Hi Francis,

> Modify the webflow by adding a new
> TransitionExecutingFlowExecutionExceptionHandler or adding a
> new TransitionSet catching the error into *clientAction*.

That's exactly what I have done right now and it's working. Thanks for your answer!

On Thursday, January 25, 2018, 10:57:30 (UTC+1), Francis wrote:
>
> The error 'map[[empty]]'] comes from the fact that the webflow from pac4j doesn't catch correctly the error sent by 'AbstractPac4jAuthenticationHandler'.
>
> From my point of view the solution would be to modify the webflow in order to "accept" your exception and to redirect to a new action you have defined.
>
> 2 solutions, you can override org.apereo.cas.web.flow.Pac4jWebflowConfigurer (faster) or extend the webflow via a new own configuration (nicer).
> Modify the webflow by adding a new TransitionExecutingFlowExecutionExceptionHandler or adding a new TransitionSet catching the error into *clientAction*.
>
> See some example from org.apereo.cas.web.flow.configurer.DefaultWebflowConfigurer
>
> See as well https://github.com/apereo/cas/pull/3138 that shows how the webflow can be modified in the case of pac4j
>
> On Tuesday, January 23, 2018 at 4:10:34 PM UTC+1, Oscar del Pozo wrote:
>>
>> Hi!
>>
>> I'm migrating from CAS 4.0.5 to 5.2.1 and everything has gone perfect but I'm facing a problem with the Google OAuth authentication.
>>
>> I have configured a delegate authentication to Google with pac4j successfully but I need to make a modification, only allow the emails which end with *@companyname.com* (I do agree that this kind of things should not be done at CAS because this is about authorization and not authentication, but I have to)
>>
>> I have added a new AuthorizationGenerator to the Google2Client instance so, after retrieving the user profile with the *Google2ProfileDefinition* class, I make my validation and in case that the user email is not a valid one, I set the profile identifier no blank.
>> The blank identifier causes a *FailedLoginException* at *AbstractPac4jAuthenticationHandler*.
>>
>> Everything seems to work fine but finally, I get the following exception and the CAS error page is shown.
>>
>>> 2018-01-23 15:58:48,581 DEBUG [org.pac4j.oauth.profile.creator.OAuth20ProfileCreator] - <add access_token: ya29.Glx....... to profile>
>>> 2018-01-23 15:58:48,581 DEBUG [org.pac4j.oauth.profile.google2.Google2Profile] - <adding => key: access_token / value:XXX-XXX / class java.lang.String>
>>> 2018-01-23 15:58:48,581 DEBUG [org.pac4j.oauth.client.Google2Client] - <profile: #Google2Profile# | id: 112368488543222222114 | attributes: {name.familyName=del Pozo, emails=[org.pac4j.oauth.profile.google2.Google2Email@64f6a901], access_token=..., gender=MALE, displayName=Oscar del Pozo, name.givenName=Oscar, ... |>
>>> 2018-01-23 15:58:49,599 WARN [org.apereo.cas.support.pac4j.oauth.MyProfileAuthorizationGenerator] - <Invalid user email>
>>> 2018-01-23 15:58:49,599 DEBUG [org.pac4j.oauth.profile.google2.Google2Profile] - <identifier: >
>>> 2018-01-23 15:58:51,789 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed.
>>> Credentials may be incorrect or CAS cannot find authentication handler that supports [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=<null>]] of type [ClientCredential].>
>>> 2018-01-23 15:58:53,216 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>> =============================================================
>>> WHO: null
>>> WHAT: Supplied credentials: [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=<null>]]
>>> ACTION: AUTHENTICATION_SUCCESS (This is a reported bug, the authentication has actually failed: https://github.com/apereo/inspektr/pull/10)
>>> APPLICATION: CAS
>>> WHEN: Tue Jan 23 15:58:53 CET 2018
>>> CLIENT IP ADDRESS: 192.168.56.1
>>> SERVER IP ADDRESS: 192.168.56.1
>>> =============================================================
>>> >
>>> 2018-01-23 15:58:53,247 ERROR [org.springframework.boot.web.support.ErrorPageFilter] - <Forwarding to error page from request [/login] due to exception [Exception thrown executing org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction@848f27e in state 'clientAction' of flow 'login' -- action execution attributes were 'map[[empty]]']>
>>> at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>> at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>> at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>> [...]
>>> Caused by: org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes
>>> at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:400) ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
>>> at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:380) ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
>>> at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:220) ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
>>
>> Is my approach correct? Is it possible to do not show this CAS error and go to the 403 view?
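
The fix agreed on in this thread, sketched as an added example (not code from the posters or from the CAS project): a Spring Webflow TransitionExecutingFlowExecutionExceptionHandler attached to the 'clientAction' state, so the AuthenticationException in the stack trace leads to a transition instead of the CAS error page. The class name ClientActionFailureRouting and the forbiddenStateId parameter are hypothetical. It assumes the caller is a custom webflow configurer that already holds the login Flow and has added a state rendering the 403 view.

```java
import org.apereo.cas.authentication.AuthenticationException;
import org.springframework.webflow.engine.Flow;
import org.springframework.webflow.engine.State;
import org.springframework.webflow.engine.support.TransitionExecutingFlowExecutionExceptionHandler;

/** Added illustration; the class name is hypothetical. */
public final class ClientActionFailureRouting {

    /** State id taken from the ErrorPageFilter log line in the thread. */
    private static final String CLIENT_ACTION_STATE_ID = "clientAction";

    private ClientActionFailureRouting() {
    }

    /**
     * @param loginFlow        the CAS 'login' flow definition
     * @param forbiddenStateId hypothetical id of a state, already present in the
     *                         flow, that renders the 403 view
     */
    public static void routeAuthenticationFailure(final Flow loginFlow, final String forbiddenStateId) {
        // Fail at startup rather than at login time if either state is missing.
        if (!loginFlow.containsState(CLIENT_ACTION_STATE_ID)) {
            throw new IllegalStateException("login flow has no state " + CLIENT_ACTION_STATE_ID);
        }
        if (!loginFlow.containsState(forbiddenStateId)) {
            throw new IllegalStateException("login flow has no state " + forbiddenStateId);
        }

        final TransitionExecutingFlowExecutionExceptionHandler handler =
                new TransitionExecutingFlowExecutionExceptionHandler();
        // The handler matches the thrown exception or any exception in its cause
        // chain, so the AuthenticationException wrapped by the failed action is caught.
        // Every delegated-authentication failure in this state is routed the same way,
        // not only the rejected e-mail domain; log the cause before relying on the view.
        handler.add(AuthenticationException.class, forbiddenStateId);

        final State clientAction = loginFlow.getStateInstance(CLIENT_ACTION_STATE_ID);
        clientAction.getExceptionHandlerSet().add(handler);
    }
}
```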
