Hello,
after configuring delegated authentication in CAS 7.0.6, we are getting the incorrect error page "Delegated Authentication Failure" instead of "Application Not Authorized to Use CAS" when supplying a wrong "service" to the CAS login page.
As this service check and error handling happen in the CAS servlet filter, even the Groovy script set in "cas.authn.pac4j.core.groovy-redirection-strategy.location" isn't called (it would say "no" to delegated authentication in this case anyway). Yet, we can also see this misleading line in the CAS log:
2025-10-15 18:22:09,372 DEBUG ... [org.apereo.cas.web.flow.error.DefaultDelegatedClientAuthenticationFailureEvaluator] Delegation request has failed. Details are [{code=500}]
It seems like the problem is caused by delegatedAuthenticationErrorViewResolver being always executed before defaultMappedExceptionErrorViewResolver, while both are mapped to the UnauthorizedServiceException thrown from the filter. Moreover, the DefaultDelegatedClientAuthenticationFailureEvaluator is being called unconditionally, even if the error view gets found based on the aforementioned exception => therefore the log line appears above.
Is it possible that this is fixed in a newer CAS version? From a quick peek into the master branch code, the core logic of the resolvers still looks the same...
Best regards
Petr