[cas-user] Failing authentication after applying Database Authentication configuration


Jihad Talic

Feb 3, 2017, 3:03:57 AM
to CAS Community
Hello,

I am experiencing issues regarding my Database authentication configuration in my CAS 5.0.1 server. The database I'm connecting my CAS server to uses PostgreSQL, and I am deploying the overlay build in Tomcat 8.5. First of all, I have enabled Database Authentication in the application.properties, specifically the Encode handler, since the database uses a salt value for hashing the password. As far as I know, I have applied the most basic configuration for the database authentication setup, but if I try to authenticate directly against the CAS server (not redirected from any URL), it always ends up not being successful. I am very sure that I am using the correct credentials, but I still experience an invalid authentication.

Originally, I am accessing the database remotely, but I also tried using a local PostgreSQL database with similar unfortunate results. This is the basic configuration I'm using in the application.properties (I purposely used my local setup and some example values here):

cas.authn.jdbc.encode[0].sql=SELECT password FROM public.user WHERE email=?
cas.authn.jdbc.encode[0].url=jdbc:postgresql://localhost:5432/tracking
cas.authn.jdbc.encode[0].driverClass=org.postgresql.Driver
cas.authn.jdbc.encode[0].user=sample_username
cas.authn.jdbc.encode[0].password=sample_password
cas.authn.jdbc.encode[0].saltFieldName=salt
cas.authn.jdbc.encode[0].passwordFieldName=password

cas.authn.jdbc.encode[0].passwordEncoder.type=DEFAULT
cas.authn.jdbc.encode[0].passwordEncoder.characterEncoding=UTF-8
cas.authn.jdbc.encode[0].passwordEncoder.encodingAlgorithm=SHA

The password encoder setup should be right since the database uses SHA-1 password encryption.

This is what the Tomcat logs say about it:

2017-02-03 15:06:33,024 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [jihad] of type [UsernamePasswordCredential], which suggests a configuration problem.>
2017-02-03 15:06:33,075 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: jihad
WHAT: Supplied credentials: [jihad]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Feb 03 15:06:33 PHT 2017
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2017-02-03 15:06:33,210 ERROR [org.apereo.cas.web.flow.AuthenticationExceptionHandler] - <Unable to translate handler errors of the authentication exception org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes. Returning UNKNOWN by default...>

I am hoping someone could help about this issue. Thank you in advance.

--Jihad

dkopy...@unicon.net

Feb 3, 2017, 7:11:55 AM
to cas-...@apereo.org
Have you included CAS' JDBC authentication module dependency in your overlay's build config (Maven or Gradle)?

Best,
D.
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b82b736e-7389-46a3-872b-53778b6acd64%40apereo.org.

Jihad Talic

Feb 3, 2017, 9:15:46 AM
to CAS Community, dkopy...@unicon.net
Hey dkopy..., thank you for replying. I am using the Maven overlay, and yes, I have included the dependency in pom.xml, as stated on the site (https://apereo.github.io/cas/5.0.x/installation/Database-Authentication.html). I have also added the JDBC driver dependency, and checked if the jar files of the aforementioned dependencies are present in the WAR file, and yes, they are there.

Menno en Erla Avegaart

Feb 6, 2017, 6:28:34 AM
to CAS Community, dkopy...@unicon.net
It looks like a simple password mismatch.

Are you sure the password is salted, hashed and encoded exactly the same?
1. The salt is prepended.
2. SHA-1 hashed
3. Converted to hex


On Friday, 3 February 2017 at 15:15:46 UTC+1, Jihad Talic wrote:

Jihad Talic

Feb 6, 2017, 9:48:23 PM
to CAS Community, dkopy...@unicon.net
Yes, you're right. I have also found out that it was caused by the password mismatch, since the password in the database was encoded using Spring Security's ShaPasswordEncoder with SHA-1 and the salt value which was also saved in the database, compared to CAS which uses Apache Shiro's DefaultHashService. Right now I was thinking of modifying the custom authentication handler so I can use the ShaPasswordEncoder in place of the default implementation, but I am still not quite sure how to do that. Do you guys have any idea how to do that? Or are there other alternative implementations?
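The two hash layouts this thread contrasts, side by side, as an added example (not code from the thread, from CAS or from Spring Security): the legacy Spring Security ShaPasswordEncoder hashes the merged string "password{salt}", while the layout Menno describes for the CAS encode handler prepends the salt to the password; both are SHA-1 and hex. The password and salt values are constructed, and identify_scheme is a diagnostic helper added here to tell which layout populated a table by checking a known test account.

```python
import hashlib

# Constructed sample values (not from the thread): one user's cleartext
# password and the per-user salt stored in the "salt" column.
PASSWORD = "correct horse"
SALT = "k3Hq9ZpL"


def spring_sha_encoder(password: str, salt: str) -> str:
    """Legacy Spring Security ShaPasswordEncoder layout:
    SHA-1 over "password{salt}" (salt appended inside braces), hex-encoded."""
    merged = f"{password}{{{salt}}}"
    return hashlib.sha1(merged.encode("utf-8")).hexdigest()


def salt_prepended_sha(password: str, salt: str) -> str:
    """Layout described in the thread for the CAS encode handler:
    salt prepended to the password, SHA-1 hashed, hex-encoded."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


def identify_scheme(stored_hash: str, password: str, salt: str) -> str:
    """Diagnostic helper (hypothetical, added here): given the stored hash of a
    known test account plus its cleartext and salt, report which layout
    reproduces it. "unknown" means neither, so the mismatch is elsewhere
    (character encoding, iterations, a different digest)."""
    candidates = {
        "spring-sha-password{salt}": spring_sha_encoder,
        "salt-prepended-sha1": salt_prepended_sha,
    }
    for name, fn in candidates.items():
        if fn(password, salt).lower() == stored_hash.lower():
            return name
    return "unknown"


if __name__ == "__main__":
    # Same password and salt, two different stored hashes: this is the
    # "password mismatch" CAS reports as a failed authentication.
    print("spring:", spring_sha_encoder(PASSWORD, SALT))
    print("cas   :", salt_prepended_sha(PASSWORD, SALT))
    print("scheme:", identify_scheme(spring_sha_encoder(PASSWORD, SALT), PASSWORD, SALT))
```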

Menno en Erla Avegaart

Feb 7, 2017, 4:44:08 AM
to CAS Community, dkopy...@unicon.net
Unfortunately, CAS doesn't support the deprecated Spring Security password encoders by default.

The cleanest method would be to construct a jdbcAuthenticationHandlers bean in deployerConfigContext.xml/.groovy with your own password encoder.

IMHO, a far easier method however would be to replace StandardPasswordEncoder with your own implementation that delegates to ShaPasswordEncoder.


On Tuesday, 7 February 2017 at 03:48:23 UTC+1, Jihad Talic wrote: