Hey all, I was originally trying to set up some custom triggers to determine who should use MFA and who is allowed to bypass. I have since been directed towards Groovy to simplify things, but I'm still having some trouble.
At this point, the Groovy script's purpose is strictly to test whether a certain user will bypass MFA while others will not. Here's my setup:

*/etc/cas/config/cas.properties*

    ##
    # Duo security 2fa authentication provider
    # https://www.duosecurity.com/docs/duoweb#1.-generate-an-akey
    #
    cas.authn.mfa.duo[0].rank=0
    cas.authn.mfa.duo[0].duoApiHost=REMOVED
    cas.authn.mfa.duo[0].duoIntegrationKey=REMOVED
    cas.authn.mfa.duo[0].duoSecretKey=REMOVED
    cas.authn.mfa.duo[0].duoApplicationKey=REMOVED
    cas.authn.mfa.duo[0].id=mfa-duo
    cas.authn.mfa.globalProviderId=mfa-duo
    cas.authn.mfa.globalFailureMode=OPEN
    cas.authn.mfa.duo[0].bypass.type=GROOVY
    cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy

*/etc/cas/selectiveDuo.groovy*

    def boolean run(final Object... args) {
        def authentication = args[0]
        def principal = args[1]
        def service = args[2]
        def provider = args[3]
        def logger = args[4]
        def httpRequest = args[5]

        logger.info("Evaluating principal attributes ${principal.attributes}")
        def bypass = principal.attributes['uid']
        // Only one user is exempted from Duo; everyone else goes to MFA
        if (bypass.contains("testuser") && provider.id == "mfa-duo") {
            logger.info("Skipping bypass for principal ${principal.id}")
            return false
        }
        return true
    }

When I try to log in though, whenever a user would be sent to Duo, I get a 500 error:

<https://lh3.googleusercontent.com/-bqF7r6WYFDU/Wn2r6Zgza6I/AAAAAAAASso/CtOtDNX7IF0Y2Ua0Eb8GyWbXuYdCSbEJgCLcBGAs/s1600/Screen%2BShot%2B2018-02-09%2Bat%2B9.10.22%2BAM.png>

Here's a small snippet from the output:

    2018-02-09 09:04:05,717 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception due to a type mismatch>
    org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
        at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_151]
    Caused by: org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException: Error encoding flow execution
        at org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.getKey(ClientFlowExecutionRepository.java:114) ~[spring-webflow-client-repo-1.0.3.jar:1.0.3]
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.assignKey(FlowExecutionImpl.java:419) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.assignFlowExecutionKey(RequestControlContextImpl.java:193) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
    Caused by: java.io.NotSerializableException: org.springframework.core.io.UrlResource
        at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184) ~[?:1.8.0_151]
        at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) ~[?:1.8.0_151]
        at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) ~[?:1.8.0_151]
        at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432) ~[?:1.8.0_151]
        at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178) ~[?:1.8.0_151]
        at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) ~[?:1.8.0_151]
        at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) ~[?:1.8.0_151]
    2018-02-09 09:04:05,717 ERROR [org.springframework.boot.web.support.ErrorPageFilter] - <Forwarding to error page from request [/login] due to exception [Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo']>
    org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
        at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_151]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_151]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_151]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_151]
    Caused by: org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException: Error encoding flow execution
        at org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.getKey(ClientFlowExecutionRepository.java:114) ~[spring-webflow-client-repo-1.0.3.jar:1.0.3]
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.assignKey(FlowExecutionImpl.java:419) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.assignFlowExecutionKey(RequestControlContextImpl.java:193) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
        at org.springframework.webflow.engine.ViewState.doEnter(ViewState.java:170) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
        at org.springframework.webflow.engine.State.enter(State.java:194) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
        at org.springframework.webflow.engine.Transition.execute(Transition.java:228) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
    Caused by: java.io.NotSerializableException: org.springframework.core.io.UrlResource
        at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184) ~[?:1.8.0_151]
        at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) ~[?:1.8.0_151]
        at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) ~[?:1.8.0_151]
        at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432) ~[?:1.8.0_151]
        at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178) ~[?:1.8.0_151]
        at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) ~[?:1.8.0_151]
        at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) ~[?:1.8.0_151]
        at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432) ~[?:1.8.0_151]

I posted the output to pastebin since it was too large for just posting here: https://pastebin.com/yNPk4u7n

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b3ba67e2-e0ca-4a8e-853b-041343564b9f%40apereo.org.
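A hardened form of the bypass script, added here as an example; it is neither the original poster's script nor CAS project code. It assumes the CAS 5.2 Groovy bypass contract under which the script returns true when MFA must execute and false when it may be bypassed (the same convention the posted script relies on), takes the `uid` attribute name and the `mfa-duo` provider id from the post, and uses a hypothetical allow-list in place of the single hard-coded user. It addresses the points a reviewer would raise against the posted script: a principal with no `uid` attribute throws a NullPointerException on `.contains()`; `contains()` is a substring match when the attribute arrives as a single String (so `testuser2` would also bypass) and an element match when it arrives as a List; and any unexpected exception should leave the user on MFA rather than off it. It does not address the `NotSerializableException` for `UrlResource` in the trace, which occurs while the client-side flow repository encodes the flow state and cannot be fixed from inside the script body.

```groovy
// Added example, not the poster's script and not CAS project code.
// Assumed contract (CAS 5.2 Groovy bypass): return true => run MFA,
// return false => bypass MFA. Attribute name "uid" and provider id
// "mfa-duo" come from the post; the allow-list below is hypothetical.

// Normalise a principal attribute value (null, scalar, or collection)
// into a list of strings so the membership test is uniform.
List<String> asStrings(Object value) {
    if (value == null) {
        return []
    }
    if (value instanceof Collection) {
        return value.collect { it?.toString() }.findAll { it != null }
    }
    return [value.toString()]
}

def boolean run(final Object... args) {
    def authentication = args[0]
    def principal = args[1]
    def service = args[2]
    def provider = args[3]
    def logger = args[4]
    def httpRequest = args[5]

    // Hypothetical allow-list of accounts permitted to skip Duo. Keep it
    // short and explicit: every account listed here is effectively
    // single-factor, so it deserves the same review as an admin grant.
    final Set<String> bypassUsers = ['testuser'] as Set

    try {
        // Only the Duo provider is ever bypassed; any other provider runs MFA.
        if (provider?.id != 'mfa-duo') {
            return true
        }

        def uids = asStrings(principal?.attributes?.get('uid'))
        if (uids.isEmpty()) {
            // Fail closed: a principal without a uid attribute still gets MFA.
            logger.warn("No uid attribute for principal ${principal?.id}; requiring MFA")
            return true
        }

        // Exact element match, never substring: 'testuser2' must not inherit
        // the bypass granted to 'testuser'.
        boolean bypass = uids.any { bypassUsers.contains(it) }
        if (bypass) {
            logger.info("Bypassing ${provider.id} for principal ${principal.id}")
            return false
        }
        logger.info("Requiring ${provider.id} for principal ${principal.id}")
        return true
    } catch (Exception e) {
        // A scripting error must never silently turn into a bypass.
        logger.error("Bypass script failed for principal ${principal?.id}; requiring MFA", e)
        return true
    }
}
```

The allow-list lives inside `run()` rather than as a top-level script variable because CAS invokes the `run` method directly, so a typed top-level declaration would not be visible to it. Log the decision on both branches, as above, so the audit trail shows every bypass that was actually granted, not only the ones that were refused.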
