I believe I am very close to getting a working CAS instance to authenticate from our Oracle 12g Database using the CAS5 RC5 snapshot.
I have configured the QueryAndEncodeDatabaseAuthenticationHandler via the maven overlay in cas.properties.
I have set the following values:
cas.authn.jdbc.encode[0].driverClass=oracle.jdbc.driver.OracleDriver
cas.authn.jdbc.encode[0].url=jdbc:oracle:thin:@xxxxxxxx.edu:1521:xxxxx
cas.authn.jdbc.encode[0].user=xxxxxxxxxxx
cas.authn.jdbc.encode[0].password=xxxxxxxxxx
cas.authn.jdbc.encode[0].sql=select gobtpac_pin, gobtpac_salt from gobtpac left join unixacct on pidm = gobtpac_pidm where userid = ?
cas.authn.jdbc.encode[0].algorithmName=SHA-1
cas.authn.jdbc.encode[0].passwordFieldName=gobtpac_pin
cas.authn.jdbc.encode[0].saltFieldName=gobtpac_salt
cas.authn.jdbc.encode[0].healthQuery=select 1 from dual
cas.authn.jdbc.encode[0].encodingAlgorithm=sha1
The gobtpac_pin field in the database is computed as sha1('password' + salt).
When I attempt to log in as myself I can see the database respond with (via tcpdump -i eno1 -nnvvXSs 1514 host 136.223.xxx.xxx):
0x0070: 0001 0b01 0b0b 474f 4254 5041 435f 5049 ......GOBTPAC_PI
0x0080: 4e00 0000 0001 8000 0002 0200 0002 1000 N...............
0x0090: 0000 0203 6901 0180 010c 010c 0c47 4f42 ....i........GOB
0x00a0: 5450 4143 5f53 414c 5400 0001 0100 0107 TPAC_SALT.......
0x00b0: 0778 740a 1f0c 102b 0002 1fe8 0102 0102 .xt....+........
0x00c0: 0006 2201 0200 010a 0000 0007 2845 3441 ..".........(E4A
0x00d0: 3542 3341 3743 3044 3634 3735 4144 3541 5B3A7C0D6475AD5A
0x00e0: 3737 4641 4131 3636 3733 3536 3238 5858 77FAA166735628XX
0x00f0: 4443 3931 3108 3146 364d 4c45 4444 0801 DC911.1F6MLEDD..
This corresponds to what I get from my sql query:
select gobtpac_pin, gobtpac_salt from gobtpac left join unixacct on pidm = gobtpac_pidm where userid = 'xxxxxxx';
-----------------------------------------
E4A5B3A7C0D6475AD5A77FAA166735628XXDC911 1F6MLEDD
I have tried:
cas.authn.jdbc.encode[0].encodingAlgorithm=sha1
&&
cas.authn.jdbc.encode[0].encodingAlgorithm=SHA-1
Ultimately I get the following error in catalina.out:
2016-10-31 11:31:18,374 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <QueryAndEncodeDatabaseAuthenticationHandler failed authenticating xxxxxxx>
2016-10-31 11:31:18,374 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [xxxxxxx] of type [UsernamePasswordCredential], which suggests a configuration problem.>
2016-10-31 11:31:18,375 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: xxxxxxx
WHAT: Supplied credentials: [xxxxxxx]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Mon Oct 31 11:31:18 EDT 2016
CLIENT IP ADDRESS: aa.bbb.c.d
SERVER IP ADDRESS: yyy.z.ss.ttt
=============================================================
Can someone please lend me a hand with this configuration? Or am I just way off base on how QueryAndEncodeDatabaseAuthenticationHandler works?
Thank you,
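The post states that gobtpac_pin is sha1('password' + salt) stored as uppercase hex, while the handler's configured SHA-1 encoding produced no match. Before changing more CAS properties, the useful check is to reproduce the stored column value offline and see which salt ordering and hex case the database actually uses. The script below is an added example and is not code from the original post or from CAS; the password and salt are constructed sample values. It assumes, to be verified against the CAS version in use, that CAS 5's QueryAndEncodeDatabaseAuthenticationHandler delegates to Shiro-style hashing, which digests the salt bytes before the password bytes and emits lowercase hex; the "salt+password" candidate exists to test that assumption.

```python
import hashlib

# Constructed sample values (not from the original post): a password and the
# per-user salt the database row would hold alongside the hashed pin.
SAMPLE_PASSWORD = "correct horse battery"
SAMPLE_SALT = "AB12CD34"


def sha1_hex(data: bytes) -> str:
    """Lowercase hex SHA-1 digest of the given bytes."""
    return hashlib.sha1(data).hexdigest()


def candidate_encodings(password: str, salt: str) -> dict:
    """Return the SHA-1 variants a salted-hash column plausibly holds.

    'password+salt' is the scheme the post describes for gobtpac_pin.
    'salt+password' is what a Shiro-style SimpleHash produces (salt bytes are
    fed to the digest before the password bytes); this ordering is an
    assumption to check against the CAS version in use.
    'unsalted' is included so a column that ignores the salt is also detected.
    """
    pw = password.encode("utf-8")
    st = salt.encode("utf-8")
    return {
        "password+salt": sha1_hex(pw + st),
        "salt+password": sha1_hex(st + pw),
        "unsalted": sha1_hex(pw),
    }


def find_matching_encoding(stored_hex: str, password: str, salt: str):
    """Return the label of the encoding that reproduces stored_hex, or None.

    The comparison is case-insensitive because Oracle-side hex columns are
    often uppercase while Java hex encoders emit lowercase; a handler that
    compares the strings exactly would fail on case alone.
    """
    target = stored_hex.strip().lower()
    for label, digest in candidate_encodings(password, salt).items():
        if digest == target:
            return label
    return None


def stored_pin_as_post_describes(password: str, salt: str) -> str:
    """Simulate the column as the post describes it: sha1(password + salt), uppercase hex."""
    return sha1_hex((password + salt).encode("utf-8")).upper()


if __name__ == "__main__":
    stored = stored_pin_as_post_describes(SAMPLE_PASSWORD, SAMPLE_SALT)
    print("stored column value:", stored)
    print("matching encoding  :", find_matching_encoding(stored, SAMPLE_PASSWORD, SAMPLE_SALT))
    for label, digest in candidate_encodings(SAMPLE_PASSWORD, SAMPLE_SALT).items():
        print(f"{label:15s} {digest}")
```

Run it with a real row's pin and salt substituted for the constructed values and your own password: if only "password+salt" matches, the column's ordering differs from a salt-first hasher and no choice of encodingAlgorithm alone will make the handler agree; if the match is only found case-insensitively, the hex case of the stored value is the discrepancy to address.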