6M-dzoKqhRpKy1lIC2k6WFHPJK-d3b1dff9cf2f
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Fri Mar 09 17:31:17 UTC 2018
CLIENT IP ADDRESS: 195.34.89.139
SERVER IP ADDRESS: 172.17.0.7
=============================================================
>
2018-03-09 17:31:17,836 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Initiating transaction commit>
2018-03-09 17:31:17,836 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Resuming suspended transaction after completion of inner transaction>
2018-03-09 17:31:17,837 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Initiating transaction commit>
2018-03-09 17:31:17,837 DEBUG [org.apereo.cas.validation.AbstractCasProtocolValidationSpecification] - <Is validation specification set to enforce [renew] protocol behavior? [no]. Is assertion issued from a new login? [yes]>
2018-03-09 17:31:17,837 DEBUG [org.apereo.cas.validation.Cas20ProtocolValidationSpecification] - <Assertion is always satisfied>
2018-03-09 17:31:17,837 DEBUG [org.apereo.cas.validation.AbstractCasProtocolValidationSpecification] - <Validation specification is satisfied by the produced assertion>
2018-03-09 17:31:17,837 DEBUG [org.apereo.cas.web.AbstractServiceValidateController] - <Locating the primary authentication associated with this service request [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@339f135[id=https://ckoewiki.dev.mydomain.com/bin/view,originalUrl=https://ckoewiki.dev.mydomain.com/bin/view,artifactId=<null>,principal=christian.koehn,loggedOutAlready=false,format=XML]]>
2018-03-09 17:31:17,838 DEBUG [org.apereo.cas.web.AbstractServiceValidateController] - <No particular authentication context is required for this request>
2018-03-09 17:31:17,838 DEBUG [org.apereo.cas.web.AbstractServiceValidateController] - <No service credentials specified, and/or the proxy handler [Cas20ProxyHandler] cannot handle credentials>
2018-03-09 17:31:17,838 DEBUG [org.apereo.cas.web.AbstractServiceValidateController] - <Successfully validated service ticket [ST-3-RDJ-f7lR48DOdqQu3PtswaToJVgn4-yjlnB9rTXiEj2t1uJ1VbMsiwLu-u2-S3PV7K2pVkaJa5ZT3G7ZxBQ0H8TvN5Fqof9eNXLRPaUCpCOxJwLJiafTahsvvM1Ii7IZrVDfyK6M-dzoKqhRpKy1lIC2k6WFHPJK-d3b1dff9cf2f] for service [https://ckoewiki.dev.mydomain.com/bin/view]>
2018-03-09 17:31:17,838 DEBUG [org.apereo.cas.services.web.view.AbstractDelegatingCasView] - <Preparing the output model [[assertion, service, org.springframework.validation.BindingResult.assertion, org.springframework.validation.BindingResult.service]] to render view [Cas30ResponseView]>
2018-03-09 17:31:17,838 DEBUG [org.apereo.cas.web.view.Cas20ResponseView] - <Prepared CAS response output model with attribute names [[assertion, service, org.springframework.validation.BindingResult.assertion, org.springframework.validation.BindingResult.service, principal, chainedAuthentications, primaryAuthentication]]>
2018-03-09 17:31:17,839 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Processed response principal attributes from the output model to be [[]]>
2018-03-09 17:31:17,839 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <CAS is configured to release protocol-level attributes. Processing...>
2018-03-09 17:31:17,839 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Processed response protocol/authentication attributes from the output model to be [[credentialType, longTermAuthenticationRequestTokenUsed, isFromNewLogin, authenticationDate, authenticationMethod, successfulAuthenticationHandlers]]>
2018-03-09 17:31:17,839 DEBUG [org.apereo.cas.services.web.view.AbstractCasView] - <Obtained [credential] as an authentication attribute>
2018-03-09 17:31:17,839 DEBUG [org.apereo.cas.services.web.view.AbstractCasView] - <Attribute release policy for [https://ckoewiki.dev.mydomain.com/bin/view] does not authorize the release of [credential]>
2018-03-09 17:31:17,839 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Final collection of attributes for the response are [[credentialType, isFromNewLogin, authenticationDate, authenticationMethod, successfulAuthenticationHandlers, longTermAuthenticationRequestTokenUsed]].>
2018-03-09 17:31:17,840 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Beginning to encode attributes for the response>
2018-03-09 17:31:17,840 DEBUG [org.apereo.cas.authentication.support.AbstractProtocolAttributeEncoder] - <Starting to encode attributes for release to service [id=2,name=CKOE wiki,description=Only ckoe wiki auth with proxy,serviceId=https://ckoewiki.dev.mydomain.com/bin/view,usernameAttributeProvider=usernameAttribute=uid,<null>,theme=<null>,evaluationOrder=2,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@7f1d52ab[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@69b4e5c5[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=true,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@28119a6c[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@2c557772[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=org.apereo.cas.services.RegisteredServicePublicKeyImpl@3948e059[location=file:/etc/cas/ubxnet.key,algorithm=RSA],proxyPolicy=org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy@771cb078[^https?://.*],logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@537a960d[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@549395f7[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>]>
