Workflow for SPNEGO partly broken with 5.0.0-RC3

Felix Schumacher

Oct 5, 2016, 6:40:03 AM
to Cas User
Hi all,

I have updated my test environment from 5.0.0-RC2 to 5.0.0-RC3 and
noticed that the SPNEGO workflow is broken when a wrong Kerberos
ticket is sent.

With RC2 I got the LDAP backed Login form, while RC3 shows me an error
page with the following error snippet on it:

Error: No transition was matched on the event(s) signaled by the [1]
action(s) that executed in this action state 'spnego' of flow 'login';
transitions must be defined to handle action result outcomes -- possible
flow configuration error? Note: the eventIds signaled were:
'array<String>['authenticationFailure']', while the supported set of
transitional criteria for this action state is
'array<TransitionCriteria>[success, error]'

The browser gets the first 401 response as it should and responds with a
request containing the Negotiate header. That triggers the 500 response
with the snippet above.

If I call the login webflow with a browser that is not issuing Kerberos
tickets, I can use the login form successfully.

If I call the login webflow with a correct Kerberos ticket, I get logged
in OK, too.

My workflow's only modification is:

@@ -25,7 +25,7 @@

<action-state id="initializeLoginForm">
<evaluate expression="initializeLoginAction" />
- <transition on="success" to="startSpnegoAuthenticate"/>
+ <transition on="success" to="viewLoginForm"/>
</action-state>

<view-state id="viewLoginForm" view="casLoginView"
model="credential">
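
Review bot: On the `initializeLoginForm` state, the `+` line sends `success` to `viewLoginForm` and drops the jump to `startSpnegoAuthenticate`, which reads as reversed for a flow that is meant to try SPNEGO before showing the form; confirm the direction of the diff. The hunk also leaves the `spnego` action state untouched, and that is the state the error names as accepting only `success` and `error`, so the `authenticationFailure` outcome needs a transition defined where that state is configured, for example one leading to `viewLoginForm` so that a rejected ticket falls back to the login form as it did with RC2.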


Any ideas?

Felix

Philippe MARASSE

Oct 5, 2016, 8:07:18 AM
to cas-...@apereo.org
Hi,

Flow processing complains about a missing "authenticationFailure"
transition; I suspect that's a side effect of a recent modification made
to get SPNEGO working with MFA (Yubikey in our test case).

As the SPNEGO transition is no longer handled in the XML file, I think you
need a change in the Configuration class.

Regards.
--
Philippe MARASSE

Misagh Moayyed

Oct 6, 2016, 7:22:44 AM
to cas-...@apereo.org, Philippe MARASSE
Looks like a bug also. File, and please include full web flow logs. 

-- 
Misagh
Philippe MARASSE

Oct 7, 2016, 9:13:48 AM
to cas-...@apereo.org
Faster than light! It seems that you've already fixed that transition (commit c8b80250bdbbcc4e7435c4831500597681bf7b78)

Thank you.
Regards.