How to force CAS to examine credentials for a service with a named handler, when the user has permissions in both handlers and different passwords?


artur miś

Dec 9, 2021, 9:56:04 AM
to CAS Community
I think I'm rewriting my last post, I really apologize for that, folks, maybe with a better question. Please folks, don't kill me.


env: cas-overlay 6.3.x
At the beginning I would like to ask how CAS starts examining handlers: is it random or deterministic, from which handler does CAS start when the user posts credentials to CAS?

I don't know if I understood well. I understood that it is deterministic, but I cannot see this (I sometimes get everest, sometimes rysy, after restarting CAS); maybe the order number of the handlers, if we put it in cas.properties, does this. But for a service, how do we start examining the credentials from the handler we want? The order in cas.properties doesn't look right, because for one service you want one order and for the second service another order, so it is probably stupid.

I am asking about it because if a web user or a curl API client tests a service, CAS can start examining from one of the 2 handlers I have, sometimes from the first handler, sometimes from the second handler (after restarting CAS). I have had a policy like tryAll = false/true. If it started from everest_365 like below and the user has rights in this handler (everest_365)


I believed that tryAll doesn't work if one handler didn't give a successful auth for the user because of the policy. It seems it works in a different way.

[ configuration

cas.authn.policy.source-selection-enabled=false
cas.authn.policy.required-handler-authentication-policy-enabled=true
cas.authn.policy.req.try-all=false

"authenticationPolicy": {
        "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "rysy" ]],
        "criteria": {
            "tryAll": false,
            "@class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"
        },
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
    },
]
In this case CAS didn't try to examine other handlers like rysy, probably because the authentication succeeded. Could anybody confirm? And how to avoid getting the dedicated handler working while the user has rights in both handlers? The second handler I would like to use for another service.




I think that tryAll=true/false doesn't matter. It looks like that is how it works now.

For test purposes I have only 2 AD handlers: rysy, everest_365, and user=kowalski.
Kowalski has rights in rysy and everest_365, but I would like to authenticate kowalski only via rysy to the service even if kowalski has rights in everest_365.


So how to force CAS to start examining handlers from rysy? I don't even know if it is possible nowadays.

  ____  _____    _    ______   __
 |  _ \| ____|  / \  |  _ \ \ / /
 | |_) |  _|   / _ \ | | | \ V /
 |  _ <| |___ / ___ \| |_| || |
 |_| \_\_____/_/   \_\____/ |_|

>
2021-12-09 12:29:06,575 INFO [org.apereo.cas.web.CasWebApplication] - <>
2021-12-09 12:29:06,575 INFO [org.apereo.cas.web.CasWebApplication] - <Ready to process requests @ [2021-12-09T12:29:06.575Z]>
2021-12-09 12:29:06,986 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [2] service(s) from [JsonServiceRegistry].>
2021-12-09 12:29:09,999 INFO [org.springframework.web.servlet.DispatcherServlet] - <Initializing Servlet 'dispatcherServlet'>
2021-12-09 12:29:10,026 INFO [org.springframework.web.servlet.DispatcherServlet] - <Completed initialization in 27 ms>
2021-12-09 12:29:10,226 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication credentials provided for this transaction are [[UsernamePasswordCredential(username=kowalski, source=null, customFields={})]]>
2021-12-09 12:29:10,229 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Candidate/Registered authentication handlers for this transaction are [[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@389a1e34, org.apereo.cas.authentication.LdapAuthenticationHandler@720c8f80, org.apereo.cas.authentication.LdapAuthenticationHandler@8b89b3a]]>
2021-12-09 12:29:10,229 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Authentication handler resolvers for this transaction are [[org.apereo.cas.authentication.handler.RegisteredServiceAuthenticationHandlerResolver@6a97517]]>
2021-12-09 12:29:10,231 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Authentication handler resolvers produced no candidate authentication handler. Using the default handler resolver instead...>
2021-12-09 12:29:10,232 DEBUG [org.apereo.cas.authentication.AuthenticationHandlerResolver] - <Default authentication handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler,everest_365,rysy]>
<---
Here I don't understand why the default handlers are both everest and rysy?
I have only rysy for the service in "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "rysy" ]]

2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Resolved and finalized authentication handlers to carry out this authentication transaction are [[org.apereo.cas.authentication.handler.RegisteredServiceAuthenticationHandlerResolver@6a97517]]>
2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Candidate resolved authentication handlers for this transaction are [[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@389a1e34, org.apereo.cas.authentication.LdapAuthenticationHandler@720c8f80, org.apereo.cas.authentication.LdapAuthenticationHandler@8b89b3a]]>
2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting to authenticate credential [UsernamePasswordCredential(username=kowalski, source=null, customFields={})]>
2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication handler [HttpBasedServiceCredentialsAuthenticationHandler] does not support the credential type [UsernamePasswordCredential(username=kowalski, source=null, customFields={})]. Trying next...>
2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Examining credential [UsernamePasswordCredential(username=kowalski, source=null, customFields={})] eligibility for authentication handler [everest_365]>
2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Credential [UsernamePasswordCredential(username=kowalski, source=null, customFields={})] eligibility is [everest_365] for authentication handler [true]>
2021-12-09 12:29:10,233 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting authentication of [kowalski] using [everest_365]>
2021-12-09 12:29:15,421 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Transforming credential username via [org.apereo.cas.util.transforms.ChainingPrincipalNameTransformer]>
2021-12-09 12:29:15,422 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Attempting to encode credential password via [org.springframework.security.crypto.password.NoOpPasswordEncoder] for [kowalski]>
2021-12-09 12:29:15,422 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Attempting authentication internally for transformed credential [UsernamePasswordCredential(username=kowalski, source=null, customFields={})]>
2021-12-09 12:29:15,422 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for [UsernamePasswordCredential(username=kowalski, source=null, customFields={})]. Authenticator pre-configured attributes are [null], additional requested attributes for this authentication request are [[sAMAccountName, displayName, givenName, otherMailbox, cn, sn]]>


2021-12-09 12:29:15,785 DEBUG [org.apereo.cas.authentication.policy.RequiredHandlerAuthenticationPolicyFactory] - <Required authentication handlers for this service [Test] are [[rysy]]>



2021-12-09 14:13:06,703 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: kowalski
WHAT: https://example.org/pz
ACTION: SERVICE_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Thu Dec 09 14:13:06 GMT 2021
CLIENT IP ADDRESS: ******
SERVER IP ADDRESS: ******
=============================================================

>
2021-12-09 14:13:06,704 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: kowalski
WHAT: org.apereo.cas.ticket.UnsatisfiedAuthenticationPolicyException
ACTION: REST_API_SERVICE_TICKET_FAILED
APPLICATION: CAS
WHEN: Thu Dec 09 14:13:06 GMT 2021
CLIENT IP ADDRESS: *****
SERVER IP ADDRESS: *****
=============================================================

>
2021-12-09 14:13:06,705 ERROR [org.apereo.cas.support.rest.resources.ServiceTicketResource] - <UnsatisfiedAuthenticationPolicyException>
org.apereo.cas.ticket.UnsatisfiedAuthenticationPolicyException: null
        at org.apereo.cas.AbstractCentralAuthenticationService.getAuthenticationSatisfiedByPolicy(AbstractCentralAuthenticationService.java:184) ~[cas-server-core-6.3.2.jar!/:6.3.2]
        at org.apereo.cas.DefaultCentralAuthenticationService.grantServiceTicket(DefaultCentralAuthenticationService.java:109) ~[cas-server-core-6.3.2.jar!/:6.3.2]
        at org.apereo.cas.DefaultCentralAuthenticationService$$FastClassBySpringCGLIB$$b02e48f2.invoke(<generated>) ~[cas-server-core-6.3.2.jar!/:6.3.2]
        at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:771) ~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
etc
Regards.
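The flow visible in the log and stack trace above, as a Python model added to this thread (it is not CAS source code): handlers are walked in their resolved order, the transaction stops at the first success unless tryAll is set, and the service's requiredAuthenticationHandlers policy is only evaluated when the service ticket is granted, which is where UnsatisfiedAuthenticationPolicyException comes from. Handler names and the user are the poster's; the directory contents and passwords are constructed, and the `candidates` parameter is an assumption modelling a handler resolver that already knows the target service and filters the list to its required handlers (the log says no resolver produced candidates).

```python
"""Model of the CAS 6.3 behaviour visible in the posted log.

Added illustration for this thread, not CAS code. Handler names and the
user come from the post; passwords and directory contents are constructed.
"""
from dataclasses import dataclass, field


class AuthenticationException(Exception):
    """One handler rejected the credential."""


class UnsatisfiedAuthenticationPolicyException(Exception):
    """Raised at service-ticket time, as in the posted stack trace."""


@dataclass
class Handler:
    name: str
    accounts: dict          # constructed: username -> password

    def authenticate(self, username, password):
        if self.accounts.get(username) != password:
            raise AuthenticationException(f"{self.name} rejected {username}")


@dataclass
class Authentication:
    principal: str
    successes: set = field(default_factory=set)
    failures: dict = field(default_factory=dict)


def authenticate(handlers, username, password, try_all=False, candidates=None):
    """`handlers` is the resolved order (the log shows everest_365 before rysy).
    `candidates` (assumed) models a resolver that knows the target service and
    keeps only its required handlers; None models the log line
    'resolvers produced no candidate authentication handler'."""
    auth = Authentication(principal=username)
    for h in handlers:
        if candidates is not None and h.name not in candidates:
            continue
        try:
            h.authenticate(username, password)
        except AuthenticationException as exc:
            auth.failures[h.name] = str(exc)
            continue
        auth.successes.add(h.name)
        if not try_all:
            break               # tryAll=false: first success ends the transaction
    if not auth.successes:
        raise AuthenticationException("no handler accepted the credential")
    return auth


def grant_service_ticket(auth, required_handlers):
    """requiredAuthenticationHandlers check at ST time: every named handler
    must be among the handlers that actually succeeded."""
    if not set(required_handlers) <= auth.successes:
        raise UnsatisfiedAuthenticationPolicyException(
            f"need {sorted(required_handlers)}, got {sorted(auth.successes)}")
    return f"ST-for-{auth.principal}"


def run(handlers, password, try_all=False, candidates=None, required=("rysy",)):
    """Returns (service ticket or None, sorted names of successful handlers)."""
    auth = authenticate(handlers, "kowalski", password, try_all, candidates)
    try:
        return grant_service_ticket(auth, required), sorted(auth.successes)
    except UnsatisfiedAuthenticationPolicyException:
        return None, sorted(auth.successes)


# Constructed directories. kowalski exists in both with the same password
# (the poster's case); the *_DIFF pair gives him a different password per directory.
EVEREST = Handler("everest_365", {"kowalski": "s3cret"})
RYSY = Handler("rysy", {"kowalski": "s3cret"})
EVEREST_DIFF = Handler("everest_365", {"kowalski": "everest-pw"})
RYSY_DIFF = Handler("rysy", {"kowalski": "rysy-pw"})

if __name__ == "__main__":
    print(run([EVEREST, RYSY], "s3cret"))                              # log case: everest wins, ST refused
    print(run([EVEREST, RYSY], "s3cret", try_all=True))                # both succeed, ST granted
    print(run([EVEREST, RYSY], "s3cret", candidates={"rysy"}))         # resolver filtered, ST granted
    print(run([RYSY, EVEREST], "s3cret"))                              # rysy first, ST granted
    print(run([EVEREST_DIFF, RYSY_DIFF], "rysy-pw"))                   # everest rejects, rysy wins
    print(run([EVEREST_DIFF, RYSY_DIFF], "everest-pw", try_all=True))  # rysy never succeeds, ST refused
```

Running it reproduces the posted outcome first: with tryAll=false and everest_365 ahead of rysy, the transaction ends with everest_365 as the only successful handler and the ticket is refused. The remaining cases show the three things that change that result, namely tryAll=true, rysy being resolved first, or a resolver that only offers rysy, and the different-password case shows that whichever directory holds the presented password decides which handler succeeds, regardless of order.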


Ray Bon

Dec 9, 2021, 12:44:21 PM
to cas-...@apereo.org
Artur,

By default cas will try each of the authentication handlers until one succeeds, starting with the first one (0, 1, 2, ...).
I would expect that if you identify one by name, it should use that one.

Is the '3' a typo in your properties or do you have 4 authenticators?

cas.authn.ldap[1].name=rysy
...
cas.authn.ldap[3].name=ppm

Sorry I could not be more help.

Ray

On Thu, 2021-12-09 at 06:56 -0800, artur miś wrote:
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.

artur miś

Dec 10, 2021, 2:48:05 AM
to CAS Community, Ray Bon
Ray,
  Dear buddy, I would like to say thank you very much anyway.

For this topic I prepared only two handlers, to have as easy a case as possible to analyze.


cas.authn.ldap[0].name=rysy
cas.authn.ldap[1].name=everest_365



Normally in prod I have 3 handlers, and I really almost gave up on dedicated handlers per service. I will do auth without a dedicated service-handler, and later the programmers/admins of the web services must take care of any other policy after or during auth. I think there is something wrong in CAS, or I missed something in the working flow. On the other side, I'm not familiar enough with CAS to write a Groovy script to manage it, and the number of examples and use cases on websites is not enough.



-- 
AM