There’s a bug in the Surrogate Authentication code. Basically when someone authenticates using Delegate Auth, the Surrogate Authentication class overwrites all Credential objects in the Spring Webflow context, rather than just the UsernamePassword Credential. This wipes out the TOTP token credential, giving rise to this error. I’ve fixed it in our local overlay, but I thought it only affected OTP/GAuth authentication. I guess it affects others. Let me see if I can extract a patch.
I wanted to submit the patch to the main project, but the code submission guidelines say that patches must be submitted against the master branch (which is 6.x) and back ported to 5.x. We don’t have a working 6.x deploy going anywhere yet, so I’m unable to test patches against the 6.x code base. And many of the 6.x changes are around MFA.

On Jul 11, 2019, at 8:15 AM, Brent Smith <[email protected]> wrote:

I'm getting this same error when using mfa-simple and mfa-gauth, so it seems like it's related to multiple MFA implementations after delegated auth. Did you ever find a fix for it?

-Brent

On Friday, October 26, 2018 at 9:04:39 PM UTC-4, Daniel Ramos wrote:

Whoops, sorry if you all received this more than once. I accidentally submitted this to the old dev mailing list.

I'm trying to set up a new CAS server that delegates authentication but also uses U2F multifactor authentication. Delegated authentication works fine, but when I try to enable U2F MFA I'm getting errors:

Caused by: org.thymeleaf.exceptions.TemplateProcessingException: Error during execution of processor 'org.thymeleaf.spring4.processor.SpringInputGeneralFieldTagProcessor' (template: "casU2fLoginView" - line 53, col 78)
    at org.thymeleaf.processor.element.AbstractAttributeTagProcessor.doProcess(AbstractAttributeTagProcessor.java:117) ~[thymeleaf-3.0.9.RELEASE.jar:3.0.9.RELEASE]
{...}
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1008E: Property or field 'token' cannot be found on object of type 'org.apereo.cas.authentication.principal.ClientCredential' - maybe not public or not valid?

Seems to me instead of a `U2FTokenCredential` being set as the "credential" variable for the template, the Delegated Authentication related `ClientCredential` is being used.
I was able to get it to work by modifying U2FAccountCheckRegistrationAction to include:

    WebUtils.putCredential(requestContext,new U2FTokenCredential());

I would *love* to submit a pull request to fix this but I know this isn't the correct fix. I'm not even sure if this issue is specific to U2F or all MFA after a delegated authentication. Can anyone offer suggestions on where I should look to fix this correctly? Unfortunately I'm still new to the CAS codebase.

Thank you all.

- Danny

--
You received this message because you are subscribed to the Google Groups "CAS Developer" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/df12eaf0-5984-43e6-9ddc-d1367e4b2ef9%40apereo.org.

Steve Hillman
IT Architect | IT Services
SH1032 | Simon Fraser University
8888 University Dr., Burnaby, B.C. V5A 1S6
T: 778.782.3960 | M: 604.306.3366 | www.sfu.ca/itservices
Twitter: @sfu_it
