Authentication Policies are documented, but do they work?


cur...@newschool.edu

Jan 16, 2019, 3:23:20 PM
to CAS Community

Has anyone figured out how to make Authentication Policies, as documented here:


and here:


actually work? I've been messing around with it for an entire day now, and it seems to me that:
  1. You cannot DISABLE the "any" policy; you can only enable/disable the "tryAll" option
  2. You CAN enable the "notPrevented" policy, but you have no way to control what it considers "Prevented"
  3. You CANNOT enable the "all" or "allHandlers" policies
We're running CAS 5.2.7, but I'll take answers for any version, at this point.

Thanks,
--Dave

Daniel Ellentuck

Jan 16, 2019, 5:53:02 PM
to CAS Users
Hi David,

Take a look at the authentication policy configuration in cas-server-core-authentication (org.apereo.cas.config.CasCoreAuthenticationPolicyConfiguration) and the actual authentication policies in cas-server-core-authentication-api (org.apereo.cas.authentication.policy), and ensure you're clear on what the policies do. If you have a truly custom case, you may have to implement your own authentication policy and add it via the AuthenticationEventExecutionPlanConfigurer. If not, could you describe what behavior you'd like to see and what you've done to effect it?

(I'm referring to CAS v.5.3.7.)
....

    Dan


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
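A custom policy of the kind Dan describes, as an added example that is not from this thread or from the CAS project: it is satisfied only when every registered handler succeeded and none failed (the behaviour Dave expected from "allHandlers"), and it is hooked in through an AuthenticationEventExecutionPlanConfigurer. It assumes the CAS 5.3 AuthenticationPolicy signature isSatisfiedBy(Authentication, Set<AuthenticationHandler>) and that AuthenticationEventExecutionPlan exposes registerAuthenticationPolicy; the package, class and bean names are hypothetical.

```java
package example.cas.policy; // hypothetical package name

import java.util.Set;
import java.util.stream.Collectors;

import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlan;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.authentication.AuthenticationPolicy;
import org.springframework.context.annotation.Configuration;

/**
 * Satisfied only when every handler registered for the transaction recorded a
 * success and no handler recorded a failure. Assumes the CAS 5.3 interface
 * signature isSatisfiedBy(Authentication, Set<AuthenticationHandler>).
 */
public class EveryHandlerSucceededPolicy implements AuthenticationPolicy {

    @Override
    public boolean isSatisfiedBy(final Authentication authn,
                                 final Set<AuthenticationHandler> handlers) throws Exception {
        // Any recorded failure denies, whatever else succeeded.
        if (!authn.getFailures().isEmpty()) {
            return false;
        }
        // Names of the handlers that actually produced a success.
        final Set<String> succeeded = authn.getSuccesses().keySet();
        // Names of every handler that was registered for this transaction.
        final Set<String> expected = handlers.stream()
            .map(AuthenticationHandler::getName)
            .collect(Collectors.toSet());
        // An empty handler set must not be treated as "all succeeded".
        return !expected.isEmpty() && succeeded.containsAll(expected);
    }
}

/** Hooks the policy into the execution plan; the bean name is hypothetical. */
@Configuration("everyHandlerSucceededPolicyConfiguration")
class EveryHandlerSucceededPolicyConfiguration implements AuthenticationEventExecutionPlanConfigurer {
    @Override
    public void configureAuthenticationExecutionPlan(final AuthenticationEventExecutionPlan plan) {
        plan.registerAuthenticationPolicy(new EveryHandlerSucceededPolicy());
    }
}
```

In an overlay the configuration class still has to be made visible to Spring (for example via META-INF/spring.factories) before CAS will load it, and TRACE logging in the authentication package is the quickest way to confirm the policy is actually being evaluated.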

David Curry

Jan 17, 2019, 7:41:06 AM
to cas-...@apereo.org
Hi Daniel, thanks for your response. I spent a lot of time looking at those. And although it's likely that we will ultimately need to write our own policy or authentication handler, I was wanting to play with the existing ones to see if we could do anything interesting with them.

But I was having difficulty getting them actually enabled with the configuration file lines as described in the documentation. Running at TRACE level in the authentication code, I was always seeing the "any" policy getting run, and the "notPrevented" if it was enabled, but I never saw any of the others getting executed, even if enabled. And the "any" policy seems to run even if you explicitly set "cas.authn.policy.any.enabled=false", which just seems wrong to me.

At the end of the day it may not matter as I don't think the existing things will do what we want, but I haven't seen anything in the forum at all about this stuff except one other unanswered question, so I was wondering if there was anyone out there using it successfully.

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
THE NEW SCHOOL INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu



