CAS 7 MFA broken since last build

[Frédéric Dussurget]

Hi,

latest build broke MFA (both gauth and web-authn). I have kept besides a cas.war from august 22nd which is working fine with the exact same build.gradle deps and /etc/cas/config/cas/yml config. One difference is that the new cas.war was compiled and run (external tomcat) with openjdk 21 vs the other one  was compiled and run with openjdk17

DB backend is Redis for everything.

Thanks if anyone could help ...

Regards,

Fred

Here are the deps I'm using :

build.gradle :

    // ### MFA ###

    //MFA TOTP

    implementation "org.apereo.cas:cas-server-support-gauth:${project.'cas.version'}"

    implementation "org.apereo.cas:cas-server-support-gauth-redis:${project.'cas.version'}"

    // MFA FIDO2 WEBAUTHN

    implementation "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"

    implementation "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"

    //MFA TRUSTED DEVICE

    implementation "org.apereo.cas:cas-server-support-trusted-mfa:${project.'cas.version'}"

    implementation "org.apereo.cas:cas-server-support-trusted-mfa-redis:

${project.'cas.version'}"

Here is the MFA block in my cas.yml :

    mfa:

      core:

        provider-selection-enabled: true

      gauth:

        core:

          issuer: CASIssuer

          label: Blah

          scratch-codes.encryption.key: blah-blah-blah

        name: OATH Authentification

        crypto:

          encryption:

            key: blah-blah-blah

          signing:

            key: blah-blah-blah

        redis:

          host: localhost

          port: 6379

          username: default

          password: blah-blah-blah

          sentinel:

            node[0]: blah-blah-blah:26379

            node[1]: blah-blah-blah:26379

            node[2]: blah-blah-blah:26379

            master: instancecas

      web-authn:

        core:

          relying-party-id: blah-blah-blah.fr

          relying-party-name: blah-blah-blah

          allowed-origins: blah-blah-blah

          trusted-device-enabled: false

          application-id: blah-blah-blah

        crypto:

          encryption:

            key: blah-blah-blah

          signing:

            key: blah-blah-blah

        redis:

          host: localhost

          port: 6379

          username: default

          password: blah-blah-blah

          sentinel:

            node[0]: blah-blah-blah:26379

            node[1]: blah-blah-blah:26379

            node[2]: blah-blah-blah:26379

            master: instancecas

      trusted:

        core:

          auto-assign-device-name: true

          device-registration-enabled: true

          authentication-context-attribute: isFromTrustedMultifactorAuthentication

        redis:

          host: localhost

          port: 6379

          username: default

          password: blah-blah-blah

          sentinel:

            node[0]: blah-blah-blah:26379

            node[1]: blah-blah-blah:26379

            node[2]: blah-blah-blah:26379

            master: instancecas

        crypto:

          enabled: true

          signing:

            key: blah-blah-blah

          encryption:

            key: blah-blah-blah

        device-fingerprint:

          cookie:

            crypto:

              enabled: true

              signing:

                key: blah-blah-blah

              encryption:

                key: blah-blah-blah

And the stacktrace :

2023-10-13 11:19:17,196 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing service in context scope: [https://blah-blah-blah:9447/protected]>

2023-10-13 11:19:17,196 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing registered service [https://blah-blah-blah] with id [48] in context scope>

2023-10-13 11:19:17,197 DEBUG [org.apereo.cas.web.flow.authentication.RegisteredServiceAuthenticationPolicySingleSignOnParticipationStrategy] - <Evaluating authentication policy [DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[], excludedAuthenticationHandlers=[], criteria=null)] for [Service Test Bootiful]>

2023-10-13 11:19:17,197 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Resolved single event [success] via [org.apereo.cas.web.flow.resolver.impl.RankedMultifactorAuthenticationProviderWebflowEventResolver] for this context>

