Hey all,

I was originally trying to set up some custom triggers to determine who 
should use MFA and who is allowed to bypass. I have since been directed 
towards Groovy to simplify things, but I'm still having some trouble.

At this point, the Groovy script's purpose is strictly to test if a certain 
user will bypass MFA while others will not. Here's my setup:

*/etc/cas/config/cas.properties*

##
# Duo security 2fa authentication provider
# https://www.duosecurity.com/docs/duoweb#1.-generate-an-akey
#
cas.authn.mfa.duo[0].rank=0
cas.authn.mfa.duo[0].duoApiHost=REMOVED
cas.authn.mfa.duo[0].duoIntegrationKey=REMOVED
cas.authn.mfa.duo[0].duoSecretKey=REMOVED
cas.authn.mfa.duo[0].duoApplicationKey=REMOVED
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.globalProviderId=mfa-duo
cas.authn.mfa.globalFailureMode=OPEN
cas.authn.mfa.duo[0].bypass.type=GROOVY
cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy


*/etc/cas/selectiveDuo.groovy*

def boolean run(final Object... args) {
    // Argument order is fixed by CAS for Groovy bypass scripts
    def authentication = args[0]
    def principal = args[1]
    def service = args[2]
    def provider = args[3]
    def logger = args[4]
    def httpRequest = args[5]

    logger.info("Evaluating principal attributes ${principal.attributes}")

    // Null-safe lookup so a principal without a uid attribute does not throw
    def bypass = principal.attributes['uid']
    if (bypass?.contains("testuser") && provider.id == "mfa-duo") {
        // Returning false tells CAS to skip (bypass) this MFA provider
        logger.info("Bypassing MFA for principal ${principal.id}")
        return false
    }

    // Returning true tells CAS to run MFA as normal
    return true
}


When I try to log in, though, whenever a user would be sent to Duo, I get a 
500 error:

<https://lh3.googleusercontent.com/-bqF7r6WYFDU/Wn2r6Zgza6I/AAAAAAAASso/CtOtDNX7IF0Y2Ua0Eb8GyWbXuYdCSbEJgCLcBGAs/s1600/Screen%2BShot%2B2018-02-09%2Bat%2B9.10.22%2BAM.png>

Here's a small snippet from the output:

2018-02-09 09:04:05,717 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception due to a type mismatch>
org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
    at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_151]

Caused by: org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException: Error encoding flow execution
    at org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.getKey(ClientFlowExecutionRepository.java:114) ~[spring-webflow-client-repo-1.0.3.jar:1.0.3]
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.assignKey(FlowExecutionImpl.java:419) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.assignFlowExecutionKey(RequestControlContextImpl.java:193) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]

Caused by: java.io.NotSerializableException: org.springframework.core.io.UrlResource
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184) ~[?:1.8.0_151]
    at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) ~[?:1.8.0_151]
    at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) ~[?:1.8.0_151]
    at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432) ~[?:1.8.0_151]
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178) ~[?:1.8.0_151]
    at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) ~[?:1.8.0_151]
    at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) ~[?:1.8.0_151]

2018-02-09 09:04:05,717 ERROR [org.springframework.boot.web.support.ErrorPageFilter] - <Forwarding to error page from request [/login] due to exception [Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo']>
org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
    at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_151]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_151]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_151]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_151]

Caused by: org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException: Error encoding flow execution
    at org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.getKey(ClientFlowExecutionRepository.java:114) ~[spring-webflow-client-repo-1.0.3.jar:1.0.3]
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.assignKey(FlowExecutionImpl.java:419) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.assignFlowExecutionKey(RequestControlContextImpl.java:193) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
    at org.springframework.webflow.engine.ViewState.doEnter(ViewState.java:170) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
    at org.springframework.webflow.engine.State.enter(State.java:194) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
    at org.springframework.webflow.engine.Transition.execute(Transition.java:228) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]

Caused by: java.io.NotSerializableException: org.springframework.core.io.UrlResource
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184) ~[?:1.8.0_151]
    at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) ~[?:1.8.0_151]
    at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) ~[?:1.8.0_151]
    at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432) ~[?:1.8.0_151]
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178) ~[?:1.8.0_151]
    at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) ~[?:1.8.0_151]
    at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) ~[?:1.8.0_151]
    at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432) ~[?:1.8.0_151]


I posted the output to pastebin since it was too large for just posting 
here: https://pastebin.com/yNPk4u7n

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b3ba67e2-e0ca-4a8e-853b-041343564b9f%40apereo.org.
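As an added example (not code from the original post or from the CAS project), here is a version of the selective bypass script that treats the exempt users as an explicit allowlist with exact, case-insensitive matching instead of a substring `contains`, copes with the `uid` attribute being either a single value or a collection, and fails closed (requires MFA) when the attribute is missing. The `uid` attribute name and the `mfa-duo` provider id come from the post; the allowlist contents are constructed.

```groovy
// Same argument order CAS passes to a Groovy MFA bypass script (as in the post).
// Return value: true = run this MFA provider, false = bypass it.
def boolean run(final Object... args) {
    def authentication = args[0]
    def principal      = args[1]
    def service        = args[2]
    def provider       = args[3]
    def logger         = args[4]
    def httpRequest    = args[5]

    // Constructed allowlist of uids exempt from Duo. Keep it explicit and short;
    // anything not listed here gets MFA.
    final Set<String> mfaExemptUids = ['testuser', 'svc-monitor'] as Set

    // Only decide for the provider this script is wired to; leave others alone.
    if (provider?.id != 'mfa-duo') {
        return true
    }

    // Principal attributes may be single-valued or a collection; normalise to a list.
    def raw = principal?.attributes?.get('uid')
    List<String> uids = (raw instanceof Collection) ? raw.collect { it.toString() }
                      : (raw != null ? [raw.toString()] : [])

    if (uids.isEmpty()) {
        // Fail closed: without a uid we cannot prove the exemption, so require MFA.
        logger.warn("No uid attribute for principal ${principal?.id}; requiring MFA")
        return true
    }

    // Exact match against the allowlist (case-insensitive), not a substring test.
    def exempt = uids.any { mfaExemptUids.contains(it.toLowerCase()) }
    if (exempt) {
        logger.info("Bypassing Duo for exempt principal ${principal.id} (uid=${uids})")
        return false
    }

    logger.debug("Requiring Duo for principal ${principal.id}")
    return true
}
```

Because every non-allowlisted and every attribute-less principal ends up on the `return true` path, a misconfigured attribute source degrades to "everyone gets MFA" rather than "everyone is bypassed".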