CAS 5.2.1 reports failed authentications as AUTHENTICATION_SUCCESS


Mohsen Ebrahimi

Jan 11, 2018, 2:33:12 AM
to cas-...@apereo.org

Hello

It works fine in 5.2. I think it's a bug.

Thank you


2018-01-11 02:18:15,693 WARN [org.apereo.cas.authentication.LdapAuthenticationHandler] - <DN resolution failed. [DN cannot be null]>
2018-01-11 02:18:15,694 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [wronguser] of type [UsernamePasswordCredential].>
2018-01-11 02:18:15,697 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: wronguser
WHAT: Supplied credentials: [wronguser]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Thu Jan 11 02:18:15 EST 2018

Ben Howell-Thomas

Jan 19, 2018, 9:29:02 AM
to cas-...@apereo.org
I'm seeing this too.

Attached image of debugging shows it goes to the wrong resolveFrom method in org.apereo.inspektr.audit.spi.support.DefaultAuditActionResolver, i.e. one version of the method takes an Object (for success messages) and the other takes an Exception (for failure). It should go to the failure one since it's passing an AuthenticationException and that's closer to Exception than Object in the class hierarchy.



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5d686a56463686a943ec76d5ae0fde8f%40of.iut.ac.ir.


DefaultAuditActionResolver_bug.PNG

Jeffrey Ramsay

Jan 19, 2018, 9:52:22 AM
to CAS Community
How are you getting these statements in your logs? I can produce them since upgrading to 5.1 and it was used for our Splunk system.

        <AsyncLogger name="org.apereo.inspektr.audit.support" level="info" additivity="false" includeLocation="true">
            <AppenderRef ref="casAudit"/>
            <AppenderRef ref="casFile"/>
        </AsyncLogger>

-Jeff


Ben Howell-Thomas

Jan 19, 2018, 10:47:02 AM
to cas-...@apereo.org
Might have solved it.

To confirm what Mohsen said, seems fine in 5.2.0.

Between 5.2.0 and 5.2.1 the inspektrVersion goes up from 1.7.0 to 1.7.1.GA

Between them, ah - I think I may have found it - org.apereo.inspektr.audit.AuditTrailManagementAspect changes line 141 from:

        } catch (final Exception e) {

to 

        } catch (final Throwable e) {

I think I remember reading that polymorphism type things are worked out at compile time.  If it's treating the AuthenticationException as a Throwable then that's not an Exception (since Exception is a sub-class of Throwable) but it is an Object, hence it calls the org.apereo.inspektr.audit.spi.support.DefaultAuditActionResolver.resolveFrom method that uses the Object parameter and is therefore considered a success.

This looks like a side effect of this commit to Inspektr:

Commit: a51eefbc0fe6619bb651b91a99f44bb6d262e744 [a51eefb]
Parents: 8a07750485, 0cdde58bcc
Author: Misagh Moayyed <mmoa...@unicon.net>
Date: 06 March 2017 16:17:35
Committer: GitHub <nor...@github.com>
Merge pull request #8 from vvidovic/cherry-pick
Fix: auditing on Erorr (not only Exception)

@Misagh/Apereo/everyone - Hope that's been helpful.  I'm sorry but I haven't got time to submit a patch (partly because upgrading to 5.2 has taken so long ;).  If it's not something anyone's likely to pick up I could maybe look at it next week.

blessings,

Ben
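
The overload selection described in the message above, reduced to a stand-alone Java program. This is an added example, not Inspektr's or CAS's code: the class, the method bodies and the returned action strings are assumptions made for illustration, and the last method is one possible remedy, not necessarily what the Inspektr fix does.

```java
// Added illustration. All names here are hypothetical stand-ins, not Inspektr's classes.
public class OverloadDispatchDemo {

    // Two overloads shaped like the resolver in the thread: one for a normal
    // return value, one for a failure.
    static String resolveFrom(Object returnValue) { return "AUTHENTICATION_SUCCESS"; }
    static String resolveFrom(Exception failure)  { return "AUTHENTICATION_FAILED"; }

    // Stand-in for an authentication attempt that is rejected.
    static Object authenticate() throws Exception {
        throw new IllegalStateException("constructed failure: DN cannot be null");
    }

    // Static type of e is Exception, so the compiler binds resolveFrom(Exception).
    static String auditCatchingException() {
        try {
            return resolveFrom(authenticate());
        } catch (final Exception e) {
            return resolveFrom(e);
        }
    }

    // Static type of e is Throwable. Throwable is not an Exception, so the only
    // applicable overload is resolveFrom(Object), whatever e is at run time.
    static String auditCatchingThrowable() {
        try {
            return resolveFrom(authenticate());
        } catch (final Throwable e) {
            return resolveFrom(e);
        }
    }

    // One possible remedy (assumption): branch on the run-time type and treat
    // every Throwable, Errors included, as a failure.
    static String auditCatchingThrowableChecked() {
        try {
            return resolveFrom(authenticate());
        } catch (final Throwable e) {
            return (e instanceof Exception) ? resolveFrom((Exception) e) : "AUTHENTICATION_FAILED";
        }
    }

    public static void main(String[] args) {
        System.out.println("catch (Exception): " + auditCatchingException());
        System.out.println("catch (Throwable): " + auditCatchingThrowable());
        System.out.println("catch (Throwable) + type check: " + auditCatchingThrowableChecked());
    }
}
```

With JDK 11 or later it runs directly as `java OverloadDispatchDemo.java`.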


Oscar del Pozo

Jan 23, 2018, 11:27:42 AM
to CAS Community
Hi,

I've made a pull request solving this issue: https://github.com/apereo/inspektr/pull/10. It has already been approved.

Ben Howell-Thomas

Jan 29, 2018, 9:34:54 AM
to cas-...@apereo.org
Thank you :)


Oscar del Pozo

Jan 29, 2018, 10:40:11 AM
to CAS Community
I have just tested the new version and it seems to fail. This issue should be re-opened at the GitHub project.

Ben Howell-Thomas

Feb 6, 2018, 6:13:58 AM
to cas-...@apereo.org
I couldn't see anything in the 5.2.2 release that updates the version of Inspektr to the next one.

Presumably when your fix to Inspektr is released the inspektrVersion in CAS' gradle.properties will need updating.