2023-10-13 11:19:27,246 DEBUG [org.apereo.cas.web.flow.CasFlowHandlerMapping] - <Mapped to [FlowHandlerMapping.DefaultFlowHandler@4fcf6be1]>

2023-10-13 11:19:27,250 DEBUG [org.apereo.cas.web.flow.CasFlowHandlerMapping] - <Mapped to [FlowHandlerMapping.DefaultFlowHandler@dacb3f2]>

2023-10-13 11:19:27,260 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] - <Request is not eligible to be issued service tickets just yet>

2023-10-13 11:19:27,276 WARN [org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher] - <No person records were fetched from attribute repositories for [{principal=frederic.dussurget, blah blah, username=frederic.dussurget, service=https://blah-blah-blah:9447/protected}]>

2023-10-13 11:19:27,280 WARN [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <Name is null>

java.lang.NullPointerException: Name is null

        at java.lang.Enum.valueOf(Enum.java:291) ~[?:?]

        at org.apereo.services.persondir.util.CaseCanonicalizationMode.valueOf(CaseCanonicalizationMode.java:26) ~[person-directory-impl-3.0.1.jar:?]

        at org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy.returnFinalAttributesCollection(AbstractRegisteredServiceAttributeReleasePolicy.java:250) ~[cas-server-core-authentication-attributes-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]

        at org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy.getAttributes(AbstractRegisteredServiceAttributeReleasePolicy.java:134) ~[cas-server-core-authentication-attributes-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]

        at org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver.determineRegisteredServiceForEvent(DefaultCasDelegatingWebflowEventResolver.java:180) ~[cas-server-core-webflow-api-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]

        at org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver.resolveInternal(DefaultCasDelegatingWebflowEventResolver.java:82) ~[cas-server-core-webflow-api-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]

        at org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver.resolve(AbstractCasWebflowEventResolver.java:48) ~[cas-server-core-webflow-api-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]

        at org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver.resolveSingle(AbstractCasWebflowEventResolver.java:53) ~[cas-server-core-webflow-api-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]

        at org.apereo.cas.web.flow.actions.AbstractAuthenticationAction.lambda$doExecuteInternal$0(AbstractAuthenticationAction.java:63) ~[cas-server-core-webflow-api-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]

        at org.jooq.lambda.Unchecked.lambda$supplier$38(Unchecked.java:1695) ~[jool-0.9.15.jar:?]

        at org.apereo.cas.util.function.FunctionUtils.doUnchecked(FunctionUtils.java:449) ~[cas-server-core-util-api-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]

        at org.apereo.cas.web.flow.actions.AbstractAuthenticationAction.doExecuteInternal(AbstractAuthenticationAction.java:41) ~[cas-server-core-webflow-api-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]

        at org.apereo.cas.web.flow.actions.BaseCasWebflowAction.doExecute(BaseCasWebflowAction.java:38) ~[cas-server-core-webflow-api-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]

        at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-3.0.0.jar:3.0.0]

        at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ~[spring-webflow-3.0.0.jar:3.0.0]

        at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) ~[spring-webflow-3.0.0.jar:3.0.0]

        at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-3.0.0.jar:3.0.0]

        at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ~[spring-webflow-3.0.0.jar:3.0.0]

        at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101) ~[spring-webflow-3.0.0.jar:3.0.0]

        at org.springframework.webflow.engine.State.enter(State.java:194) ~[spring-webflow-3.0.0.jar:3.0.0]

        at org.springframework.webflow.engine.Transition.execute(Transition.java:228) ~[spring-webflow-3.0.0.jar:3.0.0]

        at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395) ~[spring-webflow-3.0.0.jar:3.0.0]

        at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214) ~[spring-webflow-3.0.0.jar:3.0.0]

        at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116) ~[spring-webflow-3.0.0.jar:3.0.0]

        at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547) ~[spring-webflow-3.0.0.jar:3.0.0]

        at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390) ~[spring-webflow-3.0.0.jar:3.0.0]

