Hi,
When testing the function to surrogate to users that are not authorized, CAS gets the error below. The normal surrogate function works.
CAS is unable to process this request: "500:Internal Server Error"
It fails to display the error message which is set up in the message.properties:
authenticationFailure.SurrogateAuthenticationException=You are not authorized to impersonate the indicated user at this time.
Stack trace is:
2020-07-17 20:52:11,523 ERROR [org.springframework.boot.web.servlet.support.ErrorPageFilter] - <Forwarding to error page from request [/login] due to exception [Exception thrown executing org.apereo.cas.web.flow.action.LoadSurrogatesListAction@18ebab7c in state 'loadSurrogatesAction' of flow 'login' -- action execution attributes were 'map[[empty]]']>
org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.action.LoadSurrogatesListAction@18ebab7c in state 'loadSurrogatesAction' of flow 'login' -- action execution attributes were 'map[[empty]]'
at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:62) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
....
Caused by: org.apereo.cas.authentication.SurrogateAuthenticationException: Unable to authorize surrogate authentication request for XXXX
at org.apereo.cas.authentication.SurrogatePrincipalBuilder.buildSurrogateAuthenticationResult(SurrogatePrincipalBuilder.java:90) ~[cas-server-support-surrogate-authentication-6.2.0.jar:6.2.0]
at org.apereo.cas.web.flow.action.LoadSurrogatesListAction.doExecute(LoadSurrogatesListAction.java:50) ~[cas-server-support-surrogate-webflow-6.2.0.jar:6.2.0]
When I checked the CAS code more closely, it threw SurrogateAuthenticationException correctly, but the exception was not handled properly.
And the audit log displayed AUTHENTICATION_SUCCESS, but the login actually failed.
2020-07-17 20:52:10,583 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: (Primary User: [XXXX], Surrogate User: [XXXX])
WHAT: Supplied credentials: [SurrogateUsernamePasswordCredential(super=RememberMeUsernamePasswordCredential(super=UsernamePasswordCredential(username=XXXX , source=null, customFields={}), rememberMe=false), surrogateUsername=XXXX)]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Fri Jul 17 20:52:10 AEST 2020
CLIENT IP ADDRESS: XXXX
SERVER IP ADDRESS: XXXX
=============================================================
I appreciate your help.
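The mismatch described in the post, an AUTHENTICATION_SUCCESS audit record for a surrogate login whose request then ended in a 500 with a SurrogateAuthenticationException, is exactly the kind of thing a log pipeline should flag rather than trust. The following is an added example, not code from the post or from the CAS project: it parses inspektr-style audit records and CAS server-log lines and reports surrogate "successes" that are followed within a short window by a surrogate authorization failure. The log text, user names (alice, bob, carol) and IP addresses are constructed from the formats shown in the post; the 5-second window is an assumption, and because the post redacts which user the exception names, the matcher accepts either the primary or the surrogate user.

```python
"""Correlate CAS audit-trail records with server-log surrogate failures.

Added example (not CAS project code). Sample logs below are constructed
from the formats in the post; names, IPs and the time window are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample audit trail: one surrogate login, one plain login.
AUDIT_LOG = """\
2020-07-17 20:52:10,583 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: (Primary User: [alice], Surrogate User: [bob])
WHAT: Supplied credentials: [SurrogateUsernamePasswordCredential(super=RememberMeUsernamePasswordCredential(super=UsernamePasswordCredential(username=alice , source=null, customFields={}), rememberMe=false), surrogateUsername=bob)]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Fri Jul 17 20:52:10 AEST 2020
CLIENT IP ADDRESS: 203.0.113.10
SERVER IP ADDRESS: 198.51.100.5
=============================================================
2020-07-17 20:53:00,100 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: carol
WHAT: Supplied credentials: [UsernamePasswordCredential(username=carol , source=null, customFields={})]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Fri Jul 17 20:53:00 AEST 2020
CLIENT IP ADDRESS: 203.0.113.11
SERVER IP ADDRESS: 198.51.100.5
=============================================================
"""

# Constructed sample server log: the ErrorPageFilter line carries the
# timestamp; the root cause follows as a "Caused by" line.
SERVER_LOG = """\
2020-07-17 20:52:11,523 ERROR [org.springframework.boot.web.servlet.support.ErrorPageFilter] - <Forwarding to error page from request [/login] due to exception [Exception thrown executing org.apereo.cas.web.flow.action.LoadSurrogatesListAction@18ebab7c in state 'loadSurrogatesAction' of flow 'login' -- action execution attributes were 'map[[empty]]']>
Caused by: org.apereo.cas.authentication.SurrogateAuthenticationException: Unable to authorize surrogate authentication request for bob
"""

LOG_TS = "%Y-%m-%d %H:%M:%S,%f"  # %f accepts the 3-digit millisecond field
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})")
SURROGATE_WHO_RE = re.compile(r"Primary User: \[([^\]]*)\], Surrogate User: \[([^\]]*)\]")
EXC_RE = re.compile(r"SurrogateAuthenticationException: Unable to authorize "
                    r"surrogate authentication request for (\S+)")


@dataclass
class AuditRecord:
    timestamp: datetime
    action: str
    primary: str
    surrogate: Optional[str]   # None for a non-surrogate login
    client_ip: str


@dataclass
class SurrogateFailure:
    timestamp: datetime
    user: str   # the name CAS put in the exception message


def parse_audit_records(text: str) -> List[AuditRecord]:
    """Parse 'KEY: value' blocks delimited by the '=====' separator lines."""
    records: List[AuditRecord] = []
    fields: Dict[str, str] = {}
    ts: Optional[datetime] = None
    for line in text.splitlines():
        if "Audit trail record BEGIN" in line:
            m = TS_RE.match(line)
            ts = datetime.strptime(m.group(1), LOG_TS) if m else None
            fields = {}
        elif line.startswith("="):
            # The second separator closes the record; the first follows BEGIN.
            if ts is not None and fields.get("ACTION"):
                who = fields.get("WHO", "")
                m = SURROGATE_WHO_RE.search(who)
                primary, surrogate = (m.group(1), m.group(2)) if m else (who, None)
                records.append(AuditRecord(ts, fields["ACTION"], primary, surrogate,
                                           fields.get("CLIENT IP ADDRESS", "")))
                fields = {}
        else:
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                fields[key.strip()] = value.strip()
    return records


def parse_surrogate_failures(text: str) -> List[SurrogateFailure]:
    """Pair each ErrorPageFilter line with the SurrogateAuthenticationException that follows it."""
    failures: List[SurrogateFailure] = []
    pending_ts: Optional[datetime] = None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m and "ErrorPageFilter" in line:
            pending_ts = datetime.strptime(m.group(1), LOG_TS)
            continue
        e = EXC_RE.search(line)
        if e and pending_ts is not None:
            failures.append(SurrogateFailure(pending_ts, e.group(1)))
            pending_ts = None
    return failures


def find_misleading_successes(audit: List[AuditRecord], failures: List[SurrogateFailure],
                              window: timedelta = timedelta(seconds=5)
                              ) -> List[Tuple[AuditRecord, SurrogateFailure]]:
    """Surrogate AUTHENTICATION_SUCCESS records followed within `window` by a
    surrogate authorization failure naming the primary or surrogate user."""
    flagged = []
    for rec in audit:
        if rec.surrogate is None or rec.action != "AUTHENTICATION_SUCCESS":
            continue
        for f in failures:
            delta = f.timestamp - rec.timestamp
            if timedelta(0) <= delta <= window and f.user in (rec.primary, rec.surrogate):
                flagged.append((rec, f))
    return flagged


if __name__ == "__main__":
    hits = find_misleading_successes(parse_audit_records(AUDIT_LOG),
                                     parse_surrogate_failures(SERVER_LOG))
    for rec, f in hits:
        print(f"{rec.timestamp} audit says SUCCESS for {rec.primary} as {rec.surrogate} "
              f"from {rec.client_ip}, but CAS rejected the surrogate request at {f.timestamp}")
```

The audit record alone would count this as a successful impersonation, so any alerting or reporting built on the inspektr trail (for example, "who impersonated whom today") overstates what actually happened until the audit action for the failed surrogate path is corrected; correlating with the server log is the stopgap.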