2018-03-09 17:31:17,840 DEBUG [org.apereo.cas.authentication.support.DefaultCasProtocolAttributeEncoder] - <[credential] is not available as a cached model attribute to encrypt...>
2018-03-09 17:31:17,840 DEBUG [org.apereo.cas.authentication.support.DefaultCasProtocolAttributeEncoder] - <[proxyGrantingTicket] is not available as a cached model attribute to encrypt...>
2018-03-09 17:31:17,840 DEBUG [org.apereo.cas.authentication.support.DefaultCasProtocolAttributeEncoder] - <Sanitizing attribute names in preparation of the final validation response>
2018-03-09 17:31:17,841 DEBUG [org.apereo.cas.authentication.support.AbstractProtocolAttributeEncoder] - <[6] encoded attributes are available for release to [id=2,name=CKOE wiki,description=Only ckoe wiki auth with proxy,serviceId=https://ckoewiki.dev.mydomain.com/bin/view,usernameAttributeProvider=usernameAttribute=uid,<null>,theme=<null>,evaluationOrder=2,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@7f1d52ab[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@69b4e5c5[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=true,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@28119a6c[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@2c557772[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=org.apereo.cas.services.RegisteredServicePublicKeyImpl@3948e059[location=file:/etc/cas/ubxnet.key,algorithm=RSA],proxyPolicy=org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy@771cb078[^https?://.*],logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@537a960d[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@549395f7[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>]: [[credentialType, isFromNewLogin, authenticationDate, authenticationMethod, successfulAuthenticationHandlers, longTermAuthenticationRequestTokenUsed]]>
2018-03-09 17:31:17,841 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Encoded attributes for the response are [{credentialType=RememberMeUsernamePasswordCredential, isFromNewLogin=[true], authenticationDate=[2018-03-09T17:31:17.498Z[UTC]], authenticationMethod=LdapAuthenticationHandler, successfulAuthenticationHandlers=[LdapAuthenticationHandler], longTermAuthenticationRequestTokenUsed=[false]}]>
2018-03-09 17:31:17,841 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Beginning to format/render attributes for the response>
2018-03-09 17:31:17,841 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:credentialType>RememberMeUsernamePasswordCredential</cas:credentialType>]>
2018-03-09 17:31:17,841 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:isFromNewLogin>true</cas:isFromNewLogin>]>
2018-03-09 17:31:17,842 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:authenticationDate>2018-03-09T17:31:17.498Z[UTC]</cas:authenticationDate>]>
2018-03-09 17:31:17,842 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:authenticationMethod>LdapAuthenticationHandler</cas:authenticationMethod>]>
2018-03-09 17:31:17,842 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:successfulAuthenticationHandlers>LdapAuthenticationHandler</cas:successfulAuthenticationHandlers>]>
2018-03-09 17:31:17,842 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>]>
2018-03-09 17:31:17,842 DEBUG [org.apereo.cas.services.web.view.AbstractDelegatingCasView] - <Prepared output model with objects [assertion]. Now rendering view...>
I had the assumption that maybe something with my encryption key is wrong (or what I put in the "location" parameter in the service config), but after investigation of the line
2018-03-09 17:31:17,840 DEBUG [org.apereo.cas.authentication.support.DefaultCasProtocolAttributeEncoder] - <[proxyGrantingTicket] is not available as a cached model attribute to encrypt...>
I read https://github.com/apereo/cas/blob/master/core/cas-server-core-services-authentication/src/main/java/org/apereo/cas/authentication/support/DefaultCasProtocolAttributeEncoder.java
So I guess I miss an essential thing here. How can I get the PGT into the attribute cache?
This: https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#clearpass seems only to be necessary for the credentials... or am I wrong?
Any help is highly appreciated.
Thanks and regards,
Christian
After spending several hours of trial&error, reading documentation and googling around my last resort is to ask for help in this mail list.