        at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210) ~[spring-webflow-3.0.0.jar:3.0.0]

        at org.springframework.webflow.engine.ViewState.handleEvent(ViewState.java:231) ~[spring-webflow-3.0.0.jar:3.0.0]

        at org.springframework.webflow.engine.ViewState.resume(ViewState.java:195) ~[spring-webflow-3.0.0.jar:3.0.0]

        at org.springframework.webflow.engine.Flow.resume(Flow.java:537) ~[spring-webflow-3.0.0.jar:3.0.0]

        at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:259) ~[spring-webflow-3.0.0.jar:3.0.0]

        at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:168) ~[spring-webflow-3.0.0.jar:3.0.0]

        at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:254) ~[spring-webflow-3.0.0.jar:3.0.0]

        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1086) ~[spring-webmvc-6.1.0-M5.jar:6.1.0-M5]

        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:979) ~[spring-webmvc-6.1.0-M5.jar:6.1.0-M5]

        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1011) ~[spring-webmvc-6.1.0-M5.jar:6.1.0-M5]

        at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:914) ~[spring-webmvc-6.1.0-M5.jar:6.1.0-M5]

        at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:590) ~[servlet-api.jar:6.0]

        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:885) ~[spring-webmvc-6.1.0-M5.jar:6.1.0-M5]

        at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658) ~[servlet-api.jar:6.0]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:205) ~[catalina.jar:10.1.9]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.9]

        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) ~[tomcat-websocket.jar:10.1.9]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.9]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.9]

        at org.springframework.web.servlet.resource.ResourceUrlEncodingFilter.doFilter(ResourceUrlEncodingFilter.java:66) ~[spring-webmvc-6.1.0-M5.jar:6.1.0-M5]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.9]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.9]

        at org.apereo.cas.web.support.filters.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:391) ~[cas-server-core-web-api-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.9]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.9]

        at org.apereo.cas.web.support.filters.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:177) ~[cas-server-core-web-api-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.9]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.9]

        at org.apereo.cas.web.support.filters.AddResponseHeadersFilter.doFilter(AddResponseHeadersFilter.java:62) ~[cas-server-core-web-api-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.9]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.9]

        at org.springframework.boot.actuate.web.exchanges.servlet.HttpExchangesFilter.doFilterInternal(HttpExchangesFilter.java:89) ~[spring-boot-actuator-3.2.0-M3.jar:3.2.0-M3]

        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.0-M5.jar:6.1.0-M5]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.9]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.9]

        at org.springframework.security.web.FilterChainProxy.lambda$doFilterInternal$3(FilterChainProxy.java:231) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$FilterObservation$SimpleFilterObservation.lambda$wrap$1(ObservationFilterChainDecorator.java:479) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$AroundFilterObservation$SimpleAroundFilterObservation.lambda$wrap$1(ObservationFilterChainDecorator.java:340) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator.lambda$wrapSecured$0(ObservationFilterChainDecorator.java:82) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:128) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:100) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:168) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.0-M5.jar:6.1.0-M5]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.0-M5.jar:6.1.0-M5]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:91) ~[spring-web-6.1.0-M5.jar:6.1.0-M5]

        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.0-M5.jar:6.1.0-M5]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:75) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.0-M5.jar:6.1.0-M5]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:133) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.0-M5.jar:6.1.0-M5]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$AroundFilterObservation$SimpleAroundFilterObservation.lambda$wrap$0(ObservationFilterChainDecorator.java:323) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:224) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352) ~[spring-web-6.1.0-M5.jar:6.1.0-M5]

        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268) ~[spring-web-6.1.0-M5.jar:6.1.0-M5]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.9]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.9]

        at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-6.1.0-M5.jar:6.1.0-M5]

        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.0-M5.jar:6.1.0-M5]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.9]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.9]

        at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-6.1.0-M5.jar:6.1.0-M5]

