Dears,
I have two websites where users can authenticate via CAS, so there are 2 registered services.
The two handlers are in LDAP.
1.
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(http|https|imaps)://a.1/.*",
  "name" : "a1",
  "id" : 1,
  "evaluationOrder" : 0,
  "theme" : "nextor",
  "authenticationPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    "requiredAuthenticationHandlers" : ["java.util.TreeSet", ["aut1"]],
    "excludedAuthenticationHandlers" : ["java.util.TreeSet", ["aut2"]]
  }
}
2.
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(http|https|imaps)://a.2/.*",
  "name" : "a2",
  "id" : 2,
  "evaluationOrder" : 0,
  "theme" : "nextor",
  "authenticationPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    "requiredAuthenticationHandlers" : ["java.util.TreeSet", ["aut1","auth2"]]
  }
}
A user was authenticated on website 2 with credentials from auth2; after this, the user tried to authenticate on website 1, with success.
I don't know why he is able to authenticate via CAS on website 1. I have excluded auth2.
Additionally, if the user tries logging in to web service 1 first, he can't authenticate with credentials taken from auth2, so this seems to be OK.
I want to avoid the situation where the user is authenticated in service 1 after he has been authenticated on website 2.
On the other hand, I believe that it is possible to use the SSO mechanism for auth1, which is in both services.
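
As an added example (not part of the original post and not CAS code): the post's prose calls the handlers auth1 and auth2, while the posted policies list aut1, aut2 and auth2. The script below checks every handler name in those policies against a set of configured names; that set is an assumption taken from the prose, so substitute the handler names from your own CAS configuration.

```python
import json

# Assumption: the handler names actually configured in CAS are the ones the
# post's prose uses ("auth1", "auth2"); replace with your real handler names.
CONFIGURED_HANDLERS = {"auth1", "auth2"}

# Policies copied from the two service definitions in the post
# (trailing comma removed so strict JSON parsing works).
SERVICES = json.loads("""
[
  {"name": "a1", "authenticationPolicy": {
     "requiredAuthenticationHandlers": ["java.util.TreeSet", ["aut1"]],
     "excludedAuthenticationHandlers": ["java.util.TreeSet", ["aut2"]]}},
  {"name": "a2", "authenticationPolicy": {
     "requiredAuthenticationHandlers": ["java.util.TreeSet", ["aut1", "auth2"]]}}
]
""")

POLICY_FIELDS = ("requiredAuthenticationHandlers", "excludedAuthenticationHandlers")


def handler_names(value):
    """Unwrap the ["java.util.TreeSet", [names...]] typed-collection form."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and isinstance(value[1], list)):
        return list(value[1])
    return list(value or [])


def unknown_handlers(services, configured):
    """Return (service, field, name) for every name not in `configured`."""
    findings = []
    for svc in services:
        policy = svc.get("authenticationPolicy", {})
        for field in POLICY_FIELDS:
            for name in handler_names(policy.get(field)):
                if name not in configured:
                    findings.append((svc["name"], field, name))
    return findings


if __name__ == "__main__":
    for service, field, name in unknown_handlers(SERVICES, CONFIGURED_HANDLERS):
        print(f"{service}: {field} references unknown handler {name!r}")
```

An excluded name that matches no configured handler excludes nothing, so any finding on `excludedAuthenticationHandlers` is worth checking against the real handler names first.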