CAS 6.1.4 Overlay Compile Problem (and possible design issue)


Tom Healey

Feb 18, 2020, 3:14:08 PM
to CAS Community
Hi all!

Background:

When the compileJava task is run it fails and I get this error (it's the first of many "does not exist" errors)

"error: package org.apereo.cas.authentication.credential does not exist"

when compiling a modified QueryAndEncodeDatabaseAuthenticationHandler.java file.
which is derived from:
support/cas-server-support-jdbc-authentication/src/main/java/org/apereo/cas/adaptors/jdbc/QueryAndEncodeDatabaseAuthenticationHandler.java
in the apereo/cas git repo.

I have a slightly different hashing method that doesn't allow me to match the password correctly. It's really unfortunate, because it's a two-line change.


Here are the relevant import statements, and I have located the file in the
src/main/java/edu/xx/common/cas directory under the main template directory.


import org.apereo.cas.authentication.AuthenticationHandlerExecutionResult;
import org.apereo.cas.authentication.PreventedException;
import org.apereo.cas.authentication.credential.UsernamePasswordCredential;
import org.apereo.cas.authentication.exceptions.AccountDisabledException;
import org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException;
import org.apereo.cas.authentication.principal.PrincipalFactory;

I am following this page's (sparse) directions:


I agree with the author that this should be trivial but it won't compile.

Problem 1:

I don’t know the correct entries to put in the build file, nor the correct location.
I have tried a couple of different values that, if I showed you, would make the case even more clear I don't know what I am doing.
But what the heck:
classpath "org.apereo.cas:cas-server-core-authentication:${project.'cas.version'}"
classpath "org.apereo.cas:cas-server-core-services:${project.'cas.version'}"
under the “buildscript” dependencies. I have also put them under the main dependencies section, changing the “directive” to compile.

Question 1:

How do I tell the compileJava task how to find these imports?

Question 2:

Also, if I do successfully compile, do I have to create another class that registers this handler and all the joy that entails, or is there a way I can specify this class (like we could in the old days of CAS, before overlays) in the config like:
cas.authn.jdbc.encode[0].handler= edu.xx.common.cas.QueryAndEncodeDatabaseAuthenticationHandler


Thanks,
Tom

Ray Bon

Feb 18, 2020, 3:46:56 PM
to cas-...@apereo.org
Tom,

Do you need a new class, or could you modify QueryAndEncode...?

If the latter, copy the class into src and make the change (use the same package structure).
If the former, use the same package structure (i.e., not 'edu.xx.common.cas').

Make sure you are including the correct packages in the dependency section of build.gradle (where other feature dependencies go).
To find the correct package, clone the CAS repo, https://github.com/apereo/cas. Check out the correct branch, and do a find for the 'does not exist'.java file name. The directory name with '-', e.g., cas-server-core-audit, will be the part to add to the dependency section.

It has been a long time since I had to modify a CAS supplied class, so I am not of much help.

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Dmitriy Kopyleenko

Feb 18, 2020, 3:57:18 PM
to cas-...@apereo.org
I just want to add to what Ray said, which is correct - the QueryAndEncodeDatabaseAuthenticationHandler is not a conditional bean, so you must use the same package as in the CAS core to “overlay” it during the build. Also, another technique to find out what compile dependencies you need when modifying CAS code without cloning the whole repo, is to find the class in question in GitHub e.g. https://github.com/apereo/cas/blob/6.1.x/support/cas-server-support-jdbc-authentication/src/main/java/org/apereo/cas/adaptors/jdbc/QueryAndEncodeDatabaseAuthenticationHandler.java

And note the directory name in between the 'support' and 'src' directories - and that will be your dependent module that you'd need to use - 'cas-server-support-jdbc-authentication' in this case. Same applies for all other classes not found during compilation phase.

Best,
D.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/96bb3e4fc672c873c28f64f31e86dc1e869886c3.camel%40uvic.ca.

Tom Healey

Feb 19, 2020, 10:19:46 AM
to cas-...@apereo.org
Thank you Bob and Dmitriy.
I have successfully compiled the file. Thanks again.
New problem:
However, CAS is not calling the modified version. I believe this to be true because I turned on debug logs and logged out some "milestones" within my class and they never show in the logs, while other debug messages show up from other classes.
It is the same class name as the existing Authentication handler QueryAndEncodeDatabaseAuthenticationHandler.java
Is there some other step I need to include?
To be clear, I am not modifying this file within the apereo/cas source tree but within the cas-overlay-template and I have located the source within the src/main/java/org/apereo/cas/adaptors/jdbc below the cas-overlay-template path.
It is compiled and placed in the build/classes/java/main/org/apereo/cas/adaptors/jdbc directory. It shows up in the classes directory of the WAR when I unarchive it. (WEB-INF/classes)
So it appears to be built correctly.
BUT...
It does not appear to be loaded by CAS. There are no log entries that indicate the JDBC authenticator is loaded. The LDAP one logs an entry to report that it is, so I am assuming that CAS would indicate the JDBC authenticator would be loaded.
Here is the cas.properties file entry.

cas.authn.jdbc.encode[0].saltFieldName=salt
cas.authn.jdbc.encode[0].sql=select salt,crypted_password  from users where login=?
cas.authn.jdbc.encode[0].algorithmName=SHA-1
cas.authn.jdbc.encode[0].passwordFieldName=crypted_password
cas.authn.jdbc.encode[0].url=jdbc:sqlserver://XX.XX.XX.xx:XXXX;database="SQL SERVER DB NAME"
cas.authn.jdbc.encode[0].dialect=org.hibernate.dialect.SQLServerDialect
cas.authn.jdbc.encode[0].user=XX
cas.authn.jdbc.encode[0].password=XX
cas.authn.jdbc.encode[0].driverClass=net.sourceforge.jtds.jdbc.Driver
cas.authn.jdbc.encode[0].passwordEncoder.type=DEFAULT
cas.authn.jdbc.encode[0].passwordEncoder.characterEncoding=UTF-8
cas.authn.jdbc.encode[0].passwordEncoder.encodingAlgorithm=SHA-1

*LDAP config follows.*


The error is:
2020-02-19 10:14:11,488 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [UsernamePasswordCredential(username=castestuser, source=null, customFields={})] of type [UsernamePasswordCredential]. Examine the configuration to ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace the authentication event.>

Well I have set logs to debug and have no insight from them.

Thoughts???

Thanks,
Tom 

Ray Bon

Feb 19, 2020, 12:28:24 PM
to cas-...@apereo.org
Tom,

It sounds like something is not configured.
If you remove your custom class, do you get the same error? If so, then configuration is missing.

You could put logging statements in your custom class's constructor(s).

Ray

Tom Healey

Feb 19, 2020, 2:22:41 PM
to CAS Community
Ray (sorry I called you Bob....)
I agree something is not configured.
If I remove my custom class I get the same error.
I did put logging statements in my class's constructor, nothing was output because I don't believe it's being called because, as you said, something is not configured.
What other config do I need than this?

cas.authn.jdbc.encode[0].saltFieldName=salt
cas.authn.jdbc.encode[0].sql=select salt,crypted_password  from users where login=?
cas.authn.jdbc.encode[0].algorithmName=SHA-1
cas.authn.jdbc.encode[0].passwordFieldName=crypted_password
cas.authn.jdbc.encode[0].url=jdbc:sqlserver://XX.XX.XX.xx:XXXX;database="SQL SERVER DB NAME"
cas.authn.jdbc.encode[0].dialect=org.hibernate.dialect.SQLServerDialect
cas.authn.jdbc.encode[0].user=XX
cas.authn.jdbc.encode[0].password=XX
cas.authn.jdbc.encode[0].driverClass=net.sourceforge.jtds.jdbc.Driver
cas.authn.jdbc.encode[0].passwordEncoder.type=DEFAULT
cas.authn.jdbc.encode[0].passwordEncoder.characterEncoding=UTF-8
cas.authn.jdbc.encode[0].passwordEncoder.encodingAlgorithm=SHA-1

I have put

    compile "org.apereo.cas:cas-server-support-jdbc-authentication:${casServerVersion}"
    compile "org.apereo.cas:cas-server-support-jdbc-drivers:${casServerVersion}"

in the dependencies section of the build.gradle.
I thought that was all. But I needed compile "org.apereo.cas:cas-server-support-jdbc:${casServerVersion}" as well.
Sorry for that...
Anyways, it's calling the default auth handler not my code, yet, but there are a number of issues now dealing with the connection itself and the driver.
Thank you for your help so far.
Tom


Tom Healey

Feb 22, 2020, 9:52:27 AM
to cas-...@apereo.org
Just an update.
I've gotten past the driver issue and am now querying the DB.
But my auth handler is still not being called. To recap, I just put the code in src/main/java/org/apereo/cas/adaptors/jdbc and I kept the name QueryAndEncodeDatabaseAuthenticationHandler.
However, CAS is not calling the modified version. I believe this to be true because I turned on debug logs and logged out some "milestones" within my class and they never show in the logs, while other debug messages show up from other classes.
It is the same class name as the existing Authentication handler QueryAndEncodeDatabaseAuthenticationHandler.java
Is there some other step I need to include?
To be clear, I am not modifying this file within the apereo/cas source tree but within the cas-overlay-template and I have located the source within the src/main/java/org/apereo/cas/adaptors/jdbc below the cas-overlay-template path.

It is compiled and placed in the build/classes/java/main/org/apereo/cas/adaptors/jdbc directory. It shows up in the classes directory of the WAR when I unarchive it. (WEB-INF/classes)
So it appears to be built correctly.
BUT...
It does not appear to be loaded by CAS. There are no log entries that indicate the JDBC authenticator is loaded. The LDAP one logs an entry to report that it is, so I am assuming that CAS would indicate the JDBC authenticator would be loaded.

Is this a stupid Java problem that my lack of remembering how java/CAS loads classes and as soon as someone offers the answer that works, I will reply "Of Course!"




Should I just punt and go through the process of changing that class name and registering a custom auth handler?
Or is there a way I can specify this class (like we could in the old days of CAS, before overlays) in the config like:
cas.authn.jdbc.encode[0].handler= edu.xx.common.cas.QueryAndEncodeDatabaseAuthenticationHandler

Thanks again for your time.

Tom


Tom Healey

Feb 25, 2020, 9:51:39 AM
to cas-...@apereo.org
Hi all.
Following up to report success in getting DB authentication to work with our local algorithm.
It turned out I was misreading the lack of log messages. As I reported, I did not see any of the log.debug messages being output to the console. This led me to believe that my version of the QueryAndEncodeDatabaseAuthenticationHandler class was not being called when in fact it was. By putting System.out.println instead of log.debug into the class I was able to debug the new code I had put into the class and successfully authenticate.

So, to recap, if one needs to modify an auth handler to implement a custom passwordEncoder here are the steps:
1) copy it from the original source,
2) make desired mods
3) follow Dmitriy and Ray's guidance regarding the dependencies and package locations which need to be added to build.gradle file in the dependencies section. There could be some "discovery" at this point to find all the dependent packages. Don't give up.
4) save it to the src/main/java/org/apereo/cas path that matches the package that your source was originally. In my case, the file needed to go in src/main/java/org/apereo/cas/adaptors/jdbc directory. CAS build then picked it up. Note that Ray and Dmitriy both pointed this out.

Note, because I misread the situation regarding the "overlaid" class, I did try to use the cas.authn.jdbc.encode[0].passwordEncoder.type to implement the custom Encoder but I was not successful. So there are other possibilities to creating a custom encoder and to be honest the passwordEncoder.type is more elegant and I wished it had worked. It likely would have been more maintainable over the long term. But sometimes life is too short and one has to move on.

So the short version is that if I have understood and followed Ray and Dmitriy's lead and not been misled by the logging issue, I could have saved some time.
Thanks again.

Tom
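
An added example, not code from the thread or from the CAS project: it turns the repo path Dmitriy quotes into the Gradle dependency and overlay source location, then checks a WAR for the two copies of the class (the overlay copy under WEB-INF/classes and the copy inside the module jar) instead of relying on log output to tell which handler was packaged. The function names, the sample WAR and the jar file name are constructed for illustration; the path and the `${casServerVersion}` notation are taken from the messages above.

```python
import io
import zipfile

# Repo path quoted in the thread (apereo/cas, 6.1.x branch).
UPSTREAM = ("support/cas-server-support-jdbc-authentication/src/main/java/"
            "org/apereo/cas/adaptors/jdbc/QueryAndEncodeDatabaseAuthenticationHandler.java")

def overlay_plan(upstream_path):
    """Derive the Gradle dependency, overlay source path and WAR entry for a CAS class."""
    parts = upstream_path.split("/")
    src = parts.index("src")                      # module directory sits just before 'src'
    class_rel = "/".join(parts[src + 3:])         # skip src/main/java
    class_file = class_rel[:-len(".java")] + ".class"
    return {
        "dependency": f"org.apereo.cas:{parts[src - 1]}:${{casServerVersion}}",
        "overlay_source": "src/main/java/" + class_rel,
        "class_file": class_file,
        "war_entry": "WEB-INF/classes/" + class_file,
    }

def check_war(war, plan):
    """Locate every copy of the class in the WAR: the overlay copy and copies inside jars."""
    found = {"overlay_present": False, "jars_with_class": []}
    with zipfile.ZipFile(war) as z:
        found["overlay_present"] = plan["war_entry"] in z.namelist()
        for name in z.namelist():
            if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                with zipfile.ZipFile(io.BytesIO(z.read(name))) as jar:
                    if plan["class_file"] in jar.namelist():
                        found["jars_with_class"].append(name)
    return found

def build_sample_war(plan, with_overlay):
    """Constructed in-memory WAR (placeholder bytes) standing in for the built overlay WAR."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as j:
        j.writestr(plan["class_file"], b"upstream class bytes")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        w.writestr("WEB-INF/lib/cas-server-support-jdbc-authentication-6.1.4.jar", jar.getvalue())
        if with_overlay:
            w.writestr(plan["war_entry"], b"modified class bytes")
    war.seek(0)
    return war

if __name__ == "__main__":
    plan = overlay_plan(UPSTREAM)
    print(plan["dependency"], plan["overlay_source"], sep="\n")
    print(check_war(build_sample_war(plan, with_overlay=True), plan))
```

For a real build, pass the path of the built WAR to `check_war`. A working overlay shows `overlay_present` as true alongside the module jar, since a web application loads WEB-INF/classes before WEB-INF/lib; if it is false, the upstream handler is the one that was packaged.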
