How to evaluate user expiry date/time during database authentication?


Bobby Esfandiari

Jun 27, 2019, 8:11:18 PM
to CAS Community
Hello,

I'm in need of some help in modifying my CAS server's authentication process. In addition to the username/password check, I would like authentication to fail if a user has expired. An expired user is identified by a userExpiry column that stores date/time information, such that expired = CURRENT_TIMESTAMP > userExpiry date/time.

I realize there is a CAS overlay property ( cas.authn.jdbc.query[0].fieldDisabled= ) that sort of does this, but I do not currently have a Boolean column in the user table that can be used for this purpose and implementing one is not feasible at this time.

However, I'm stuck on the following 2 issues:
  1. Which authentication handler would be the best one to extend in this case? 
  2. How do I include the userExpiry column data from my database in my custom authentication handler?

Any assistance would be greatly appreciated!

Bobby Esfandiari

Jun 27, 2019, 8:13:30 PM
to CAS Community
Just wanted to add that I'm using CAS 6.1.x and JDK 11.

Misagh Moayyed

Jun 28, 2019, 2:38:17 AM
to cas-...@apereo.org
> However, I'm stuck on the following 2 issues:
>   1. Which authentication handler would be the best one to extend in this case?

AbstractJdbcUsernamePasswordAuthenticationHandler

>   2. How do I include the userExpiry column data from my database in my custom authentication handler?

Take a look at how QueryDatabaseAuthenticationHandler does things, and then model yours the same way.

Bobby Esfandiari

Jul 8, 2019, 7:59:02 PM
to CAS Community
@Misagh Moayyed
Thank you very much for your assistance. I was able to follow QueryDatabaseAuthenticationHandler as a template, extending AbstractJdbcUsernamePasswordAuthenticationHandler, and adding my custom logic to it.

I do have a follow-up question though that I haven't been able to figure out by reading the documentation. Is there any way that I can manually expire TGTs for users that are expired based on the user expiry date/time? It's my understanding that CAS will automatically send out logout messages to registered services after a user manually logs out. I can handle these messages in those services, but I'm not sure how to initiate the process manually for an expired user.

Ideally I'd be able to inject some logic (similar to the custom handler) that would monitor the user table and start the SLO process by expiring the TGTs for any users whose expiry date < current time. I just have no idea if such a component exists in CAS and the ticket expiry docs don't seem to indicate any way of overriding their functionality.

Thanks again!


PS
For anyone that might have the same issue in the future, I also had to add the following properties. This was needed to stop CAS from continuing to process other handlers and generate a TGT, even though my custom handler identified the user as expired and threw an error:

  cas.authn.policy.requiredHandlerAuthenticationPolicyEnabled=true
  cas.authn.policy.req.tryAll=false
  cas.authn.policy.req.handlerName=MyAuthenticationHandler
  cas.authn.policy.req.enabled=true

Ray Bon

Jul 8, 2019, 8:29:18 PM
to cas-...@apereo.org
Bobby,

Single logout is a messy business anytime. If you force users to be logged out of their applications when the CAS session ends, you risk terminating a session which an application considers valid (i.e. service has a longer session than CAS).

If you have control over all services supported by CAS, you could make their sessions shorter than the CAS session (but that does not help if the user logs in shortly before the CAS session expires).

How do you alert the user that their session is expired? Would a background logout conflict with an application's management of a user's experience/data?

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Bobby Esfandiari

Jul 9, 2019, 1:11:37 PM
to CAS Community
Hello Ray,

I have thought about the user implications and it's not currently a large concern because I'm looking at this more from a security point of view.

My CAS sessions are longer than that of the services, but I want an expired user to be stopped from accessing all services as soon as possible. Once I'm able to establish that part of the functionality then I can tweak the user experience, if needed. For the time being I'm okay with the user being forced out and receiving a message that indicates their expiry, if/when they try to log in again.

What I need to know is whether it's actually possible to insert logic into CAS that will:
  1. Monitor my user table and identify expired users from the user expiry column.
  2. Expire their TGT.
  3. Initiate SLO to log them out of registered services.

Thanks!

Misagh Moayyed

Jul 9, 2019, 1:41:00 PM
to CAS Community
> Is there any way that I can manually expire TGTs for users that are expired based on the user expiry date/time? It's my understanding that CAS will automatically send out logout messages to registered services after a user manually logs out. I can handle these messages in those services, but I'm not sure how to initiate the process manually for an expired user.

This might help:

See "ssoSessions". You could design it as an out-of-band process to fetch the user id for the expired account, locate the TGT for that user id, and send it as a DELETE op to that endpoint, to initiate SLO...or catch the "user is expired" error somewhere in the webflow from the handler and do the same there.
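The out-of-band process Misagh describes above, combined with the expiry predicate from the first post (expired = current time > userExpiry), as an added example that is not code from this thread or from the CAS project. It assumes the users/userExpiry table described in the thread, stored as UTC timestamps in one fixed text format; the actuator response shape (activeSsoSessions, authenticated_principal, ticket_granting_ticket) and the DELETE /actuator/ssoSessions/{tgt} path are assumed from the CAS 6.1 documentation and should be checked against your version; the HTTP transport is injected so the logic runs offline, and the sample database, session listing and fake transport are constructed for the demonstration. Authentication to the actuator endpoint is deliberately left to the transport you plug in.

```python
"""Out-of-band reaper for expired CAS users (illustration, not CAS code):
1. find users whose userExpiry has passed,
2. locate their SSO sessions (TGTs) via the ssoSessions actuator endpoint,
3. DELETE those sessions so CAS itself initiates single logout.
"""
import sqlite3
from datetime import datetime, timezone
from typing import Callable, Dict, Iterable, List

ISO = "%Y-%m-%d %H:%M:%S"          # one fixed UTC text format, used on both sides

# --- 1. identify expired users (the predicate from the first post) ------------
def expired_users(conn: sqlite3.Connection, now_utc: datetime) -> List[str]:
    """Usernames whose userExpiry is earlier than now_utc.

    A NULL userExpiry is NOT treated as expired here; if your policy is
    "no expiry recorded means no access", drop the IS NOT NULL clause.
    Passing the clock in (instead of CURRENT_TIMESTAMP) keeps the check
    deterministic and avoids app/DB clock and timezone skew.
    """
    rows = conn.execute(
        "SELECT username FROM users WHERE userExpiry IS NOT NULL AND userExpiry < ?",
        (now_utc.strftime(ISO),),
    )
    return [r[0] for r in rows]

# --- 2. map users to their TGTs ----------------------------------------------
def tgts_for_users(sso_sessions: dict, users: Iterable[str]) -> Dict[str, List[str]]:
    """Collect TGT ids per expired user from a GET /actuator/ssoSessions?type=ALL
    response. Field names are assumed from the CAS 6.1 actuator documentation."""
    wanted = set(users)
    found: Dict[str, List[str]] = {}
    for session in sso_sessions.get("activeSsoSessions", []):
        principal = session.get("authenticated_principal")
        if principal in wanted:
            found.setdefault(principal, []).append(session["ticket_granting_ticket"])
    return found

# --- 3. revoke: deleting the TGT is what makes CAS fire SLO callbacks --------
Transport = Callable[[str, str], int]   # (method, url) -> HTTP status code

def revoke_sessions(base_url: str, tgts: Dict[str, List[str]], send: Transport) -> List[str]:
    """DELETE each TGT via /actuator/ssoSessions/{tgt}; return the ids CAS accepted."""
    revoked: List[str] = []
    for _user, ids in tgts.items():
        for tgt in ids:
            status = send("DELETE", f"{base_url}/actuator/ssoSessions/{tgt}")
            if 200 <= status < 300:
                revoked.append(tgt)
    return revoked

def reap(conn, sso_sessions, now_utc, base_url, send) -> List[str]:
    """Full pass: expired users -> their TGTs -> revoked TGT ids."""
    users = expired_users(conn, now_utc)
    return revoke_sessions(base_url, tgts_for_users(sso_sessions, users), send)

# --- constructed sample data (not from any real deployment) -----------------
def sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, userExpiry TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "2019-06-01 00:00:00"),   # expired before SAMPLE_NOW
        ("bob",   "2030-01-01 00:00:00"),   # still valid
        ("carol", None),                    # no expiry recorded
    ])
    return conn

SAMPLE_NOW = datetime(2019, 7, 9, 12, 0, tzinfo=timezone.utc)

SAMPLE_SSO = {"activeSsoSessions": [   # shape assumed from the CAS docs
    {"authenticated_principal": "alice", "ticket_granting_ticket": "TGT-1-alice-example"},
    {"authenticated_principal": "alice", "ticket_granting_ticket": "TGT-2-alice-example"},
    {"authenticated_principal": "bob",   "ticket_granting_ticket": "TGT-3-bob-example"},
]}

def fake_send(method: str, url: str) -> int:
    """Stand-in transport that records calls and reports success; replace with
    urllib/requests carrying the actuator's credentials in a real deployment."""
    fake_send.calls.append((method, url))
    return 200
fake_send.calls = []

if __name__ == "__main__":
    print(reap(sample_db(), SAMPLE_SSO, SAMPLE_NOW, "https://cas.example.org/cas", fake_send))
    # -> ['TGT-1-alice-example', 'TGT-2-alice-example']
```

Run on a schedule, this is the "monitor the user table, expire the TGT, let CAS start SLO" sequence from the follow-up question: the reaper never contacts registered services directly, because deleting the TGT is exactly what triggers CAS's own logout callbacks. Two choices worth making explicit in your own version are how a NULL expiry is treated (the function above fails open on NULL; fail closed if that matches your policy) and that the actuator endpoint must be enabled and access-controlled, since anything that can call it can terminate any user's session.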