Hi Martin,

Thanks for your response. Sadly, I think that the result of implementing a 
custom Authentication Handler would be the same as what I have now, a 
redirection to the CAS error page, since with my current implementation I'm 
throwing a FailedLoginException, which is exactly the same as what you're 
doing.

So, I think that my question is not the correct one. I guess what I need is 
to modify the login-webflow to define what to do when an authentication 
failure happens. I'll follow the 
guide https://apereo.github.io/2016/10/07/webflow-extcfg/ to try to do it.

Regards



On Wednesday, 24 January 2018 at 3:43:27 (UTC+1), Martin Bohun wrote:
>
> Hello Oscar,
>
> This is an example of one possible solution:
> Our CAS project (based on cas-4.0.x) uses Delegated Authentication 
> (Facebook/Google/Twitter) to perform "one click" SignUp/SignIn.
> We use a custom auth handler that uses the attributes (email, first_name, 
> surname) returned by Facebook/Google/Twitter to either:
> a) SignIn the user if a user with that email already exists in the system, OR
> b) SignUp: create the user in our system, and proceed to SignIn
>
> So at that point in the code where we are receiving/processing the email 
> address returned by Facebook/Google/Twitter:
>
> https://github.com/AtlasOfLivingAustralia/ala-cas-2.0/blob/master/src/main/java/org/jasig/cas/support/pac4j/authentication/handler/support/ALAClientAuthenticationHandler.java#L121
>
> one could do the type of filtering you want:
> a) hardcode it there
> b) externalize the email validation/check regexp into some 
> properties/config file so 
> c) fast/phugly/hack do the filtering in your LDAP, SQL query,
> etc.
>
> regards,
>
> martin
>
> On Wednesday, January 24, 2018 at 2:10:34 AM UTC+11, Oscar del Pozo wrote:
>>
>> Hi!
>>
>> I'm migrating from CAS 4.0.5 to 5.2.1 and everything has gone perfectly, but 
>> I'm facing a problem with the Google OAuth authentication.
>>
>> I have configured delegated authentication to Google with pac4j 
>> successfully, but I need to make a modification: only allow the emails which 
>> end with @companyname.com (I do agree that this kind of thing should not be 
>> done at CAS, because this is about authorization and not authentication, 
>> but I have to).
>>
>> I have added a new AuthorizationGenerator to the Google2Client instance 
>> so that, after retrieving the user profile with the Google2ProfileDefinition 
>> class, I make my validation and, in case the user email is not a 
>> valid one, I set the profile identifier to blank. The blank 
>> identifier causes a FailedLoginException at 
>> AbstractPac4jAuthenticationHandler.
>>
>> Everything seems to work fine, but finally I get the following exception 
>> and the CAS error page is shown.
>>
>>
>>> 2018-01-23 15:58:48,581 DEBUG [org.pac4j.oauth.profile.creator.OAuth20ProfileCreator] - <add access_token: ya29.Glx....... to profile>
>>> 2018-01-23 15:58:48,581 DEBUG [org.pac4j.oauth.profile.google2.Google2Profile] - <adding => key: access_token / value:XXX-XXX / class java.lang.String>
>>> 2018-01-23 15:58:48,581 DEBUG [org.pac4j.oauth.client.Google2Client] - <profile: #Google2Profile# | id: 112368488543222222114 | attributes: {name.familyName=del Pozo, emails=[org.pac4j.oauth.profile.google2.Google2Email@64f6a901], access_token=..., gender=MALE, displayName=Oscar del Pozo, name.givenName=Oscar, ... |>
>>> 2018-01-23 15:58:49,599 WARN [org.apereo.cas.support.pac4j.oauth.MyProfileAuthorizationGenerator] - <Invalid user email>
>>> 2018-01-23 15:58:49,599 DEBUG [org.pac4j.oauth.profile.google2.Google2Profile] - <identifier: >
>>> 2018-01-23 15:58:51,789 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=<null>]] of type [ClientCredential].>
>>> 2018-01-23 15:58:53,216 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>> =============================================================
>>> WHO: null
>>> WHAT: Supplied credentials: [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=<null>]]
>>> ACTION: AUTHENTICATION_SUCCESS   (This is a reported bug, the authentication has actually failed: https://github.com/apereo/inspektr/pull/10)
>>> APPLICATION: CAS
>>> WHEN: Tue Jan 23 15:58:53 CET 2018
>>> CLIENT IP ADDRESS: 192.168.56.1
>>> SERVER IP ADDRESS: 192.168.56.1
>>> =============================================================
>>> >
>>> 2018-01-23 15:58:53,247 ERROR [org.springframework.boot.web.support.ErrorPageFilter] - <Forwarding to error page from request [/login] due to exception [Exception thrown executing org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction@848f27e in state 'clientAction' of flow 'login' -- action execution attributes were 'map[[empty]]']>
>>>         at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>>         at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>>         at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>> [...]
>>> Caused by: org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes
>>>         at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:400) ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
>>>         at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:380) ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
>>>         at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:220) ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
>>
>>
>>
>> Is my approach correct? Is it possible not to show this CAS error and 
>> go to the 403 view instead?
>>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/23c43dbf-2659-4a55-bdbc-0465db57134a%40apereo.org.
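The domain check Oscar describes (an AuthorizationGenerator on the Google2Client that blanks the profile identifier when the e-mail is not from the company domain, so that AbstractPac4jAuthenticationHandler raises FailedLoginException) as an added example; this is not code from the thread, from CAS or from pac4j. It assumes the pac4j 2.x `AuthorizationGenerator<U>.generate(WebContext, U)` signature that CAS 5.2 builds against, and that `CommonProfile.getEmail()` / `setId()` are available on the Google2Profile, which extends CommonProfile. The allow-list match is on the whole domain after the last `@` rather than a plain suffix test, so that look-alike domains are rejected, and the pure check is kept in its own method so it can be unit-tested without a pac4j context.

```java
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

import org.pac4j.core.authorization.generator.AuthorizationGenerator;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.profile.CommonProfile;

/**
 * Rejects delegated (Google/OAuth) profiles whose e-mail domain is not on
 * an allow-list. Example class, not part of CAS or pac4j; the generate()
 * signature is the pac4j 2.x one (assumption).
 */
public class AllowedDomainAuthorizationGenerator implements AuthorizationGenerator<CommonProfile> {

    private final Set<String> allowedDomains;

    public AllowedDomainAuthorizationGenerator(Set<String> allowedDomains) {
        // Normalise once so the comparison is case-insensitive and ignores stray spaces.
        this.allowedDomains = allowedDomains.stream()
                .map(d -> d.trim().toLowerCase(Locale.ROOT))
                .collect(Collectors.toSet());
    }

    /**
     * Pure check: true only when the part after the last '@' is exactly one of the
     * allowed domains. A suffix test such as endsWith("companyname.com") would also
     * accept "user@evilcompanyname.com"; a substring test would accept
     * "user@companyname.com.attacker.example". Both are rejected here.
     */
    static boolean isAllowedEmail(String email, Set<String> allowedDomains) {
        if (email == null) {
            return false;                       // Google may return a profile without an e-mail
        }
        String trimmed = email.trim();
        int at = trimmed.lastIndexOf('@');
        if (at < 1 || at == trimmed.length() - 1) {
            return false;                       // no local part, or nothing after the '@'
        }
        String domain = trimmed.substring(at + 1).toLowerCase(Locale.ROOT);
        return allowedDomains.contains(domain);
    }

    @Override
    public CommonProfile generate(WebContext context, CommonProfile profile) {
        if (!isAllowedEmail(profile.getEmail(), allowedDomains)) {
            // Same mechanism as in the thread: a blank identifier makes
            // AbstractPac4jAuthenticationHandler throw FailedLoginException, so no
            // ticket-granting ticket is ever issued for this profile.
            profile.setId("");
        }
        return profile;
    }

    // Constructed inputs for a quick manual run; the expected results are in the comments.
    public static void main(String[] args) {
        Set<String> allowed = Set.of("companyname.com");
        System.out.println(isAllowedEmail("alice@companyname.com", allowed));            // true
        System.out.println(isAllowedEmail("ALICE@CompanyName.COM", allowed));            // true
        System.out.println(isAllowedEmail("alice@evilcompanyname.com", allowed));        // false
        System.out.println(isAllowedEmail("alice@companyname.com.attacker.example", allowed)); // false
        System.out.println(isAllowedEmail("@companyname.com", allowed));                 // false
        System.out.println(isAllowedEmail(null, allowed));                               // false
    }
}
```

To wire it in the way the thread describes, the generator is registered on the delegated client (`google2Client.addAuthorizationGenerator(new AllowedDomainAuthorizationGenerator(Set.of("companyname.com")))`, assuming pac4j's `IndirectClient.addAuthorizationGenerator`), and the domain list should come from CAS configuration rather than being hard-coded, as Martin suggests. Note that the WARN line in the pasted log ("Invalid user email") is the only signal a defender gets for a rejected login, so a custom generator should log the rejected domain (not the whole address, to keep PII out of logs) at WARN level before blanking the identifier.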