        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.0-M5.jar:6.1.0-M5]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.9]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.9]

        at org.springframework.web.filter.ServerHttpObservationFilter.doFilterInternal(ServerHttpObservationFilter.java:109) ~[spring-web-6.1.0-M5.jar:6.1.0-M5]

        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.0-M5.jar:6.1.0-M5]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.9]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.9]

        at org.apereo.cas.logging.web.ThreadContextMDCServletFilter.doFilter(ThreadContextMDCServletFilter.java:95) ~[cas-server-core-logging-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.9]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.9]

        at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:124) ~[spring-boot-3.2.0-M3.jar:3.2.0-M3]

        at org.springframework.boot.web.servlet.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:99) ~[spring-boot-3.2.0-M3.jar:3.2.0-M3]

        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.0-M5.jar:6.1.0-M5]

        at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:117) ~[spring-boot-3.2.0-M3.jar:3.2.0-M3]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.9]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.9]

        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-6.1.0-M5.jar:6.1.0-M5]

        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.0-M5.jar:6.1.0-M5]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.9]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.9]

        at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69) ~[spring-security-web-6.2.0-M3.jar:6.2.0-M3]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.9]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.9]

        at org.apereo.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:55) ~[cas-server-core-audit-api-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.9]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.9]

        at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71) ~[log4j-jakarta-web-2.20.0.jar:2.20.0]

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.9]

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.9]

        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:166) ~[catalina.jar:10.1.9]

        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[catalina.jar:10.1.9]

        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482) ~[catalina.jar:10.1.9]

        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115) ~[catalina.jar:10.1.9]

        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[catalina.jar:10.1.9]

        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:676) ~[catalina.jar:10.1.9]

        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[catalina.jar:10.1.9]

        at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:738) ~[catalina.jar:10.1.9]

        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:341) ~[catalina.jar:10.1.9]

        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:391) ~[tomcat-coyote.jar:10.1.9]

        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-coyote.jar:10.1.9]

        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:894) ~[tomcat-coyote.jar:10.1.9]

        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1741) ~[tomcat-coyote.jar:10.1.9]

        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-coyote.jar:10.1.9]

        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-util.jar:10.1.9]

        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-util.jar:10.1.9]

        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:10.1.9]

        at java.lang.Thread.run(Thread.java:1583) [?:?]

2023-10-13 11:19:27,280 DEBUG [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <Authentication request failed with [401], resulting in event [error]>

2023-10-13 11:19:27,280 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Resolved single event [error] via [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] for this context>

[Ray Bon]

Frédéric,

Are there any error messages in the logs?

Ray

On Fri, 2023-10-13 at 06:26 -0700, Frédéric Dussurget wrote:

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

2023-10-13 11:19:17,197 DEBUG [org.apereo.cas.web.flow.authentication.RegisteredServiceAuthenticationPolicySingleSignOnParticipationStrategy] - <Evaluating authentication policy [DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[],excludedAuthenticationHandlers=[],criteria=null)] for [Service Test Bootiful]>

2023-10-13 11:19:17,197 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Resolved single event [success] via [org.apereo.cas.web.flow.resolver.impl.RankedMultifactorAuthenticationProviderWebflowEventResolver] for this context>

2023-10-13 11:19:27,246 DEBUG [org.apereo.cas.web.flow.CasFlowHandlerMapping] - <Mapped to [FlowHandlerMapping.DefaultFlowHandler@4fcf6be1]>

2023-10-13 11:19:27,250 DEBUG [org.apereo.cas.web.flow.CasFlowHandlerMapping] - <Mapped to [FlowHandlerMapping.DefaultFlowHandler@dacb3f2]>

2023-10-13 11:19:27,260 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] - <Request is not eligible to be issued service tickets just yet>

2023-10-13 11:19:27,276 WARN [org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher] - <No person records were fetched from attribute repositories for [{principal=frederic.dussurget, blah blah, username=frederic.dussurget,service=https://blah-blah-blah:9447/protected}]>

[Frédéric Dussurget]

Hi Ray,

thank you very much for your help. There are no ERROR message except this DEBUG error 401 message at the very end :

2023-10-17 12:28:46,419 DEBUG [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <Authentication request failed with [401], resulting in event [error]>
2023-10-17 12:28:46,419 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Resolved single event [error] via [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] for this context>

For more information, you'll find below  the service I used (but it is exactly the same as the one I used in august 2nd) ...