I need to do proxy authentication, but as the CAS cannot directly access the application(s), I wanted to include the proxy granting ticket in the validation response as described here: https://apereo.github.io/cas/5.2.x/installation/Configuring-Proxy-Authentication.html
The endpoint called is /p3/serviceValidate
The service config is:
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "https://ckoewiki.dev.mydomain.com/bin/view",
"name" : "CKOE wiki",
"id" : 2,
"description" : "Only ckoe wiki auth with proxy",
"evaluationOrder" : 2,
"proxyPolicy" : {
"@class" : "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
"pattern" : "^https?://.*"
},
"usernameAttributeProvider" : {
"@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute" : "uid"
},
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"authorizedToReleaseProxyGrantingTicket" : true
},
"publicKey" : {
"@class" : "org.apereo.cas.services.RegisteredServicePublicKeyImpl",
"location" : "file:/etc/cas/ubxnet.key",
"algorithm" : "RSA"
}
}
The response to the call I get is:
'cas:serviceResponse' => [
{
'cas:authenticationSuccess' => [
{
'cas:attributes' => [
{
'cas:successfulAuthenticationHandlers' => [
'LdapAuthenticationHandler'
],
'cas:authenticationMethod' => [
'LdapAuthenticationHandler'
],
'cas:authenticationDate' => [
'2018-03-09T16:49:17.305Z[UTC]'
],
'cas:isFromNewLogin' => [
'true'
],
'cas:longTermAuthenticationRequestTokenUsed' => [
'false'
],
'cas:credentialType' => [
'RememberMeUsernamePasswordCredential'
]
}
],
'cas:user' => [
'ckoe'
]
}
]
}
]
}
Debug output of the service validation call is:
2018-03-09 17:31:17,821 DEBUG [org.apereo.cas.support.saml.authentication.principal.SamlServiceFactory] - <Request does not specify a [TARGET] or request body is empty>
2018-03-09 17:31:17,821 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <Created [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@76db9e65[id=https://ckoewiki.dev.mydomain.com/bin/view,originalUrl=https://ckoewiki.dev.mydomain.com/bin/view,artifactId=ST-3-RDJ-f7lR48DOdqQu3PtswaToJVgn4-yjlnB9rTXiEj2t1uJ1VbMsiwLu-u2-S3PV7K2pVkaJa5ZT3G7ZxBQ0H8TvN5Fqof9eNXLRPaUCpCOxJwLJiafTahsvvM1Ii7IZrVDfyK6M-dzoKqhRpKy1lIC2k6WFHPJK-d3b1dff9cf2f,principal=<null>,loggedOutAlready=false,format=XML]] based on [org.apereo.cas.authentication.principal.WebApplicationServiceFactory@d4ecdb0[]]>
2018-03-09 17:31:17,821 DEBUG [org.apereo.cas.web.support.AbstractArgumentExtractor] - <Extractor generated service type [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl] for: [https://ckoewiki.dev.mydomain.com/bin/view]>
2018-03-09 17:31:17,821 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Creating new transaction with name [org.apereo.cas.DefaultCentralAuthenticationService.validateServiceTicket]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
2018-03-09 17:31:17,822 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Creating new transaction with name [org.apereo.cas.DefaultCentralAuthenticationService.validateServiceTicket]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
2018-03-09 17:31:17,822 DEBUG [org.apereo.cas.AbstractCentralAuthenticationService] - <Attempting to decode service ticket [ST-3-RDJ-XXX] to verify authenticity>
2018-03-09 17:31:17,822 DEBUG [org.apereo.cas.ticket.support.RememberMeDelegatingExpirationPolicy] - <Ticket is not associated with a remember-me authentication.>
2018-03-09 17:31:17,822 DEBUG [org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Received expiration policy name [DEFAULT] to activate>
2018-03-09 17:31:17,823 DEBUG [org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Located expiration policy [org.apereo.cas.ticket.support.TimeoutExpirationPolicy@72f5] by name [DEFAULT]>
2018-03-09 17:31:17,823 DEBUG [org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Activating expiration policy [org.apereo.cas.ticket.support.TimeoutExpirationPolicy@72f5] for ticket [TGT-**T-3-sudJs8-KA1EN-ziRQDwl75zbzhqFSel1hXAwZVqsEP2uNwNxgDO1Gjd9gPH-X-SHlBU-d3b1dff9cf2f]>
2018-03-09 17:31:17,823 DEBUG [org.apereo.cas.ticket.support.RememberMeDelegatingExpirationPolicy] - <Ticket is not associated with a remember-me authentication.>
2018-03-09 17:31:17,823 DEBUG [org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Received expiration policy name [DEFAULT] to activate>
2018-03-09 17:31:17,824 DEBUG [org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Located expiration policy [org.apereo.cas.ticket.support.TimeoutExpirationPolicy@72f5] by name [DEFAULT]>
2018-03-09 17:31:17,824 DEBUG [org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Activating expiration policy [org.apereo.cas.ticket.support.TimeoutExpirationPolicy@72f5] for ticket [TGT-**T-3-sudJs8-KA1EN-ziRQDwl75zbzhqFSel1hXAwZVqsEP2uNwNxgDO1Gjd9gPH-X-SHlBU-d3b1dff9cf2f]>
2018-03-09 17:31:17,824 DEBUG [org.apereo.cas.ticket.support.RememberMeDelegatingExpirationPolicy] - <Ticket is not associated with a remember-me authentication.>
2018-03-09 17:31:17,824 DEBUG [org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Received expiration policy name [DEFAULT] to activate>
