AUP and X509 authentication


Curtis Ruck

Aug 29, 2018, 9:11:44 AM
to CAS Community
I'm trying to configure the aup-webflow and x509-webflow.  It seems that when a user logs in with username/password they hit the aup-webflow, but when a user logs in with x509 it skips the AUP flow.

I don't understand Spring Webflow, and have no clue what I'm looking for or at, but it seems that either the x509 webflow completely skips AUP, or the AUP webflow is somehow transitioning past the AUP view.

I'm not using an AUP persistence (intentionally), so the AUP already accepted is only kept in memory.

Andy Ng

Aug 31, 2018, 2:58:20 AM
to CAS Community
Hi Curtis,

I didn't use either AUP or X509 as my authentication webflow myself, so I won't comment on whether or not either of them has bugs.

However, it seems like you might have set the CAS authentication policy to Any (See https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties.html#authentication-policy), 
Any is the default authentication policy in CAS so you might not even realize you have set it to that.

I think you might want to set CAS authentication policy to All, (put "cas.authn.policy.all.enabled=true" into your cas.properties if you are using CAS 5.3.x)

Read this (https://apereo.github.io/cas/5.3.x/installation/Configuring-Authentication-Components.html#authentication-policy) or see the (highly simplified) graph below for the difference between the CAS authentication policies All and Any.

[temp.png: simplified graph of CAS authentication policy All vs Any, using LDAP and Database as the two authentication handlers]
I am using LDAP and Database as an example, but for your case it should be AUP & X509. As you can see, setting the CAS authentication policy to All seems to match your requirement.

See if the above helps you!

Cheers!
-Andy

Andy Ng

Aug 31, 2018, 3:13:45 AM
to CAS Community
Hi Curtis,

Please disregard my answer, I was thinking AUP is an authentication method and it is not, oops. Maybe others can help instead.

- Andy 

Curtis Ruck

Sep 13, 2018, 10:58:53 PM
to CAS Community
So, I'm trying to dig into this more.

I remember how this worked in 3.x.  It was just a giant xml file describing state to state transitions.

It appears that somehow I need to do one of these:

1) get aup webflow to recognize x509's presence and inject itself there
2) get x509 webflow to recognize aup's presence
3) create new x509 aup webflow when both are present

Now, on trying to understand CAS's usage of webflow, I've read the blog post https://apereo.github.io/2018/06/19/cas53webflow-extensions/

So how can I get a map of the existing transitions, so I know where I need to inject a transition from x509check to AUP instead of create ticket granting ticket?

Curtis Ruck

Sep 24, 2018, 11:58:24 AM
to CAS Community
So I finally solved this... and the resolution, IMHO sucks.

I essentially had to remove the cas-server-support-x509-webflow dependency and recreate the entire project inside my own extensions; the only change was changing the target of the SUCCESS transition to the verify AUP state, and adding an additional dependency (@DependsOn) on the AUP webflow in the Configuration class.

I really really don't like having to copy+paste multiple files, just to make small tweaks.  This is a perfect example in my opinion, where getting rid of the spring xml configuration makes this more difficult.

Now upgrading to CAS 6 will be even more difficult, because I'll have to update all these copied classes to their CAS 6 versions.

Andy Ng

Sep 24, 2018, 12:45:56 PM
to CAS Community
Hi Curtis,

> So I finally solved this
Great that you solved it.

>  essentially had to remove the cas-server-support-x509-webflow dependency... where getting rid of the spring xml configuration makes this more difficult
There is no need to remove the entire dependency to make small changes; the ability to do small tweaks is still there, just in a different form than Spring XML.

I do not have your source code so I cannot pinpoint exactly what you did, but I think you have edited something in this file -

If so, you can try the following (I haven't tried it yet, it might not work out of the box, and I am not accountable if the code breaks on you):
1. Keep the cas-server-support-x509-webflow dependency; there is no need to discard it.
2. spring.factories (src/main/resources/META-INF/spring.factories)
org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
mydomain.com.example.MyDomainX509AuthenticationWebflowConfiguration

3. MyDomainX509AuthenticationWebflowConfiguration.java (src/main/java/yourdomain/MyDomainX509AuthenticationWebflowConfiguration.java)

import lombok.extern.slf4j.Slf4j;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.web.flow.CasWebflowConfigurer;
import org.apereo.cas.web.flow.CasWebflowExecutionPlan;
import org.apereo.cas.web.flow.CasWebflowExecutionPlanConfigurer;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import org.springframework.webflow.definition.registry.FlowDefinitionRegistry;
import org.springframework.webflow.engine.builder.support.FlowBuilderServices;

@Configuration("myDomainX509AuthenticationWebflowConfiguration")
@EnableConfigurationProperties(CasConfigurationProperties.class)
@Slf4j
public class MyDomainX509AuthenticationWebflowConfiguration implements CasWebflowExecutionPlanConfigurer {

    @Autowired(required = false)
    @Qualifier("loginFlowRegistry")
    private FlowDefinitionRegistry loginFlowDefinitionRegistry;

    @Autowired(required = false)
    private FlowBuilderServices flowBuilderServices;

    @Autowired
    private ApplicationContext applicationContext;

    @Autowired
    private CasConfigurationProperties casProperties;

    // @DependsOn is not a repeatable annotation: list every bean it must wait for in one array.
    @Bean
    @DependsOn({"defaultWebflowConfigurer", "YOUR_OWN_DEPENDENCY"})
    public CasWebflowConfigurer x509WebflowConfigurer() {
        return new MyDomainX509WebflowConfigurer(flowBuilderServices, loginFlowDefinitionRegistry, applicationContext, casProperties);
    }

    // Hand the configurer to the webflow execution plan, as the stock
    // X509AuthenticationWebflowConfiguration does for its own bean.
    @Override
    public void configureWebflowExecutionPlan(final CasWebflowExecutionPlan plan) {
        plan.registerWebflowConfigurer(x509WebflowConfigurer());
    }
}

4. MyDomainX509WebflowConfigurer.java (src/main/java/yourdomain/MyDomainX509WebflowConfigurer.java)
Edit what you need inside "https://github.com/apereo/cas/blob/v5.3.3/support/cas-server-support-x509-webflow/src/main/java/org/apereo/cas/web/flow/X509WebflowConfigurer.java", you could even use super.doInitialize() to reduce the code needed to be copied.


Then you should be able to edit only the necessary part inside your CAS without replacing the entire project. Is this similar to what you have in mind?

Cheers!
- Andy

Curtis Ruck

Sep 24, 2018, 4:10:04 PM
to cas-...@apereo.org
That is what I tried initially, but the transition from success to create TGT was still happening.  It wasn't until I removed it that I could stop that transition, and instead send it to AUP.

I believe the reason I couldn't just provide my own x509WebflowConfigurer bean in lieu of the default one is the way that specific Configuration class works.  It implements CasWebflowExecutionPlanConfigurer, and that method calls x509WebflowConfigurer() directly, which means it doesn't get autowired in; it gets called directly.

--
Curtis Ruck


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5bb54980-4ae9-4ea2-a5b4-b5031aeaa11d%40apereo.org.

Andy Ng

Sep 24, 2018, 10:49:25 PM
to CAS Community
Hi Curtis,

Ah I missed to mention something, 

when you try to override a bean inside a Configuration class, whether or not the override actually succeeds depends on the load sequence. Whichever one loads last will be the actual bean used.

To make sure your defined bean takes effect, you might need to use the @Import annotation.

So you could try out the following:
===========================================================================================
@Configuration("myDomainX509AuthenticationWebflowConfiguration")
@EnableConfigurationProperties(CasConfigurationProperties.class)
@Slf4j
@Import(X509AuthenticationWebflowConfiguration.class)
public class MyDomainX509AuthenticationWebflowConfiguration implements CasWebflowExecutionPlanConfigurer {

..........

===========================================================================================

If this still doesn't work, then maybe you need to stick to your solution...

Cheers!
- Andy
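The security-relevant effect described at the top of the thread is that a certificate login skips the acceptable-use gate that a password login is held to. The following is an added example, not code from the thread or from the CAS project, that pulls together Andy's suggestions (keep the stock x509 dependency, register your own @Configuration through spring.factories) and the one change Curtis needed (send the x509 success transition to the AUP check instead of straight to ticket creation). It deliberately does not try to replace the x509WebflowConfigurer bean, which Curtis found the stock configuration bypasses by calling its own bean method directly; instead it registers one more configurer with the lowest precedence so it initializes after the stock x509 and AUP configurers and rewires a single transition. Import paths, the createTransitionForState(state, event, target, removeExisting) signature and the setOrder() setter are as in CAS 5.3.x to the best of my knowledge; the package name, the state ids STATE_ID_X509_START and STATE_ID_AUP_CHECK, and the AUP bean name acceptableUsagePolicyWebflowConfigurer are assumptions to check against your build.

```java
// Added example for this thread; not code from the CAS project. CAS 5.3.x import
// paths assumed; package, state ids and the AUP bean name below are assumptions.
package com.example.cas.webflow;

import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.web.flow.AbstractCasWebflowConfigurer;
import org.apereo.cas.web.flow.CasWebflowConfigurer;
import org.apereo.cas.web.flow.CasWebflowConstants;
import org.apereo.cas.web.flow.CasWebflowExecutionPlan;
import org.apereo.cas.web.flow.CasWebflowExecutionPlanConfigurer;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import org.springframework.core.Ordered;
import org.springframework.webflow.definition.registry.FlowDefinitionRegistry;
import org.springframework.webflow.engine.Flow;
import org.springframework.webflow.engine.Transition;
import org.springframework.webflow.engine.TransitionableState;
import org.springframework.webflow.engine.builder.support.FlowBuilderServices;

/**
 * Registered via src/main/resources/META-INF/spring.factories:
 *   org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
 *   com.example.cas.webflow.X509AupWebflowConfiguration
 * The stock x509 and AUP webflow dependencies stay in the build; nothing is copied.
 */
@Configuration("x509AupWebflowConfiguration")
@EnableConfigurationProperties(CasConfigurationProperties.class)
public class X509AupWebflowConfiguration implements CasWebflowExecutionPlanConfigurer {

    @Autowired
    @Qualifier("loginFlowRegistry")
    private FlowDefinitionRegistry loginFlowDefinitionRegistry;
    @Autowired
    private FlowBuilderServices flowBuilderServices;
    @Autowired
    private ApplicationContext applicationContext;
    @Autowired
    private CasConfigurationProperties casProperties;

    // Stock configurer bean names (the AUP one is assumed); this bean is created after them.
    @Bean
    @DependsOn({"x509WebflowConfigurer", "acceptableUsagePolicyWebflowConfigurer"})
    public CasWebflowConfigurer x509AupWebflowConfigurer() {
        return new X509AupWebflowConfigurer(flowBuilderServices, loginFlowDefinitionRegistry,
            applicationContext, casProperties);
    }

    @Override
    public void configureWebflowExecutionPlan(final CasWebflowExecutionPlan plan) {
        plan.registerWebflowConfigurer(x509AupWebflowConfigurer());
    }

    /** Initializes after the stock configurers and rewires exactly one transition. */
    static class X509AupWebflowConfigurer extends AbstractCasWebflowConfigurer {
        // Assumed state ids; confirm them with describeTransitions() on your build.
        static final String STATE_ID_X509_START = "startX509Authenticate";
        static final String STATE_ID_AUP_CHECK = "acceptableUsagePolicyCheck";

        X509AupWebflowConfigurer(final FlowBuilderServices flowBuilderServices,
                                 final FlowDefinitionRegistry loginFlowDefinitionRegistry,
                                 final ApplicationContext applicationContext,
                                 final CasConfigurationProperties casProperties) {
            super(flowBuilderServices, loginFlowDefinitionRegistry, applicationContext, casProperties);
            setOrder(Ordered.LOWEST_PRECEDENCE); // run last, assuming the plan honours Ordered
        }

        @Override
        protected void doInitialize() {
            final Flow flow = getLoginFlow();
            // If either module is absent, leave the flow alone rather than dangle a transition.
            if (flow == null || !flow.containsState(STATE_ID_X509_START)
                || !flow.containsState(STATE_ID_AUP_CHECK)) {
                return;
            }
            final TransitionableState x509 = flow.getTransitionableState(STATE_ID_X509_START);
            // Stock: success -> createTicketGrantingTicket. Route through the AUP check instead,
            // so a certificate login is gated by the policy exactly like a password login.
            // removeExisting=true is the point: a TransitionSet returns the first transition
            // matching an event id, so merely adding a second "success" edge would never fire.
            createTransitionForState(x509, CasWebflowConstants.TRANSITION_ID_SUCCESS,
                STATE_ID_AUP_CHECK, true);
        }
    }

    /** The "map of existing transitions" asked for earlier: one "state --event--> target" per line. */
    public static String describeTransitions(final Flow flow) {
        final StringBuilder sb = new StringBuilder();
        for (final String stateId : flow.getStateIds()) {
            if (!(flow.getState(stateId) instanceof TransitionableState)) {
                continue;
            }
            for (final Transition t : ((TransitionableState) flow.getState(stateId)).getTransitionSet().toArray()) {
                sb.append(stateId).append(" --").append(t.getId()).append("--> ").append(t.getTargetStateId()).append('\n');
            }
        }
        return sb.toString();
    }
}
```

Call describeTransitions(getLoginFlow()) from a debugger breakpoint or a temporary log line inside doInitialize(), once before and once after the rewrite, to confirm the state ids and that the x509 success edge now points at the AUP check. Only that one edge changes because the AUP configurer's own transitions out of its check state already carry an accepted policy on to ticket creation; verify that on your build from the same dump. @DependsOn only orders bean creation, not configurer initialization, which is what setOrder() addresses and which, as Colin's approach also relies on, only works if the execution plan sorts its configurers by Ordered.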

Colin Wilkinson

Sep 24, 2018, 11:51:48 PM
to CAS Community
Hi,

I had to do something similar for Password Management and did not want to recreate everything. So the solution I came up with was to remove the passwordManagementWebflowConfigurer from the execution plan, set its order to one step before my configurer, and re-add the passwordManagementWebflowConfigurer.

It's a serious issue and a pain that you can't set a definite order on items like these CasWebflowConfigurers that actually rely on the order to execute. This needs to be configurable.

I hope this helps.

    // Imports needed by the fragment below (CAS 5.3.x package names); the enclosing
    // @Configuration class, annotated with @Slf4j to provide LOGGER, is not shown in the post.
    import lombok.extern.slf4j.Slf4j;
    import org.apereo.cas.pm.web.flow.PasswordManagementWebflowConfigurer;
    import org.apereo.cas.web.flow.CasWebflowConfigurer;
    import org.apereo.cas.web.flow.CasWebflowExecutionPlan;
    import org.springframework.aop.framework.Advised;
    import org.springframework.aop.support.AopUtils;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.beans.factory.annotation.Qualifier;
    import org.springframework.core.Ordered;

    @Autowired
    @Qualifier("passwordManagementWebflowConfigurer")
    private CasWebflowConfigurer passwordManagementWebflowConfigurer;

    @Override
    public void configureWebflowExecutionPlan(final CasWebflowExecutionPlan plan) {
        // Drop the stock configurer from the plan so it can be re-added with an explicit order.
        plan.getWebflowConfigurers().removeIf(casWebflowConfigurer -> casWebflowConfigurer.getName().equals(passwordManagementWebflowConfigurer.getName()));
        // One step ahead of the custom configurer, which keeps the default order.
        final int order = Ordered.LOWEST_PRECEDENCE - 100;

        try {
            // The bean may be a JDK proxy; unwrap it to reach the concrete class and its setOrder().
            if (AopUtils.isJdkDynamicProxy(passwordManagementWebflowConfigurer)) {
                ((PasswordManagementWebflowConfigurer) ((Advised) passwordManagementWebflowConfigurer).getTargetSource().getTarget()).setOrder(order);
            } else {
                ((PasswordManagementWebflowConfigurer) passwordManagementWebflowConfigurer).setOrder(order);
            }
        } catch (final Exception exception) {
            LOGGER.error("The following error occurred during reconfigure of startup sequence.", exception);
        }

        // Stock configurer first, then the custom one (its @Bean method is not shown in the post).
        plan.registerWebflowConfigurer(passwordManagementWebflowConfigurer);
        plan.registerWebflowConfigurer(vicUniPasswordManagementWebflowReconfigurer());
    }

Curtis Ruck

Sep 25, 2018, 3:41:45 PM
to CAS Community
While that looks like it would address the issue, I believe I will wait, as my copy-and-pasted solution works now.  I really dislike the arbitrary nature of CAS now; while the XML wasn't easy/fun, I definitely think we've gone backwards now.