CAS 6.3.2 services: user logged in to service1, why has he been authenticated to service 2 if I use excludedAuthenticationHandlers?


artur miś

Jul 21, 2021, 6:41:37 AM7/21/21
to CAS Community

Hello,

- 3 handlers
- 2 services

If I have in service AA

"authenticationPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    "requiredAuthenticationHandlers" : ["java.util.TreeSet", ["a", "b"]],
    "excludedAuthenticationHandlers" : ["java.util.TreeSet", ["c"]]
}


and


service BB

"authenticationPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    "requiredAuthenticationHandlers" : ["java.util.TreeSet", ["a", "b", "c"]],
    "excludedAuthenticationHandlers" : ["java.util.TreeSet", []]
}



At the beginning I tried to authenticate to service AA (the user is a member of the group in the search filter of handler c). That WORKS: I can't authenticate, so "excludedAuthenticationHandlers" works perfectly. Later, I browsed to https://BB as the same user as before, from handler c. After logging in to service BB I tried to access http://AA/login and was surprised to receive access granted without writing the password again.
So "excludedAuthenticationHandlers" does not work in this case if the user was already authenticated before for service BB.
How can I block the possibility of authenticating the user to service AA if he was authenticated to BB, without switching off SSO, because I would like that sharing key to work if I have the user in handler b.


Sample handler a:
cas.authn.ldap[0].name=ktolet
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://fff:port
cas.authn.ldap[0].baseDn=dc=fc,dc=int
cas.authn.ldap[0].bindDn=ldap
cas.authn.ldap[0].bindCredential=vgvb
cas.authn.ldap[0].searchFilter=(&(memberOf=CN=gvSM. etc .)(sAMAccountName={user}))
cas.authn.ldap[0].principalAttributeId=sAMAccountName

Ray Bon

Jul 21, 2021, 12:44:29 PM7/21/21
to cas-...@apereo.org
Artur,

I think excludedAuthenticationHandlers is only for the authentication flow and not a policy for service access.


Ray

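To make the login-time versus access-time distinction in the reply concrete, here is an added Python model (not CAS code and not from either poster) that parses the two service policies from the question and compares what a login-time handler filter and a hypothetical access-time check of the existing SSO session would each yield. The semantics of required/excluded handlers and the use of the session's successful-handler names are assumptions of this model, not a description of CAS internals.

```python
import json

# Constructed from the thread's two service definitions (handler names a, b, c are the poster's).
SERVICE_AA = """{"authenticationPolicy": {
  "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
  "requiredAuthenticationHandlers": ["java.util.TreeSet", ["a", "b"]],
  "excludedAuthenticationHandlers": ["java.util.TreeSet", ["c"]]}}"""
SERVICE_BB = """{"authenticationPolicy": {
  "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
  "requiredAuthenticationHandlers": ["java.util.TreeSet", ["a", "b", "c"]],
  "excludedAuthenticationHandlers": ["java.util.TreeSet", []]}}"""


def typed_set(value):
    """Unwrap Jackson's default-typing form ["java.util.TreeSet", [...]] into a set."""
    if isinstance(value, list) and len(value) == 2 and isinstance(value[0], str) \
            and value[0].startswith("java.util."):
        return set(value[1])
    return set(value or [])


def load_policy(service_json):
    """Return the required/excluded handler names from a registered-service JSON body."""
    policy = json.loads(service_json).get("authenticationPolicy", {})
    return {"required": typed_set(policy.get("requiredAuthenticationHandlers")),
            "excluded": typed_set(policy.get("excludedAuthenticationHandlers"))}


def handlers_tried_at_login(policy, all_handlers):
    """Login-time view (assumption): handlers left once the service's policy is applied."""
    candidates = policy["required"] or set(all_handlers)
    return candidates - policy["excluded"]


def session_satisfies_policy(policy, successful_handlers):
    """Hypothetical access-time check (assumption, not CAS behaviour): would an SSO
    session built by `successful_handlers` pass the target service's policy?
    Fails if any excluded handler succeeded, or if required handlers are set and
    none of them succeeded."""
    succeeded = set(successful_handlers)
    if succeeded & policy["excluded"]:
        return False
    if policy["required"] and not (succeeded & policy["required"]):
        return False
    return True


if __name__ == "__main__":
    aa = load_policy(SERVICE_AA)
    print(sorted(handlers_tried_at_login(aa, ["a", "b", "c"])))  # ['a', 'b']: c never runs for AA
    print(session_satisfies_policy(aa, ["c"]))  # False: a session created by c reused at AA
```

The second call is the situation in the question: the session was created by handler c at BB, and only a check at service-access time would notice that AA excludes c.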