2018-03-09 17:31:17,824 DEBUG [org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Located expiration policy [org.apereo.cas.ticket.support.TimeoutExpirationPolicy@72f5] by name [DEFAULT]>
2018-03-09 17:31:17,824 DEBUG [org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Activating expiration policy [org.apereo.cas.ticket.support.TimeoutExpirationPolicy@72f5] for ticket [TGT-**T-3-sudJs8-KA1EN-ziRQDwl75zbzhqFSel1hXAwZVqsEP2uNwNxgDO1Gjd9gPH-X-SHlBU-d3b1dff9cf2f]>
2018-03-09 17:31:17,825 DEBUG [org.apereo.cas.DefaultCentralAuthenticationService] - <Resolved service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@339f135[id=https://ckoewiki.dev.mydomain.com/bin/view,originalUrl=https://ckoewiki.dev.mydomain.com/bin/view,artifactId=<null>,principal=christian.koehn,loggedOutAlready=false,format=XML]] from the authentication request>
2018-03-09 17:31:17,825 DEBUG [org.apereo.cas.DefaultCentralAuthenticationService] - <Located registered service definition [id=2,name=CKOE wiki,description=Only ckoe wiki auth with proxy,serviceId=https://ckoewiki.dev.mydomain.com/bin/view,usernameAttributeProvider=usernameAttribute=uid,<null>,theme=<null>,evaluationOrder=2,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@7f1d52ab[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@69b4e5c5[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=true,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@28119a6c[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@2c557772[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=org.apereo.cas.services.RegisteredServicePublicKeyImpl@3948e059[location=file:/etc/cas/ubxnet.key,algorithm=RSA],proxyPolicy=org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy@771cb078[^https?://.*],logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@537a960d[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@549395f7[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>] from [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@339f135[id=https://ckoewiki.dev.mydomain.com/bin/view,originalUrl=https://ckoewiki.dev.mydomain.com/bin/view,artifactId=<null>,principal=christian.koehn,loggedOutAlready=false,format=XML]] to handle validation request>
2018-03-09 17:31:17,825 DEBUG [org.apereo.cas.DefaultCentralAuthenticationService] - <Attribute policy [org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@7f1d52ab[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@69b4e5c5[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=true,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@28119a6c[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]]] is associated with service [id=2,name=CKOE wiki,description=Only ckoe wiki auth with proxy,serviceId=https://ckoewiki.dev.mydomain.com/bin/view,usernameAttributeProvider=usernameAttribute=uid,<null>,theme=<null>,evaluationOrder=2,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@7f1d52ab[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@69b4e5c5[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=true,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@28119a6c[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@2c557772[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=org.apereo.cas.services.RegisteredServicePublicKeyImpl@3948e059[location=file:/etc/cas/ubxnet.key,algorithm=RSA],proxyPolicy=org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy@771cb078[^https?://.*],logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@537a960d[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@549395f7[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>]>
2018-03-09 17:31:17,826 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Initiating attributes release phase for principal [christian.koehn] accessing service [https://ckoewiki.dev.mydomain.com/bin/view] defined by registered service [https://ckoewiki.dev.mydomain.com/bin/view]...>
2018-03-09 17:31:17,826 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Locating principal attributes for [christian.koehn]>
2018-03-09 17:31:17,826 DEBUG [org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository] - <[DefaultPrincipalAttributesRepository] will return the collection of attributes directly associated with the principal object which are [{cn=[Christian Koehn], displayName=[Christian Koehn], GidNumber=[500], givenName=[Christian], l=[Thalwil], mail=[xxx], ou=[it-svc], sn=[Koehn], ubxacronym=[ckoe], ubxtelext=[449], uid=[christian.koehn], uidNumber=[10024]}]>
2018-03-09 17:31:17,826 DEBUG [org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository] - <Found [12] cached attributes for principal [christian.koehn] that are [{cn=[Christian Koehn], displayName=[Christian Koehn], GidNumber=[500], givenName=[Christian], l=[Thalwil], mail=[xxx], ou=[it-svc], sn=[Koehn], ubxacronym=[ckoe], ubxtelext=[449], uid=[christian.koehn], uidNumber=[10024]}]>
2018-03-09 17:31:17,826 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found principal attributes [{cn=[Christian Koehn], displayName=[Christian Koehn], GidNumber=[500], givenName=[Christian], l=[Thalwil], mail=[xxx], ou=[it-svc], sn=[Koehn], ubxacronym=[ckoe], ubxtelext=[449], uid=[christian.koehn], uidNumber=[10024]}] for [christian.koehn]>