Best regards,

    {

      "@class": "org.apereo.cas.services.CasRegisteredService",

      "serviceId": "https://(testserver([123])|cas-pp)(.subdomain|).myuniversity.fr:944([678]).*",

      "name": "Service Test Bootiful",

      "id": 48,

      "description": "Service de test Bootiful port 9446/7/8 MFA gauth/webauthn",

      "evaluationOrder": 48,

      "attributeReleasePolicy": {

        "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",

        "canonicalizationMode": null,

        "allowedAttributes": [

          "java.util.ArrayList",

          [

            "displayname mail blah givenname"

          ]

        ]

      },

      "logo": "https://cas.myuniversity.fr/logo.svg",

      "accessStrategy": {

        "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",

        "requireAllAttributes": false,

        "requiredAttributes": {

          "@class": "java.util.LinkedHashMap",

          "memberOf": [

            "java.util.HashSet",

            [

              "OU=blahblah",

              "OU=blahblah",

              "DC=blahblah",

              "DC=myuniversity",

              "CN=casmanagers",

              "DC=fr"

            ]

          ]

        }

      },

[Frédéric Dussurget]

Hi
For further investigations, I flushed the redis db (just kept my 3 services)
For both MFA provider (gauth and web-authn) I'm being asked to register my devices. (It wasn't the cas before flushing the db, after login/pwd authentication I falled back immediatly on the same login form.)
So I guess, the devices I registered on the end of august are stored in a format that is just no more compatible with the newer builds ?

(Note that the mfa slector menu is back from this morning cas-overlay-template build)

But, that still does'nt work, I have the failure popup : "Unable to accept this token. The given token is invalid, does not belong to the device or has expired."

Here are errors in the browsers (tested in FF and Chrome) consoles :

About gauth attempt :

jquery.min.js:2
       
       
       POST https://casblah-myuniversity.fr/cas/mfa-gauth 401 (Unauthorized)
send @ jquery.min.js:2
ajax @ jquery.min.js:2
ce.<computed> @ jquery.min.js:2
(anonymous) @ login?service=https%3A%2F%2Fblah.blah.blah%3A9447%2Fprotected:351

maybe here -> [...]try{r.send(i.hasContent&&i.data||null)}catch(e){if(o)throw [...]


About web-authn attempt :

login:6
       
       
       GET https:// asblah-myuniversity.fr/cas/webjars/text-encoding/0.7.0/lib/encoding-indexes.js net::ERR_ABORTED 403 (Forbidden)
login:14
       
       
       GET https:// asblah-myuniversity.fr /cas/js/webauthn/webauthn.js net::ERR_ABORTED 403 (Forbidden)
login:8
       
       
       GET https:// asblah-myuniversity.fr /cas/webjars/base64-js/1.5.1/base64js.min.js net::ERR_ABORTED 403 (Forbidden)
login:7
       
       
       GET https:// asblah-myuniversity.fr/cas/webjars/whatwg-fetch/3.6.2/dist/fetch.umd.js net::ERR_ABORTED 403 (Forbidden)
login:5
       
       
       GET https:// asblah-myuniversity.fr/cas/webjars/text-encoding/0.7.0/lib/encoding.js net::ERR_ABORTED 403 (Forbidden)


login:389 Uncaught ReferenceError: register is not defined
    at HTMLButtonElement.<anonymous> (login:389:17)



