Blank first 401 page with SPNEGO


Felix Schumacher

Feb 13, 2017, 10:13:47 AM
to Cas User
Hi all,

I have configured a simple webapp overlay with LDAP and SPNEGO enabled.

When I try to log in with a SPNEGO-enabled browser (that has no valid
ticket for the configured domain), I get two 401 pages.
The first 401 page is empty except for the header that tells the
browser to try SPNEGO for authentication.
The second 401 page has the login page as content together with the
header that tells the browser to try SPNEGO.

The user can log in via LDAP and everything is fine.

Now consider the case where we have a browser that is not SPNEGO
enabled. The browser gets the first (empty) 401 page and finds that it
has no valid authentication scheme to try. The user is therefore greeted
with an empty page.

Is this a bug, or do I have to specify anything to get the first 401
page to have the login page included?

Regards,
Felix

Philippe MARASSE

Feb 13, 2017, 11:28:49 AM
to cas-...@apereo.org
Hello,

We have the same problem here. Which version of CAS do you use?

Regards.
--
Philippe MARASSE

Responsable pôle Infrastructures - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel : 05.49.44.57.19


Felix Schumacher

Feb 13, 2017, 12:07:56 PM
to cas-...@apereo.org


On 13 February 2017 17:28:44 CET, 'Philippe MARASSE' via CAS Community <cas-...@apereo.org> wrote:
>Hello,
>
>We have the same problem here. Which version of CAS do you use?

I believe it is 5.0.2.

I would have to check tomorrow at work.

Felix

Philippe MARASSE

Feb 13, 2017, 12:45:35 PM
to cas-...@apereo.org
Fine, my last attempt was with 5.1-SNAP but it worked with 5.0 also.

I had to overload:
- SpnegoWebflowConfigurer (add new end state views)
- SpnegoWebflowConfig
- SpnegoNegociateCredentialsAction to modify default behavior

Create/overload HTML templates for views:
- casSpnegoNegotiateView.html (first 401 view)
- casSpnegoAuthenticationFailureView.html (auth failure view)
- casSpnegoErrorView.html (all other errors view)

Regards.

Felix Schumacher

Feb 14, 2017, 9:22:55 AM
to cas-...@apereo.org
On 13.02.2017 18:45, 'Philippe MARASSE' via CAS Community wrote:
> Fine, my last attempt was with 5.1-SNAP but it worked with 5.0 also.
>
> I had to overload:
> - SpnegoWebflowConfigurer (add new end state views)
> - SpnegoWebflowConfig
> - SpnegoNegociateCredentialsAction to modify default behavior
>
> Create/overload HTML templates for views:
> - casSpnegoNegotiateView.html (first 401 view)
> - casSpnegoAuthenticationFailureView.html (auth failure view)
> - casSpnegoErrorView.html (all other errors view)

Thanks for your info, but I found an easier way.

Put

cas.authn.spnego.mixedModeAuthentication=true

into your cas.properties.

That way the first page will have the login page as the body, even when
the browser is SPNEGO capable (or what CAS thinks are SPNEGO-capable
browsers) and the browser did not send an authenticate header.

No special overloading of classes or webflows :)

Regards,

Philippe MARASSE

Feb 15, 2017, 6:13:50 AM
to cas-...@apereo.org
If it fits your use case, it's perfect.

In our case we want SPNEGO for all internal accesses, so CAS needs to
stop and not offer login/password if SPNEGO fails.

Regards.
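
The thread distinguishes a first 401 that carries only the Negotiate header (blank page for a non-SPNEGO browser) from one that also carries the login page (mixed mode). The check below is an added example, not code from the thread or from CAS: it classifies a captured raw response from the login endpoint. The category names and sample responses are constructed, and it assumes a login page can be recognised by a password input field.

```python
import re
from email.parser import BytesParser
from html.parser import HTMLParser


class _PasswordFieldFinder(HTMLParser):
    """Sets .found when the document contains <input type="password">."""

    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.found = True


def classify_challenge(raw: bytes) -> str:
    """Classify one raw HTTP response (status line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    parts = status_line.split(None, 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("not an HTTP response")
    if int(parts[1]) != 401:
        return "no-challenge"
    headers = BytesParser().parsebytes(header_block + b"\r\n\r\n")
    # One header may list several challenges, and the header may repeat.
    offers_negotiate = any(
        re.match(r"negotiate\b", challenge.strip(), re.I)
        for value in headers.get_all("WWW-Authenticate", [])
        for challenge in value.split(",")
    )
    if not offers_negotiate:
        return "401-without-negotiate"
    text = body.decode("utf-8", errors="replace")
    if not text.strip():
        return "negotiate-only"  # a non-SPNEGO browser renders a blank page
    finder = _PasswordFieldFinder()
    finder.feed(text)
    return "negotiate-with-login-form" if finder.found else "negotiate-with-other-body"


# Constructed samples: the blank first 401 and a mixed-mode 401.
BLANK = b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\nContent-Length: 0\r\n\r\n"
MIXED = (b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
         b"Content-Type: text/html\r\n\r\n"
         b'<form method="post"><input name="username">'
         b'<input type="password" name="password"></form>')
```

A result of `negotiate-with-other-body` corresponds to a deployment that returns a custom view on the 401 without offering a password form.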