2018-03-09 17:31:17,827 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Calling attribute policy [ReturnAllowedAttributeReleasePolicy] to process attributes for [christian.koehn]>
2018-03-09 17:31:17,827 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy [ReturnAllowedAttributeReleasePolicy] allows release of [{}] for [christian.koehn]>
2018-03-09 17:31:17,827 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attempting to merge policy attributes and default attributes>
2018-03-09 17:31:17,827 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Checking default attribute policy attributes>
2018-03-09 17:31:17,828 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving default attributes for release, if any>
2018-03-09 17:31:17,828 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [[]]>
2018-03-09 17:31:17,828 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are [{}]>
2018-03-09 17:31:17,828 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding default attributes first to the released set of attributes>
2018-03-09 17:31:17,828 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding policy attributes to the released set of attributes>
2018-03-09 17:31:17,829 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Finalizing attributes release phase for principal [christian.koehn] accessing service [https://ckoewiki.dev.mydomain.com/bin/view] defined by registered service [https://ckoewiki.dev.mydomain.com/bin/view]...>
2018-03-09 17:31:17,829 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{}]>
2018-03-09 17:31:17,829 DEBUG [org.apereo.cas.DefaultCentralAuthenticationService] - <Calculated attributes for release per the release policy are [[]]>
2018-03-09 17:31:17,829 DEBUG [org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] - <Original principal attributes available for selection of username attribute [uid] are [{cn=[Christian Koehn], displayName=[Christian Koehn], GidNumber=[500], givenName=[Christian], l=[Thalwil], mail=[xxx], ou=[it-svc], sn=[Koehn], ubxacronym=[ckoe], ubxtelext=[449], uid=[christian.koehn], uidNumber=[10024]}].>
2018-03-09 17:31:17,829 DEBUG [org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] - <Located service [id=2,name=CKOE wiki,description=Only ckoe wiki auth with proxy,serviceId=https://ckoewiki.dev.mydomain.com/bin/view,usernameAttributeProvider=usernameAttribute=uid,<null>,theme=<null>,evaluationOrder=2,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@7f1d52ab[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@69b4e5c5[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=true,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@28119a6c[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@2c557772[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=org.apereo.cas.services.RegisteredServicePublicKeyImpl@3948e059[location=file:/etc/cas/ubxnet.key,algorithm=RSA],proxyPolicy=org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy@771cb078[^https?://.*],logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@537a960d[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@549395f7[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>] in the registry. Attempting to resolve attributes for [christian.koehn]>
2018-03-09 17:31:17,830 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Initiating attributes release phase for principal [christian.koehn] accessing service [https://ckoewiki.dev.mydomain.com/bin/view] defined by registered service [https://ckoewiki.dev.mydomain.com/bin/view]...>
2018-03-09 17:31:17,830 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Locating principal attributes for [christian.koehn]>
2018-03-09 17:31:17,830 DEBUG [org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository] - <[DefaultPrincipalAttributesRepository] will return the collection of attributes directly associated with the principal object which are [{cn=[Christian Koehn], displayName=[Christian Koehn], GidNumber=[500], givenName=[Christian], l=[Thalwil], mail=[xxx], ou=[it-svc], sn=[Koehn], ubxacronym=[ckoe], ubxtelext=[449], uid=[christian.koehn], uidNumber=[10024]}]>
2018-03-09 17:31:17,830 DEBUG [org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository] - <Found [12] cached attributes for principal [christian.koehn] that are [{cn=[Christian Koehn], displayName=[Christian Koehn], GidNumber=[500], givenName=[Christian], l=[Thalwil], mail=[xxx], ou=[it-svc], sn=[Koehn], ubxacronym=[ckoe], ubxtelext=[449], uid=[christian.koehn], uidNumber=[10024]}]>
2018-03-09 17:31:17,831 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found principal attributes [{cn=[Christian Koehn], displayName=[Christian Koehn], GidNumber=[500], givenName=[Christian], l=[Thalwil], mail=[xxx], ou=[it-svc], sn=[Koehn], ubxacronym=[ckoe], ubxtelext=[449], uid=[christian.koehn], uidNumber=[10024]}] for [christian.koehn]>
2018-03-09 17:31:17,831 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Calling attribute policy [ReturnAllowedAttributeReleasePolicy] to process attributes for [christian.koehn]>
2018-03-09 17:31:17,831 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy [ReturnAllowedAttributeReleasePolicy] allows release of [{}] for [christian.koehn]>
2018-03-09 17:31:17,831 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attempting to merge policy attributes and default attributes>
2018-03-09 17:31:17,832 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Checking default attribute policy attributes>
2018-03-09 17:31:17,832 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving default attributes for release, if any>
2018-03-09 17:31:17,832 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [[]]>
2018-03-09 17:31:17,833 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are [{}]>
2018-03-09 17:31:17,833 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding default attributes first to the released set of attributes>
2018-03-09 17:31:17,833 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding policy attributes to the released set of attributes>
2018-03-09 17:31:17,833 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Finalizing attributes release phase for principal [christian.koehn] accessing service [https://ckoewiki.dev.mydomain.com/bin/view] defined by registered service [https://ckoewiki.dev.mydomain.com/bin/view]...>
2018-03-09 17:31:17,833 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{}]>
2018-03-09 17:31:17,833 DEBUG [org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] - <Attributes resolved by the release policy available for selection of username attribute [uid] are [{}].>
2018-03-09 17:31:17,834 DEBUG [org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] - <The selected username attribute [uid] was retrieved as a direct principal attribute and not through the attribute release policy for service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@339f135[id=https://ckoewiki.dev.mydomain.com/bin/view,originalUrl=https://ckoewiki.dev.mydomain.com/bin/view,artifactId=<null>,principal=christian.koehn,loggedOutAlready=false,format=XML]]. CAS is unable to detect new attribute values for [uid] after authentication unless the attribute is explicitly authorized for release via the service attribute release policy.>
2018-03-09 17:31:17,834 DEBUG [org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] - <Principal id to return for [https://ckoewiki.dev.mydomain.com/bin/view] is [christian.koehn]. The default principal id is [christian.koehn].>
2018-03-09 17:31:17,834 DEBUG [org.apereo.cas.services.BaseRegisteredServiceUsernameAttributeProvider] - <Resolved username for [https://ckoewiki.dev.mydomain.com/bin/view] is [christian.koehn]>
2018-03-09 17:31:17,834 DEBUG [org.apereo.cas.DefaultCentralAuthenticationService] - <Principal determined for release to [https://ckoewiki.dev.mydomain.com/bin/view] is [christian.koehn]>
2018-03-09 17:31:17,835 DEBUG [org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy] - <Skipping access strategy policy, since no attributes rules are defined>
2018-03-09 17:31:17,835 DEBUG [org.apereo.cas.AbstractCentralAuthenticationService] - <Publishing [org.apereo.cas.support.events.ticket.CasServiceTicketValidatedEvent@172ccf1b[assertion=org.apereo.cas.authentication.DefaultAuthentication@b6dfcda9:org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@339f135[id=https://ckoewiki.dev.mydomain.com/bin/view,originalUrl=https://ckoewiki.dev.mydomain.com/bin/view,artifactId=<null>,principal=christian.koehn,loggedOutAlready=false,format=XML],serviceTicket=ST-3-RDJ-f7lR48DOdqQu3PtswaToJVgn4-yjlnB9rTXiEj2t1uJ1VbMsiwLu-u2-S3PV7K2pVkaJa5ZT3G7ZxBQ0H8TvN5Fqof9eNXLRPaUCpCOxJwLJiafTahsvvM1Ii7IZrVDfyK6M-dzoKqhRpKy1lIC2k6WFHPJK-d3b1dff9cf2f]]>
2018-03-09 17:31:17,835 DEBUG [org.apereo.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy] - <Ticket usage count [1] is greater than or equal to [1]. Ticket has expired>
2018-03-09 17:31:17,835 DEBUG [org.apereo.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy] - <Ticket usage count [1] is greater than or equal to [1]. Ticket has expired>
2018-03-09 17:31:17,835 DEBUG [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Ticket [ST-3-RDJ-f7lR48DOdqQu3PtswaToJVgn4-yjlnB9rTXiEj2t1uJ1VbMsiwLu-u2-S3PV7K2pVkaJa5ZT3G7ZxBQ0H8TvN5Fqof9eNXLRPaUCpCOxJwLJiafTahsvvM1Ii7IZrVDfyK6M-dzoKqhRpKy1lIC2k6WFHPJK-d3b1dff9cf2f] has expired and is now removed from the cache>
2018-03-09 17:31:17,836 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: christian.koehn
WHAT: ST-3-RDJ-f7lR48DOdqQu3PtswaToJVgn4-yjlnB9rTXiEj2t1uJ1VbMsiwLu-u2-S3PV7K2pVkaJa5ZT3G7ZxBQ0H8TvN5Fqof9eNXLRPaUCpCOxJwLJiafTahsvvM1Ii7IZrVDfyK6M-dzoKqhRpKy1lIC2k6WFHPJK-d3b1dff9cf2f
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Fri Mar 09 17:31:17 UTC 2018
CLIENT IP ADDRESS: 195.34.89.139
SERVER IP ADDRESS: 172.17.0.7
=============================================================
>
2018-03-09 17:31:17,836 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Initiating transaction commit>
2018-03-09 17:31:17,836 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Resuming suspended transaction after completion of inner transaction>
