Context: CAS 7.3.4 / Redis 8 for tickets, services and MFA devices
Hi,
I would like to try the trigger defined here:
https://apereo.github.io/cas/7.3.x/mfa/Configuring-Multifactor-Authentication-Triggers-Global-PrincipalAttribute-Predicate.html.
I've set this:
    cas.authn.mfa.triggers.principal.global-principal-attribute-predicate.location: file:/etc/cas/config/mfa_predicate.groovy
But... this script is not evaluated when starting the webapp or in the authentication flow...
Nothing in the logs.
All other groovies are being evaluated in my context such as cas.authn.mfa.groovy-script.location, cas.authn.mfa.gauth.bypass.groovy.location, etc. without any problem.
Did I miss something?
Some of the deps I used to compile:
    // MFA TOTP
    implementation "org.apereo.cas:cas-server-support-gauth"
    implementation "org.apereo.cas:cas-server-support-gauth-core"
    implementation "org.apereo.cas:cas-server-support-gauth-core-mfa"
    implementation "org.apereo.cas:cas-server-support-gauth-redis"
    // MFA FIDO2 WEBAUTHN
    implementation "org.apereo.cas:cas-server-support-webauthn"
    implementation "org.apereo.cas:cas-server-support-webauthn-redis"
    // MFA TRUSTED DEVICE
    implementation "org.apereo.cas:cas-server-support-trusted-mfa"
    implementation "org.apereo.cas:cas-server-support-trusted-mfa-redis"
    implementation "org.apereo.cas:cas-server-support-redis-authentication"
    implementation "org.apereo.cas:cas-server-support-redis-core"
    // GROOVY SCRIPTING
    implementation "org.apereo.cas:cas-server-core-scripting"
For info, the content of the Groovy script /etc/cas/config/mfa_predicate.groovy is below, but anyway, it does not seem to be read:
    import org.apereo.cas.authentication.*
    import java.util.function.*
    import org.apereo.cas.services.*
    class PredicateExample implements Predicate<MultifactorAuthenticationProvider> {
        def service
        def principal
        def providers
        def logger
        public PredicateExample(service, principal, providers, logger) {
            this.service = service
            this.principal = principal
            this.providers = providers
            this.logger = logger
        }
        @Override
        boolean test(final MultifactorAuthenticationProvider p) {
            logger.info("Testing provider {}", p.getId())
            if (p.matches("mfa-gauth")) {
                logger.info("Provider {} is available. Checking eligibility...", p.getId())
                if (p.isAvailable(this.service)) {
                    logger.info("Provider {} matched. Good to go!", p.getId())
                    return true;
                }
                logger.info("Skipping provider {}. Match failed.", p.getId())
                return false;
            }
            logger.info("Provider {} cannot be reached", p.getId())
            return false
        }
    }