CAS 7.04 trying to login on cas-management


Tom Reijnders

May 9, 2024, 12:17:41 AM
to CAS Community
I've setup CAS 7.04 and I am trying to login to cas-management.

After login (password is correctly resolved, user is resolved, service is recognised) I am returning to the login screen.

The error is: 

 WARN [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <Cannot invoke "java.util.Set.isEmpty()" because the return value of "org.apereo.cas.services.RegisteredServiceMultifactorPolicy.getMultifactorAuthenticationProviders()" is null>

But why is getMultifactorAuthenticationProviders called at all? Is that a new default in 7.04?

What do you need to help me debug this?

Below is the cas.properties file:

cas.server.name=https://cas.xxxx.xx
cas.server.prefix=${cas.server.name}/cas

CasFeatureModule.AccountManagement.enabled=true

cas.locale.default-value=nl

server.port=8081
server.ssl.enabled=false
cas.server.tomcat.http-proxy.enabled=true
cas.server.tomcat.http-proxy.secure=true
cas.server.tomcat.http-proxy.scheme=https

logging.config=file:/etc/cas/config/log4j2.xml

# Spring security settings
spring.security.user.name=casuser
spring.security.user.password=xxxx

# Authentication
cas.authn.accept.users=
cas.authn.jdbc.query[0].driver-class=org.mariadb.jdbc.Driver
cas.authn.jdbc.query[0].url=jdbc:mariadb://localhost:3306/cas?UseSSL=false
cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MariaDBDialect
cas.authn.jdbc.query[0].user=cas
cas.authn.jdbc.query[0].password=xxxx
cas.authn.jdbc.query[0].sql=SELECT * FROM users WHERE login = ?
cas.authn.jdbc.query[0].password-encoder.type=SSHA
cas.authn.jdbc.query[0].password-encoder.character-encoding=UTF-8
cas.authn.jdbc.query[0].password-encoder.encoding-algorithm=SHA-256
cas.authn.jdbc.query[0].field-password=password
cas.authn.jdbc.query[0].field-expired=expired
cas.authn.jdbc.query[0].field-disabled=disabled
cas.authn.jdbc.query[0].principal-attribute-list=login,email,firstname,lastname,role
cas.authn.jdbc.query[1].driver-class=org.mariadb.jdbc.Driver
cas.authn.jdbc.query[1].url=jdbc:mariadb://localhost:3306/cas?UseSSL=false
cas.authn.jdbc.query[1].dialect=org.hibernate.dialect.MariaDBDialect
cas.authn.jdbc.query[1].user=cas
cas.authn.jdbc.query[1].password=xxxx
cas.authn.jdbc.query[1].sql=SELECT * FROM users WHERE email = ?
cas.authn.jdbc.query[1].password-encoder.type=SSHA
cas.authn.jdbc.query[1].password-encoder.character-encoding=UTF-8
cas.authn.jdbc.query[1].password-encoder.encoding-algorithm=SHA-256
cas.authn.jdbc.query[1].field-password=password
cas.authn.jdbc.query[1].field-expired=expired
cas.authn.jdbc.query[1].field-disabled=disabled
cas.authn.jdbc.query[1].principal-attribute-list=login,email,firstname,lastname,role
cas.jdbc.show-sql=true


# JSON configuration of services
cas.serviceRegistry.json.location: file:/etc/cas/services

# OAuth
cas.authn.oauth.crypto.encryption.key=xxxx
cas.authn.oauth.crypto.signing.key=xxxx
cas.authn.oauth.access-token.crypto.encryption.key=xxxx
cas.authn.oauth.access-token.crypto.signing.key=xxxx


# Tickets
cas.tgc.crypto.encryption.key=xxxx
cas.tgc.crypto.signing.key=xxxx

# Consent
cas.consent.core.crypto.encryption.key=xxxx
cas.consent.core.crypto.signing.key=xxxx


# Password Management
cas.webflow.crypto.signing.key=xxxx
cas.webflow.crypto.encryption.key=xxxx
cas.authn.pm.reset.crypto.encryption.key=xxxx
cas.authn.pm.reset.crypto.signing.key=xxxx
cas.authn.pm.forgot-username.enabled=false

# Enable PM module and Password History
cas.authn.pm.core.enabled=true
cas.authn.pm.history.core.enabled=true


# Enable Questions and Answers for PM
cas.authn.pm.reset.security-questions-enabled=false

# Password Management Database Connection Info
cas.authn.pm.jdbc.user=cas
cas.authn.pm.jdbc.password=xxxx
cas.authn.pm.jdbc.driver-class=org.mariadb.jdbc.Driver
cas.authn.pm.jdbc.dialect=org.hibernate.dialect.MariaDBDialect
cas.authn.pm.jdbc.url=jdbc:mariadb://localhost:3306/cas?UseSSL=false
cas.authn.pm.jdbc.password-encoder.type=SSHA

# Queries Needed to Support PM functionality
cas.authn.pm.jdbc.sql-get-security-questions=SELECT question, answer FROM questions WHERE login=?
cas.authn.pm.jdbc.sql-find-email=SELECT email FROM users WHERE login=?
# cas.authn.pm.jdbc.sql-find-phone=SELECT phone FROM users WHERE login=?
cas.authn.pm.jdbc.sql-find-user=SELECT login FROM users WHERE email=?
cas.authn.pm.jdbc.sql-change-password=UPDATE users SET password=?, expired=0 WHERE login=?

# Password Requirements Policy
# Minimum 8 and Maximum 10 characters at least 1 Uppercase Alphabet, 1 Lowercase Alphabet, 1 Number and 1 Special Character
cas.authn.pm.core.password-policy-pattern=^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[$@$!%*?&\\-+=_])[A-Za-z\\d$@$!%*?&\\-+=_]{8,10}

# SMTP Settings
spring.mail.host=localhost
spring.mail.port=25
spring.mail.username=
spring.mail.password=
spring.mail.properties.mail.smtp.auth=false

# Password Reset Email Info
cas.authn.pm.reset.mail.from=C...@xxxx.xx
cas.authn.pm.reset.mail.subject=Change password
cas.authn.pm.reset.mail.reply-to=C...@xxxx.xx
cas.authn.pm.reset.mail.html=true
cas.authn.pm.reset.mail.attribute-name=email
cas.authn.pm.reset.expiration=PT15M

The following dependencies are configured in the overlay:

    implementation "org.apereo.cas:cas-server-support-audit-jdbc"
    implementation "org.apereo.cas:cas-server-support-consent-webflow"
    implementation "org.apereo.cas:cas-server-support-consent-jdbc"
    implementation "org.apereo.cas:cas-server-support-jdbc"
    implementation "org.apereo.cas:cas-server-support-oidc"
    implementation "org.apereo.cas:cas-server-support-pm-webflow"
    implementation "org.apereo.cas:cas-server-support-pm-jdbc"
    implementation "org.apereo.cas:cas-server-support-saml-idp"
    implementation "org.apereo.cas:cas-server-support-json-service-registry"
    implementation "org.apereo.cas:cas-server-support-jdbc-drivers"


    testImplementation "org.springframework.boot:spring-boot-starter-test"


Any hint is appreciated.

Cheers,

Tom Reijnders

Ray Bon

May 9, 2024, 12:16:01 PM
to cas-...@apereo.org
Tom,

Does your service definition for cas-management include an MFA reference?

Ray

On Wed, 2024-05-08 at 13:10 -0700, Tom Reijnders wrote:

Tom Reijnders

May 9, 2024, 1:11:02 PM
to CAS Community
Hi Ray,

Hmmm, yes there are now. I also see that this file has been changed on May 1st, and the other services are still from 2022. I have been playing with 6.6.15 and managed to log in a few times with that version. But I have no idea how that section came in there. Also, I think it explains why the null is returned, and I believe the syntax is incorrect:

{
  @class: org.apereo.cas.services.CasRegisteredService
  serviceId: ^https://cas.dlearning.nl/cas-management.*
  name: CAS Management
  id: 1001
  description: Management of CAS enabled services
  expirationPolicy: null
  evaluationOrder: 5
  environments: null
  logoutUrl: https://cas.dlearning.nl/cas-management/logout
  accessStrategy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
    delegatedAuthenticationPolicy:
    {
      @class: org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy
      allowedProviders: null
    }
  }
  authenticationPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy
    criteria:
    {
      @class: org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria
    }
  }
  contacts:
  [
    java.util.ArrayList
    [
      {
        @class: org.apereo.cas.services.DefaultRegisteredServiceContact
        name: Tom Reijnders
        email: tom.re...@dlearning.nl
        phone: 0851308364
        department: IT
      }
    ]
  ]
  singleSignOnParticipationPolicy:
  {
    @class: org.apereo.cas.services.ChainingRegisteredServiceSingleSignOnParticipationPolicy
  }
  multifactorPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
    multifactorAuthenticationProviders: null
  }

}



If I leave out the bold section, something else is happening (which is good). It still does not work as expected (I get a too many redirections error). But at least I can experiment further.

Thanks Ray!

Cheers,

Tom
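The failure in this thread comes down to a service definition whose multifactorPolicy block carries a null multifactorAuthenticationProviders, which the webflow resolver dereferences. The script below is an added example (not CAS project code and not anything from this thread) that lints a JSON service-registry directory for exactly that shape and can strip the offending block; it assumes the standard quoted-key CAS JSON file layout, and the sample definition, the example.test hostname and the file name are constructed placeholders.

```python
"""Lint CAS JSON service-registry definitions for a multifactorPolicy whose
multifactorAuthenticationProviders is null, the shape that produced the
NullPointerException discussed in this thread.

Added example, not CAS project code. The directory layout (one *.json file
per service) and the sample definition below are constructed assumptions."""
import json
from pathlib import Path
from typing import Iterator

# Constructed sample definition in the standard CAS JSON layout
# (quoted keys, "@class" discriminator). Host and id are placeholders.
SAMPLE_BROKEN = {
    "@class": "org.apereo.cas.services.CasRegisteredService",
    "serviceId": "^https://cas.example.test/cas-management.*",
    "name": "CAS Management",
    "id": 1001,
    "multifactorPolicy": {
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
        "multifactorAuthenticationProviders": None,   # serialises as JSON null
    },
}


def find_null_mfa_providers(service: dict) -> list[str]:
    """Return the problems found in one parsed service definition."""
    problems: list[str] = []
    policy = service.get("multifactorPolicy")
    if policy is None:
        return problems  # no service-level MFA policy: nothing to dereference
    if policy.get("multifactorAuthenticationProviders") is None:
        problems.append(
            f"service id={service.get('id')} name={service.get('name')!r}: "
            "multifactorPolicy.multifactorAuthenticationProviders is null; "
            "remove the multifactorPolicy block or give it a provider list"
        )
    return problems


def repair(service: dict) -> dict:
    """Return a copy of the service with a null-provider MFA policy removed.

    Dropping the block leaves the service with no service-level MFA
    requirement, which is the assumed intent for a definition that never
    named a provider."""
    fixed = dict(service)
    policy = fixed.get("multifactorPolicy")
    if policy and policy.get("multifactorAuthenticationProviders") is None:
        del fixed["multifactorPolicy"]
    return fixed


def lint_directory(services_dir: Path) -> Iterator[str]:
    """Yield one line per problem across every *.json file in the directory."""
    for path in sorted(services_dir.glob("*.json")):
        try:
            service = json.loads(path.read_text(encoding="utf-8"))
        except json.JSONDecodeError as exc:
            yield f"{path.name}: not valid JSON ({exc})"
            continue
        for problem in find_null_mfa_providers(service):
            yield f"{path.name}: {problem}"


if __name__ == "__main__":
    import sys
    import tempfile

    if len(sys.argv) > 1:
        target = Path(sys.argv[1])  # e.g. the directory behind cas.serviceRegistry.json.location
    else:
        # No directory given: lint the constructed sample from a temp directory.
        target = Path(tempfile.mkdtemp())
        (target / "CASManagement-1001.json").write_text(
            json.dumps(SAMPLE_BROKEN, indent=2), encoding="utf-8"
        )
    for line in lint_directory(target):
        print(line)
```

Running it against the registry directory before restarting CAS surfaces a definition like the one pasted above instead of a stack trace at login time; the repair step deliberately removes the whole block rather than inventing a provider, because which MFA provider (if any) a service should require is a policy decision, not something a linter should guess.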