2018-03-09 17:31:17,837 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Initiating transaction commit>
2018-03-09 17:31:17,837 DEBUG [org.apereo.cas.validation.AbstractCasProtocolValidationSpecification] - <Is validation specification set to enforce [renew] protocol behavior? [no]. Is assertion issued from a new login? [yes]>
2018-03-09 17:31:17,837 DEBUG [org.apereo.cas.validation.Cas20ProtocolValidationSpecification] - <Assertion is always satisfied>
2018-03-09 17:31:17,837 DEBUG [org.apereo.cas.validation.AbstractCasProtocolValidationSpecification] - <Validation specification is satisfied by the produced assertion>
2018-03-09 17:31:17,837 DEBUG [org.apereo.cas.web.AbstractServiceValidateController] - <Locating the primary authentication associated with this service request [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@339f135[id=https://ckoewiki.dev.mydomain.com/bin/view,originalUrl=https://ckoewiki.dev.mydomain.com/bin/view,artifactId=<null>,principal=christian.koehn,loggedOutAlready=false,format=XML]]>
2018-03-09 17:31:17,838 DEBUG [org.apereo.cas.web.AbstractServiceValidateController] - <No particular authentication context is required for this request>
2018-03-09 17:31:17,838 DEBUG [org.apereo.cas.web.AbstractServiceValidateController] - <No service credentials specified, and/or the proxy handler [Cas20ProxyHandler] cannot handle credentials>
2018-03-09 17:31:17,838 DEBUG [org.apereo.cas.web.AbstractServiceValidateController] - <Successfully validated service ticket [ST-3-RDJ-f7lR48DOdqQu3PtswaToJVgn4-yjlnB9rTXiEj2t1uJ1VbMsiwLu-u2-S3PV7K2pVkaJa5ZT3G7ZxBQ0H8TvN5Fqof9eNXLRPaUCpCOxJwLJiafTahsvvM1Ii7IZrVDfyK6M-dzoKqhRpKy1lIC2k6WFHPJK-d3b1dff9cf2f] for service [https://ckoewiki.dev.mydomain.com/bin/view]>
2018-03-09 17:31:17,838 DEBUG [org.apereo.cas.services.web.view.AbstractDelegatingCasView] - <Preparing the output model [[assertion, service, org.springframework.validation.BindingResult.assertion, org.springframework.validation.BindingResult.service]] to render view [Cas30ResponseView]>
2018-03-09 17:31:17,838 DEBUG [org.apereo.cas.web.view.Cas20ResponseView] - <Prepared CAS response output model with attribute names [[assertion, service, org.springframework.validation.BindingResult.assertion, org.springframework.validation.BindingResult.service, principal, chainedAuthentications, primaryAuthentication]]>
2018-03-09 17:31:17,839 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Processed response principal attributes from the output model to be [[]]>
2018-03-09 17:31:17,839 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <CAS is configured to release protocol-level attributes. Processing...>
2018-03-09 17:31:17,839 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Processed response protocol/authentication attributes from the output model to be [[credentialType, longTermAuthenticationRequestTokenUsed, isFromNewLogin, authenticationDate, authenticationMethod, successfulAuthenticationHandlers]]>
2018-03-09 17:31:17,839 DEBUG [org.apereo.cas.services.web.view.AbstractCasView] - <Obtained [credential] as an authentication attribute>
2018-03-09 17:31:17,839 DEBUG [org.apereo.cas.services.web.view.AbstractCasView] - <Attribute release policy for [https://ckoewiki.dev.mydomain.com/bin/view] does not authorize the release of [credential]>
2018-03-09 17:31:17,839 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Final collection of attributes for the response are [[credentialType, isFromNewLogin, authenticationDate, authenticationMethod, successfulAuthenticationHandlers, longTermAuthenticationRequestTokenUsed]].>
2018-03-09 17:31:17,840 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Beginning to encode attributes for the response>
2018-03-09 17:31:17,840 DEBUG [org.apereo.cas.authentication.support.AbstractProtocolAttributeEncoder] - <Starting to encode attributes for release to service [id=2,name=CKOE wiki,description=Only ckoe wiki auth with proxy,serviceId=https://ckoewiki.dev.mydomain.com/bin/view,usernameAttributeProvider=usernameAttribute=uid,<null>,theme=<null>,evaluationOrder=2,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@7f1d52ab[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@69b4e5c5[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=true,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@28119a6c[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@2c557772[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=org.apereo.cas.services.RegisteredServicePublicKeyImpl@3948e059[location=file:/etc/cas/ubxnet.key,algorithm=RSA],proxyPolicy=org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy@771cb078[^https?://.*],logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@537a960d[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@549395f7[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>]>
2018-03-09 17:31:17,840 DEBUG [org.apereo.cas.authentication.support.DefaultCasProtocolAttributeEncoder] - <[credential] is not available as a cached model attribute to encrypt...>
