Disable HttpBasedServiceCredentialsAuthenticationHandler? CAS 5.2.3


Mr Rao

Jan 7, 2019, 8:06:30 PM1/7/19
to CAS Community
Hi,

When I debug PolicyBasedAuthenticationManager.authenticateInternal I noticed three authentication handlers:
1) My Custom AuthenticationHandler
2) ClientAuthenticationHandler
3) HttpBasedServiceCredentialsAuthenticationHandler

I'm only using my custom handler and ClientAuthenticationHandler. I do not see #3. How do I turn off HttpBasedServiceCredentialsAuthenticationHandler completely? I'm worried that hackers can send HttpClientCredential to get access to the system.


Also, I noticed that PolicyBasedAuthenticationManager logs at log.error when we enter a bad password, which I also want to suppress.

Thanks
Rao

Ray Bon

Jan 8, 2019, 11:53:47 AM1/8/19
to cas-...@apereo.org
Rao,

For the last item, you can filter log messages, e.g.:
        <!-- DEBUG Created seed map='{username=[loginname]}' for uid='loginname' -->
        <AsyncLogger name="org.apereo.services.persondir.support.CachingPersonAttributeDaoImpl" level="warn" includeLocation="true">
            <RegexFilter regex="Created seed map=.*" onMismatch="DENY" />
        </AsyncLogger>


Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Mr Rao

Jan 8, 2019, 12:17:56 PM1/8/19
to CAS Community
Thanks, Ray. If I set the log level to warn I will lose the errors. Basically I was referring to the code below, which doesn't need to be log.error.

protected AuthenticationBuilder authenticateInternal(final AuthenticationTransaction transaction) throws AuthenticationException {
    final Collection<Credential> credentials = transaction.getCredentials();
    final AuthenticationBuilder builder = new DefaultAuthenticationBuilder(NullPrincipal.getInstance());
    credentials.stream().forEach(cred -> builder.addCredential(new BasicCredentialMetaData(cred)));

    // Handlers resolved for this transaction (the three listed in the first message above).
    final Set<AuthenticationHandler> handlerSet = getAuthenticationHandlersForThisTransaction(transaction);
    Assert.notNull(handlerSet, "Resolved authentication handlers for this transaction cannot be null");
    if (handlerSet.isEmpty()) {
        LOGGER.warn("Resolved authentication handlers for this transaction are empty");
    }

    // A credential succeeds if any handler whose supports() accepts it authenticates it
    // and the authentication policies then evaluate to true.
    final boolean success = credentials
        .stream()
        .anyMatch(credential -> {
            final boolean isSatisfied = handlerSet
                .stream()
                .filter(handler -> handler.supports(credential))
                .anyMatch(handler -> {
                    try {
                        final PrincipalResolver resolver = getPrincipalResolverLinkedToHandlerIfAny(handler, transaction);
                        authenticateAndResolvePrincipal(builder, credential, resolver, handler);
                        final Pair<Boolean, Set<Throwable>> failures = evaluateAuthenticationPolicies(builder.build());
                        return failures.getKey();
                    } catch (final Exception e) {
                        handleAuthenticationException(e, handler.getName(), builder);
                    }
                    return false;
                });

            // This is the ERROR-level line emitted for a bad password.
            if (!isSatisfied) {
                LOGGER.error("Authentication has failed. Credentials may be incorrect or CAS cannot "
                    + "find authentication handler that supports [{}] of type [{}]. Examine the configuration to "
                    + "ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace "
                    + "the authentication event.", credential, credential.getClass().getSimpleName());
            }
            return isSatisfied;
        });

    if (!success) {
        evaluateFinalAuthentication(builder, transaction);
    }

    return builder;
}


Does anyone have ideas about #1 above? When I looked at the code in CasCoreAuthenticationHandlersConfiguration, I see that HttpBasedServiceCredentialsAuthenticationHandler is only created here, and it's not a conditional bean that I could override either:


@Bean
public AuthenticationHandler proxyAuthenticationHandler() {
    // Registered unconditionally; the handler is given the lowest possible order.
    return new HttpBasedServiceCredentialsAuthenticationHandler(null, servicesManager,
        proxyPrincipalFactory(), Integer.MIN_VALUE,
        supportsTrustStoreSslSocketFactoryHttpClient);
}

Thanks
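Ray's filtering approach applied to the exact message Rao quotes, as an added log4j2 example that is not part of the thread or of the CAS project's shipped configuration. It assumes the logger name is org.apereo.cas.authentication.PolicyBasedAuthenticationManager (the package is an assumption; only the class name appears above) and that the overlay's log4j2.xml declares loggers with AsyncLogger as in Ray's snippet. The level stays at error, so other ERROR messages from the same class are kept; only events whose formatted message matches the regex are dropped:

```xml
<!-- Added example: drop only the "Authentication has failed." ERROR line from
     PolicyBasedAuthenticationManager without lowering the logger level.
     Logger name below assumes the class lives in org.apereo.cas.authentication. -->
<AsyncLogger name="org.apereo.cas.authentication.PolicyBasedAuthenticationManager"
             level="error" includeLocation="true">
    <!-- RegexFilter uses Matcher.matches() on the whole formatted message,
         so the pattern needs the trailing .* ; (?s) lets it span a credential
         toString() that contains line breaks. -->
    <RegexFilter regex="(?s)Authentication has failed\..*"
                 useRawMsg="false"
                 onMatch="DENY"
                 onMismatch="NEUTRAL"/>
</AsyncLogger>
```

Note the orientation of onMatch/onMismatch: DENY on match discards the matching event, NEUTRAL on mismatch lets every other event continue to the normal level check and appenders. Before suppressing this line in production, make sure failed logins are still recorded somewhere your monitoring reads, since this message is often the only per-attempt signal used to spot password guessing against CAS.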

Mr Rao

Jan 9, 2019, 6:07:52 PM1/9/19
to CAS Community
Hi,
Does anyone have ideas on disabling HttpBasedServiceCredentialsAuthenticationHandler? Or is it safe to leave it?

Thanks,
Rao

Mr Rao

Jan 16, 2019, 8:18:54 PM1/16/19
to CAS Community
Hello,
Does anyone know if we need to disable HttpBasedServiceCredentialsAuthenticationHandler, or if it is safe to leave it?

Thanks
Rao
