CAS 5.0, 6.3 logging differences

Baron Fujimoto

Jul 2, 2021, 11:40:08 PM
to CAS Community
Continuing our journey to upgrade from CAS 5.0 to 6.3, I have some questions re logging differences I'm seeing.

Service not found in service registry
------------------------------------------------
With CAS 5.0, if a service was not registered, we see something like this logged for an unauthorized service such as "https://www.foo.com":

WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck] - <Service Management: missing service. Service [https://www.foo.com] is not found in service registry.>

This is often very helpful for troubleshooting to be able to see what URL an app is trying to use.

But with CAS 6.3 we see:

ERROR [org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter] - <Service unauthorized>
org.apereo.cas.services.UnauthorizedServiceException: Service unauthorized
        at org.apereo.cas.services.RegisteredServiceAccessStrategyAuditableEnforcer.execute(RegisteredServiceAccessStrategyAuditableEnforcer.java:112) ~[cas-server-core-services-api-6.3.4.jar:6.3.4]
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:9.0.46]
        [...many many lines of stack trace...]
        at java.lang.Thread.run(Thread.java:829) [?:?]

The unauthorized service is never identified, which removes a valuable troubleshooting tool. Is there a way to include this information?

We definitely want to see things logged as ERRORs, but the stack trace seems more appropriate for something at the DEBUG level?

Failed authentications
-----------------------------
With CAS 5.0, when a user authentication failed, we'd see something like the following logged:

INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed authenticating USERNAME>
WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [USERNAME] of type [UsernamePasswordCredential], which suggests a configuration problem.>
INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: USERNAME
WHAT: Supplied credentials: [USERNAME]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Jul 02 17:06:00 HST 2021
CLIENT IP ADDRESS: 172.19.100.162
SERVER IP ADDRESS: 172.16.1.76
=============================================================
>

Whereas with CAS 6.3, we get:

INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] exception details: [Invalid credentials].>
INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: USERNAME
WHAT: Supplied credentials: [UsernamePasswordCredential(username=USERNAME, source=null, customFields={})]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Jul 02 17:00:45 HST 2021
CLIENT IP ADDRESS: 10.17.133.2
SERVER IP ADDRESS: 10.17.133.14
=============================================================
>
WARN [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <1 errors, 0 successes>
DEBUG [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <1 errors, 0 successes>
org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes
        at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:340) ~[cas-server-core-authentication-api-6.3.4.jar:6.3.4]
        [... ~200 more lines of stack trace ...]
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:9.0.46]
        at java.lang.Thread.run(Thread.java:829) [?:?]

This 200+ line stack trace seems like overkill and not really helpful. Is the solution to this just not logging org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver at the debug level?

--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
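
Added example (not part of the original post and not CAS project code): a parser for the Inspektr audit blocks quoted above that extracts the username from both the CAS 5.0 and CAS 6.3 forms of the WHAT field, so that failed-login counting keeps working across the upgrade. The function names are hypothetical, and the sample log is assembled from the two records in the post.

```python
import re
from collections import Counter

# Audit block layout as quoted in the post; only WHAT, WHEN and the IPs vary.
RECORD = """INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: USERNAME
WHAT: Supplied credentials: [{what}]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: {when}
CLIENT IP ADDRESS: {client}
SERVER IP ADDRESS: {server}
=============================================================
>
"""
# Sample input assembled from the post: one CAS 5.0 record, one CAS 6.3 record,
# then the WARN line that follows the record in 6.3.
SAMPLE_LOG = (
    RECORD.format(what="USERNAME", when="Fri Jul 02 17:06:00 HST 2021",
                  client="172.19.100.162", server="172.16.1.76")
    + RECORD.format(what="UsernamePasswordCredential(username=USERNAME, source=null, customFields={})",
                    when="Fri Jul 02 17:00:45 HST 2021", client="10.17.133.2", server="10.17.133.14")
    + "WARN [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <1 errors, 0 successes>\n"
)
FIELD = re.compile(r"^([A-Z][A-Z ]+): (.*)$")                # e.g. "CLIENT IP ADDRESS: 10.0.0.1"
CRED_6X = re.compile(r"\w+Credential\(username=([^,)]*)")    # 6.3 credential rendering

def parse_audit_records(text):
    """Yield one dict per audit block; lines outside a block are ignored."""
    record = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith("<Audit trail record BEGIN"):
            record = {}
        elif record is not None and line == ">":
            yield record
            record = None
        elif record is not None and (m := FIELD.match(line)):
            record[m.group(1)] = m.group(2)

def supplied_username(what):
    """Return the username from a WHAT value in either the 5.0 or the 6.3 form."""
    inner = what.split("[", 1)[-1].rsplit("]", 1)[0]
    m = CRED_6X.match(inner)
    return m.group(1) if m else inner

def failed_logins(text):
    """Count AUTHENTICATION_FAILED records per (username, client IP)."""
    return Counter((supplied_username(r.get("WHAT", "")), r.get("CLIENT IP ADDRESS"))
                   for r in parse_audit_records(text) if r.get("ACTION") == "AUTHENTICATION_FAILED")
```
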

King, Robert

Jul 5, 2021, 9:11:18 AM
to cas-...@apereo.org

I get the following WARN log entry from org.apereo.cas.services.RegisteredServiceAccessStrategyUtils

WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Unauthorized Service Access. Service [defnotaservice] is not found in service registry.>

I believe this is configured in log4j.xml with the following in <Loggers>

        <AsyncLogger name="org.apereo.cas.services.AbstractServicesManager" level="info" includeLocation="true"/>

Hope that at least sets you on the correct path.

Baron Fujimoto

Jul 6, 2021, 2:57:54 PM
to CAS Community
Unfortunately, that doesn't seem to work for us. I even tried one level up the class hierarchy with

        <AsyncLogger name="org.apereo.cas.services" level="info" includeLocation="true"/>

It also looks like all of our existing AsyncLogger entries already have includeLocation="true" as well.

Daniel Daher

Jun 8, 2022, 12:41:31 PM
to CAS Community, baron
Hello. I am interested in adding this feature to our 6.x CAS. We had no problems on 5.x, but I cannot find the key to enable it on 6.x. As you said, I find it a very useful tool for debugging problems in new clients.

Did you find the solution? 

Thanks for your time