2018-03-09 17:31:17,840 DEBUG [org.apereo.cas.authentication.support.DefaultCasProtocolAttributeEncoder] - <[proxyGrantingTicket] is not available as a cached model attribute to encrypt...>
2018-03-09 17:31:17,840 DEBUG [org.apereo.cas.authentication.support.DefaultCasProtocolAttributeEncoder] - <Sanitizing attribute names in preparation of the final validation response>
2018-03-09 17:31:17,841 DEBUG [org.apereo.cas.authentication.support.AbstractProtocolAttributeEncoder] - <[6] encoded attributes are available for release to [id=2,name=CKOE wiki,description=Only ckoe wiki auth with proxy,serviceId=https://ckoewiki.dev.mydomain.com/bin/view,usernameAttributeProvider=usernameAttribute=uid,<null>,theme=<null>,evaluationOrder=2,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@7f1d52ab[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@69b4e5c5[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=true,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@28119a6c[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@2c557772[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=org.apereo.cas.services.RegisteredServicePublicKeyImpl@3948e059[location=file:/etc/cas/ubxnet.key,algorithm=RSA],proxyPolicy=org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy@771cb078[^https?://.*],logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@537a960d[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@549395f7[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>]: [[credentialType, isFromNewLogin, authenticationDate, authenticationMethod, successfulAuthenticationHandlers, longTermAuthenticationRequestTokenUsed]]>
2018-03-09 17:31:17,841 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Encoded attributes for the response are [{credentialType=RememberMeUsernamePasswordCredential, isFromNewLogin=[true], authenticationDate=[2018-03-09T17:31:17.498Z[UTC]], authenticationMethod=LdapAuthenticationHandler, successfulAuthenticationHandlers=[LdapAuthenticationHandler], longTermAuthenticationRequestTokenUsed=[false]}]>
2018-03-09 17:31:17,841 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Beginning to format/render attributes for the response>
2018-03-09 17:31:17,841 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:credentialType>RememberMeUsernamePasswordCredential</cas:credentialType>]>
2018-03-09 17:31:17,841 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:isFromNewLogin>true</cas:isFromNewLogin>]>
2018-03-09 17:31:17,842 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:authenticationDate>2018-03-09T17:31:17.498Z[UTC]</cas:authenticationDate>]>
2018-03-09 17:31:17,842 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:authenticationMethod>LdapAuthenticationHandler</cas:authenticationMethod>]>
2018-03-09 17:31:17,842 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:successfulAuthenticationHandlers>LdapAuthenticationHandler</cas:successfulAuthenticationHandlers>]>
2018-03-09 17:31:17,842 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>]>
2018-03-09 17:31:17,842 DEBUG [org.apereo.cas.services.web.view.AbstractDelegatingCasView] - <Prepared output model with objects [assertion]. Now rendering view...>
I had the assumption that maybe something with my encryption key is wrong (or what I put in the "location" parameter in the service config), but after investigation of the line
2018-03-09 17:31:17,840 DEBUG [org.apereo.cas.authentication.support.DefaultCasProtocolAttributeEncoder] - <[proxyGrantingTicket] is not available as a cached model attribute to encrypt...>
I read https://github.com/apereo/cas/blob/master/core/cas-server-core-services-authentication/src/main/java/org/apereo/cas/authentication/support/DefaultCasProtocolAttributeEncoder.java
So I guess I miss an essential thing here. How can I get the PGT into the attribute cache?
This: https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#clearpass seems only to be necessary for the credentials... or am I wrong?
Any help is highly appreciated.
Thanks and regards,
Christian
Christian Koehn
Mar 14, 2018, 12:35:56 PM3/14/18
to CAS Community
Solved,
the "essential thing" I missed was that even you cannot use a proxy callback, you MUST use that url parameter in the service validation call. Next to that the argument of the parameter MUST be a reachable https URL that also does not respond with an error.
the "essential thing" I missed was that even you cannot use a proxy callback, you MUST use that url parameter in the service validation call. Next to that the argument of the parameter MUST be a reachable https URL that also does not respond with an error.
Kelly Geng
Mar 17, 2019, 10:39:20 AM3/17/19
to CAS Community
Hi Christian,
I ran into the same issue that you had and found this post. What do you mean by "Next to that the argument of the parameter MUST be a reachable https URL that also does not respond with an error"? Can that be any url that is reachable and SSL-validatable by the CAS server? What would that be in your case? Because I assume it has to be a service that can handle the callback in order to have an acceptable response.
Any help will be appreciated!
Kelly
Reply all
Reply to author
Forward
0 new messages