Having issues w/ trustedDevice in 5.1.2


mailing_...@melson.fastmail.net

Jul 21, 2017, 12:56:15 PM
to cas-...@apereo.org
I'm having a heck of a time setting up trustedDevice authentication
(outlined here:
https://apereo.github.io/cas/5.1.x/installation/Multifactor-TrustedDevice-Authentication.html)
under a fresh 5.1.2 install and I'm not sure if I'm misunderstanding the
feature altogether or simply configuring it incorrectly.

I set up the appropriate entry in the maven overlay to bring it in
(cas-server-support-trusted-mfa as artifactId), set up the
cas.properties entries, and it's definitely being loaded. After an mfa
authentication (I'm using mfa-gauth), I get prompted to register the
device, but the minute I do so I get an error and stack trace - I see the
audit log register the name I gave it and other assorted info, but
immediately afterwards it throws an exception:

"org.springframework.webflow.execution.FlowExecutionException: Exception
thrown in state 'registerTrustedDevice' of flow 'login'"

Following that down the underlying cause seems to be the following:

2017-07-21 10:32:58,064 ERROR
[org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas].[dispatcherServlet]]
- <Servlet.service() for servlet [dispatcherServlet] in context with
path [/cas] threw exception [Request processing failed; nested exception
is org.springframework.webflow.execution.FlowExecutionException:
Exception thrown in state 'registerTrustedDevice' of flow 'login'] with
root cause>
java.lang.IllegalArgumentException: Cannot find state with id 'success'
in flow 'login' -- Known state ids are
'array<String>['initialAuthenticationRequestValidationCheck',
'ticketGrantingTicketCheck', 'initializeLoginForm', 'viewLoginForm',
'realSubmit', 'showAuthenticationWarningMessages',
'sendTicketGrantingTicket', 'generateServiceTicket',
'viewRedirectToUnauthorizedUrlView', 'viewServiceErrorView',
'redirectView', 'postView', 'viewGenericLoginSuccess',
'showWarningView', 'finalizeWarning', 'serviceUnauthorizedCheck',
'serviceCheck', 'warn', 'gatewayRequestCheck', 'hasServiceCheck',
'renewRequestCheck', 'terminateSession',
'gatewayServicesManagementCheck', 'serviceAuthorizationCheck',
'redirect', 'handleAuthenticationFailure', 'verifyTrustedDevice',
'checkRegistrationRequired', 'registerDeviceView',
'registerTrustedDevice', 'finishMfaTrustedAuth', 'mfa-gauth',
'casAuthenticationBlockedView', 'casBadWorkstationView',
'casBadHoursView', 'casAccountLockedView', 'casAccountDisabledView',
'casPasswordUpdateSuccessView', 'casExpiredPassView',
'casMustChangePassView']'

I'm using Java 1.8 on CentOS 7 and have tried deploying to Tomcat 8.5.16
as a war and using the embedded Tomcat, and get the same behavior in
both instances. Haven't tried other containers or tweaking much else at
this point.

Any ideas?

Matt



Matt Elson

Aug 10, 2017, 10:54:51 AM
to cas-...@apereo.org
Dug more into this on my end, and discovered a few more things.

*) trustedDevice is working fine with mfa-authy (just grabbed another
random one that had a free trial) - I see it log the trustedDevice, and
then read back the trustedDevice and bypass authy accordingly. I've not
tried other mfas yet to see if there's a pattern.

*) when I try to use trustedDevice w/ mfa-gauth, the trustedDevice
flow/hooks (sorry, not sure of the correct terminology) trigger even if
the user is set up to bypass the multifactor - this is NOT the behavior
when I use mfa-authy (in that case, bypassing the mfa bypasses
trustedDevice altogether).

That, combined with the fact that the error I'm receiving seems to be
because it's being directed to a non-existent "success" state in the
"login" flow, makes it look like for some reason the mfa-gauth flows
aren't working right when combined w/ trustedDevice.

I'm sort of new to Java webflow (and not really a programmer), so not
quite sure if I'm understanding the interactions correctly - I don't
mind digging into code to try and learn more, but not quite sure where
to begin since it's all quite daunting.

In any case, any help would be appreciated!

Matt Elson

Matt Elson

Aug 15, 2017, 4:47:09 PM
to cas-...@apereo.org

> In any case, any help would be appreciated!

Just noting for future people potentially stumbling on this that this
got fixed up in 5.1.3 (commit 29d4fd6388969820e4631b2a2693cb8116a36f98
would be my guess).

The flow is going to the right place and the in memory storage is
working fine.

However, I'm currently having some trouble w/ JDBC and mysql (have tried
both available drivers, various dialects) - the DDL statement to create
the tables failed:

Caused by: java.sql.SQLSyntaxErrorException: You have an error in your
SQL syntax; check the manual that corresponds to your MariaDB server
version for the right syntax to use near 'varchar(255) not null, name
varchar(255) not null, principal varchar(255) not nu' at line 1

And if I create the table by hand (guessing at what the columns should
be), I get a similar error.

[org.hibernate.engine.jdbc.spi.SqlExceptionHelper] - <You have an error
in your SQL syntax; check the manual that corresponds to your MariaDB
server version for the right syntax to use near 'key, name, principal)
values ('2017-08-14', 'redacted.ip.goes.here.@Mozilla/5.0 (X11; Lin'

Both look like the SQL statements are getting incorrectly formed or
truncated in some format; going to be firing up more debugging on
mariadb/mysql side of things and will try other DBs later.

(I've got the Google Auth tokens being stored in the database w/o any
difficulties so don't think there's anything obviously wrong on the
database-side of things.)

Just figured I'd throw it out there in case the underlying cause of this
new issue of mine is a really obvious one.

Matt

Matt Elson

Aug 16, 2017, 6:55:35 AM
to cas-...@apereo.org
On 08/15/2017 04:47 PM, Matt Elson wrote:

> Both look like the SQL statements are getting incorrectly formed or
> truncated in some format; going to be firing up more debugging on
> mariadb/mysql side of things and will try other DBs later.
>
> Just figured I'd throw it out there in case the underlying cause of this
> new issue of mine is a really obvious one.

Turns out it's pretty simple.

The fields "date" and "key" are reserved words in mysql/mariadb and
aren't being quoted/backticked properly, which is causing the SQL errors.
Changing the names to something like trustedDate and trustedKey in
MultiFactorAuthenticationRecord and altering the explicit SQL queries
in JpaMultifactorAuthenticationTrustStorage accordingly causes the DDL
and subsequent inserts to succeed in my brief testing.

While playing with that, a length of 255 isn't sufficient for the key
value once encryption takes place; had to bump it up to 1000 or so.

Not familiar with hibernate so not sure if it's supposed to take care of
this sort of quoting/escaping, so not sure who to report this seeming
bug to.

Matt
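The following JPA entity is an added illustration of the two problems described in the Aug 15 and Aug 16 posts (reserved-word column names "date" and "key" breaking the generated DDL and the inserts, and a 255-character column being too short for the encrypted key). It is not code from the CAS project and not the poster's patch; the class name, table name and field names are assumptions, and the real CAS entity mentioned above (MultiFactorAuthenticationRecord) should be consulted for the actual mapping. It shows both ways out: renaming the column, or keeping the name and having Hibernate quote it.

```java
// Added illustration, not code from the CAS project or from the thread's posters.
// A JPA entity whose columns collide with MySQL/MariaDB reserved words
// ("date", "key"). Hibernate does not quote identifiers unless told to, so
// the generated "create table ... date varchar(255) ..." fails. Class name,
// table name and field names below are assumptions for the example.
import java.util.Date;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import javax.persistence.Temporal;
import javax.persistence.TemporalType;

@Entity
@Table(name = "TrustedDeviceRecordExample")
public class TrustedDeviceRecordExample {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private long id;

    // Principal the device was registered for.
    @Column(nullable = false)
    private String principal;

    // Human-readable device name the user typed at registration time.
    @Column(nullable = false)
    private String name;

    // Fix 1 (rename): "date" is reserved on MySQL/MariaDB, so the physical
    // column gets a non-reserved name. Only the mapped column name reaches
    // the database; the Java field name is irrelevant to the DDL.
    @Column(name = "recordDate", nullable = false)
    @Temporal(TemporalType.DATE)
    private Date recordDate;

    // Fix 2 (quote): keep the column named "key" but have Hibernate quote it.
    // Hibernate rewrites the backticks into the dialect's own quoting
    // (`key` on MySQL/MariaDB, "key" on PostgreSQL or H2).
    // The length is raised above the JPA default of 255 because the stored
    // value is the device key after encryption and encoding, which is longer.
    @Column(name = "`key`", nullable = false, length = 1000)
    private String recordKey;

    protected TrustedDeviceRecordExample() {
        // no-arg constructor required by JPA
    }

    public TrustedDeviceRecordExample(String principal, String name,
                                      Date recordDate, String recordKey) {
        this.principal = principal;
        this.name = name;
        this.recordDate = recordDate;
        this.recordKey = recordKey;
    }

    public long getId() { return id; }
    public String getPrincipal() { return principal; }
    public String getName() { return name; }
    public Date getRecordDate() { return recordDate; }
    public String getRecordKey() { return recordKey; }
}
```

Either fix is enough on its own; the quoting form keeps the physical column name, so a table created by hand with backticked columns keeps working. A third option is the Hibernate setting `hibernate.globally_quoted_identifiers=true`, which quotes every identifier, but quoted identifiers are case-sensitive on databases such as PostgreSQL and Oracle, so it can break existing tables that were created unquoted. Whichever route is taken, any native SQL in the storage class (the explicit queries in JpaMultifactorAuthenticationTrustStorage mentioned above) must use the same column names; JPQL queries refer to entity attribute names rather than column names, so remapping only the column leaves them untouched.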

Uxío

Aug 16, 2017, 12:00:27 PM
to cas-...@apereo.org
I had a bad time trying to tweak CAS 3 with postgres ticket registry to use bytea for lobs, instead of oid, ended up using oid and assuming the included pita and believing there is a bug relating to how hibernate 4 handles ticket removal when using postgres [oid] large objects (update/delete most possibly requiring multiple data unlinking ops just after committing transaction).

If I were to want the supposed bug to be solved for CAS (not the case) I would open an issue in CAS even though I'm really sure it is (or at least seems to be) a Hibernate bug. The reason for it is that even if there are more or less maintained public roadmaps, often only someone in the team really knows the truth on the facts for the multiplicity of data access layer back ends.

CAS seems to have an historical affinity with particular versions of mysql and oracle to a lesser extent.

Targeting maria or not is mandatory for hibernate I would say (so that said, plans or mission statements are no guarantee for anything), but in the scope of CAS is something to be decided by the CAS committee.

I would open a github issue.


Jurica Juren

Aug 22, 2017, 12:03:39 PM
to jasig-cas-user, cas-...@apereo.org, mailing_...@melson.fastmail.net
Can you tell me which class needs to be changed so that the right queries are sent to MySQL?
I manually created the table in the database, but now when CAS wants to insert I receive an error because of reserved words in MySQL (key and date).

Jurica

Andrew Tillinghast

Oct 11, 2017, 11:43:30 AM
to cas-...@apereo.org, jasig-cas-user, mailing_...@melson.fastmail.net
We're having the same issue with DUO MFA and remember device.
Is there a work around? I checked in GitHub, it appears this issue was never entered in GitHub so I did that: https://github.com/apereo/cas/issues/2998

Can anyone provide us with a work around, or at least the list of classes to be updated?




--
Andrew Tillinghast
Sr. Web Developer
270 Mohegan Avenue
New London, CT 06320-4196
