CAS 5.2.3 - Spnego evaluateClientRequest


Arnaud N.

Mar 8, 2018, 7:19:46 AM
to CAS Community
Hello everyone,

I have successfully configured CAS 5.2.3 to work with CAS and SPNEGO/Kerberos, but I was not able to restrict SPNEGO to certain IPs/hostnames.
I looked into the code and I found this class: SpengoWebflowConfigurer, with the action "evaluateClientRequest" (which is described in the configuration here: client-selection-strategy).
I tried to set the parameter cas.authn.spnego.hostNameClientActionStrategy to hostnameSpnegoClientAction without success, so I removed it since its default value is "hostnameSpnegoClientAction".

I have a poor understanding of Spring Webflow, but I figured out that this method is supposed to trigger the "evaluateClientRequest" action (configured in getHostNameClientActionStrategy):

    // Registers the EVALUATE_SPNEGO_CLIENT action state: the configured client-selection
    // action decides, from the client's hostname/IP, whether this request should go through SPNEGO.
    private void createEvaluateSpnegoClientAction(final Flow flow) {
        final ActionState evaluateClientRequest = createActionState(flow, EVALUATE_SPNEGO_CLIENT,
                createEvaluateAction(casProperties.getAuthn().getSpnego().getHostNameClientActionStrategy()));
        // "yes" -> start SPNEGO authentication; "no" -> go back to the flow's start state
        evaluateClientRequest.getTransitionSet().add(createTransition(CasWebflowConstants.TRANSITION_ID_YES, START_SPNEGO_AUTHENTICATE));
        evaluateClientRequest.getTransitionSet().add(createTransition(CasWebflowConstants.TRANSITION_ID_NO, getStartState(flow)));
    }

However, I don't understand how CAS makes the transition toward the EVALUATE_SPNEGO_CLIENT state; I tried looking for a transition in the code but I couldn't find any.
So I copied this class into my overlay project and made a few changes.

First I tried this:

    // Overlay change: when the initLoginForm state succeeds, jump to the SPNEGO evaluation state
    private void augmentWebflowToStartSpnego(final Flow flow) {
        final ActionState state = getState(flow, CasWebflowConstants.STATE_ID_INIT_LOGIN_FORM, ActionState.class);
        createTransitionForState(state, CasWebflowConstants.TRANSITION_ID_SUCCESS, EVALUATE_SPNEGO_CLIENT, true);
    }

And it worked OK as far as the "evaluate" part goes: I could see in the log the HostNameSpnegoKnownClientSystemsFilterAction class working to decide whether my request should be authenticated with SPNEGO or CAS.
But then the webflow entered a loop and ended up with a StackOverflowError.

So I changed this:

    private void createEvaluateSpnegoClientAction(final Flow flow) {
        final ActionState evaluateClientRequest = createActionState(flow, EVALUATE_SPNEGO_CLIENT,
                createEvaluateAction(casProperties.getAuthn().getSpnego().getHostNameClientActionStrategy()));
        evaluateClientRequest.getTransitionSet().add(createTransition(CasWebflowConstants.TRANSITION_ID_YES, START_SPNEGO_AUTHENTICATE));
        // "no" now goes straight to the login form view instead of the start state,
        // which re-entered this evaluation state and caused the loop
        evaluateClientRequest.getTransitionSet().add(createTransition(CasWebflowConstants.TRANSITION_ID_NO, CasWebflowConstants.STATE_ID_VIEW_LOGIN_FORM));
    }

And now everything is working.

My questions are:

  • Since v5.1.x the CAS documentation skips this step of the webflow configuration: spnego webflow configuration (from 5.0.x). Is it on purpose? Does this mean that the webflow should configure itself regarding the client request evaluation? If so, have I done something wrong? (I am clueless here; I have the feeling that modifying the class SpengoWebflowConfigurer to make it work is somehow a bad practice ...)
  • If what I did is right, why not make it the default behavior and set these default values: hostNamePatternString=".+" (already the case) and ipsToCheckPattern=".+", which would trigger SPNEGO authentication for every request (if I am right) ...
Thank you for your time!

Arnaud

Arnaud N.

Mar 8, 2018, 8:22:13 AM
to CAS Community
I realise that my first sentence is not very clear:

"I have successfully configured CAS 5.2.3 to work with CAS and SPNEGO/Kerberos, but I was not able to restrict SPNEGO to certain IPs/hostnames."

=> What I want to do is configure CAS to authenticate users by login/password OR SPNEGO depending on the service they want to use.

Arnaud N.

Mar 8, 2018, 11:49:08 AM
to CAS Community
Hello,

Turns out there is a simple way of doing what I want; it is detailed here: Configuring-Service-Required-AuthN

If I want to trigger SPNEGO for a specific service, I just have to add this line to the service definition (example with JSON):

"requiredHandlers" : [ "java.util.HashSet", [ "JcifsSpnegoAuthenticationHandler" ] ],
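A complete JSON service definition built around that line, added here as an example and not taken from the original post (the serviceId, name, id and description values are constructed placeholders): the "requiredHandlers" entry means CAS only issues a ticket for this service when the named SPNEGO handler was among the handlers that authenticated the session, while a service definition without that entry keeps accepting the normal login form.

```json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://intranet\\.example\\.org/.*",
  "name" : "Intranet",
  "id" : 1001,
  "description" : "Constructed example: Kerberos/SPNEGO authentication is mandatory for this service; password logins are not accepted for it",
  "requiredHandlers" : [ "java.util.HashSet", [ "JcifsSpnegoAuthenticationHandler" ] ]
}
```

With the JSON service registry this would be stored as one file per service, named after the service name and id (Intranet-1001.json for the values assumed above).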