That may has something to deal with spring security but, I did not change anything since august. Here are my ACLs :


  monitor:
    endpoints:
      endpoint:
        defaults:
          access: AUTHENTICATED
        health:
          access: IP_ADDRESS
          requiredIpAddresses: blah blah blah
        registeredServices:
          access: IP_ADDRESS
          requiredIpAddresses: blah blah blah
        importRegisteredServices:
          access: IP_ADDRESS
          requiredIpAddresses: blah blah blah
        multiFactorTrustedDevices:
          access: IP_ADDRESS
          requiredIpAddresses:  blah blah blah

management:
  endpoints:
    web:
      exposure:
        include: '*'
    enabled-by-default: true

[Frédéric Dussurget]

Hi all,

update : webauthn mfa now works (today's cas-overlay-template build) ... which is great.

But I still have an issue with mfa-gauth when I try to register my device (when submitting the OTP from gauth compliant app) :

jquery.min.js:2
POST https://cas-pp.universite-lyon.fr/cas/mfa-gauth 401 (Unauthorized)

send @ jquery.min.js:2
ajax @ jquery.min.js:2
ce.<computed> @ jquery.min.js:2

(anonymous) @ login:261

[Javi Finarfin]

For the record, it looks like it needs a service parameter, but I´m yet receiving a 403

[Javi Finarfin]

> For the record, it looks like it needs a service parameter, but I´m yet receiving a 403

This yet I don't know if it's necessary

Because it was a security problem, while debugging I added the endpoint manually here: org.apereo.cas.web.security.CasWebSecurityConfigurerAdapter.configureHttpSecurity(HttpSecurity) 

With that, there was no 403, but I get a 500 instead: 

> 2023-11-02 15:44:19,366 TRACE [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]>

2023-11-02 15:44:19,366 ERROR [org.apereo.cas.web.support.filters.AbstractSecurityFilter] - <No adapter for handler [[FlowHandlerMapping.DefaultFlowHandler@25be570b]]: The DispatcherServlet configuration needs to include a HandlerAdapter that supports this handler>
jakarta.servlet.ServletException: No adapter for handler [[FlowHandlerMapping.DefaultFlowHandler@25be570b]]: The DispatcherServlet configuration needs to include a HandlerAdapter that supports this handler
at org.springframework.web.servlet.DispatcherServlet.getHandlerAdapter(DispatcherServlet.java:1321) ~[spring-webmvc-6.1.0-M5.jar:6.1.0-M5]
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1069) ~[spring-webmvc-6.1.0-M5.jar:6.1.0-M5]

[Frédéric Dussurget]

Hi Javi,

how do you "add" this endpoint ? through your service ? or do you mean in the  cas.monitor.endpoints.endpoint section of your cas properties ?

Thanks a lot ...

Fred

[Javi Finarfin]

Live debugging... 

[Javi Finarfin]

I guess you can always overwrite org.apereo.cas.web.security.CasWebSecurityConfigurerAdapter.configureHttpSecurity(HttpSecurity)

[Frédéric Dussurget]

Hi Javi,

I also tried to add manually the endpoint in https://github.com/apereo/cas/blob/master/support/cas-server-support-webconfig/src/main/java/org/apereo/cas/web/security/CasWebSecurityConfigurerAdapter.java

... and I also get the same 500 error as you had.

Have you managed to go a little bit further ?

Regards

[Javi Finarfin]

Im afraid we hadn't make progress

[Javi Finarfin]

Did you get a different result with https://github.com/apereo/cas/releases/tag/v7.0.0-RC9 ?

[Frédéric Dussurget]

Nope, I still have the same 401 on /cas/mfa-gauth ...

same effect with gradle.properties setting 7.0.0-SNAPSHOT or 7.0.0-RC9

Are you still stuck too ?

regards,

[Javi Finarfin]

I'm afraid so we have moved past this feature for now