I meant to add, our pom.xml has the following dependencies (in case we’re 
missing something):

<dependencies>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-webapp-${app.server}</artifactId>
            <version>${cas.version}</version>
            <type>war</type>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-ldap</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-saml</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-hazelcast-ticket-registry</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-duo</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-json-service-registry</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.javassist</groupId>
            <artifactId>javassist</artifactId>
            <version>3.17.1-GA</version>
        </dependency>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>servlet-api</artifactId>
            <version>2.5</version>
            <type>jar</type>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-core-webflow</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-core-web</artifactId>
            <version>${cas.version}</version>
            <type>jar</type>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-core-configuration</artifactId>
            <version>${cas.version}</version>
            <type>jar</type>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-core-authentication</artifactId>
            <version>${cas.version}</version>
        </dependency>
    </dependencies>


> On Feb 9, 2018, at 5:19 PM, Man H <info.ings...@gmail.com> wrote:
> 
> 
> add 
>         <dependency>
>              <groupId>org.apereo.cas</groupId>
>              <artifactId>cas-server-core-authentication</artifactId>
>              <version>${cas.version}</version>
>         </dependency>
> 
> with: 
> 
> cas.authn.mfa.duo[0].bypass.type=GROOVY
> cas.authn.mfa.duo[0].bypass.groovy.location=file:/etc/cas/config/mfaGroovyTrigger.groovy
> 
> you should get
> 
> 2018-02-09 19:10:39,145 DEBUG 
> [org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] 
> - <Evaluating multifactor authentication bypass properties for principal 
> [casuser], service [null] and provider 
> [DefaultDuoMultifactorAuthenticationProvider] via Groovy script [URL 
> [file:/etc/cas/config/mfaGroovyTrigger.groovy]]>
> 
> 
> 
> 
> 
> 2018-02-09 17:11 GMT-03:00 Brian Davidson <awk.br...@gmail.com>:
> Just to add a bit to what Brian M. provided (I’m also a Brian, and a 
> co-worker of Brian M’s):
> 
> We have Duo MFA working if we comment out:
> cas.authn.mfa.duo[0].bypass.type=GROOVY
> cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy
> 
> We did find that CAS was unable to check to see if the user exists in Duo if 
> we used the “CAS” integration in Duo.  But it works if we set up the 
> integration as “Auth API”.
> 
> We haven’t touched webflow. With the groovy script in place, 
> 
> When we enable GROOVY bypass script, we get:
> 
> 2018-02-09 15:04:55,638 DEBUG 
> [org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Attempting to 
> handle [org.springframework.webflow.execution.FlowExecutionException: 
> Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'] with root 
> cause [java.io.NotSerializableException: 
> org.springframework.core.io.UrlResource]>
> 
> As well as the stack trace Brian M. provided.
> 
> cas.authn.mfa.duo[0].bypass.groovy.location was the missing piece yesterday.  
> Dug through source code to find that.  We’re happy to provide updates to the 
> documentation once we get this working.
> 
> Thanks for the help!
> 
>> On Feb 9, 2018, at 10:14 AM, brian mancuso <snidd...@gmail.com> wrote:
>> 
>> Anything that says "REMOVED" is just stuff I pulled out before posting it. I 
>> didn't want to post any private/sensitive information.
>> 
>> On Friday, February 9, 2018 at 9:59:12 AM UTC-5, Manfredo Hopp wrote:
>> What do you mean by REMOVED in properties?
>> 
>> On Friday, February 9, 2018, brian mancuso <snid...@gmail.com> wrote:
>> Hey all,
>> 
>> I was originally trying to setup some custom triggers to determine who 
>> should use MFA and who is allowed to bypass. I have since been directed 
>> towards Groovy to simplify things, but I'm still having some trouble.
>> 
>> At this point, the Groovy script's purpose is strictly to test if a certain 
>> user will bypass MFA while others will not. Here's my setup:
>> 
>> /etc/cas/config/cas.properties
>> 
>> ##
>> # Duo security 2fa authentication provider
>> # https://www.duosecurity.com/docs/duoweb#1.-generate-an-akey
>> #
>> cas.authn.mfa.duo[0].rank=0
>> cas.authn.mfa.duo[0].duoApiHost=REMOVED
>> cas.authn.mfa.duo[0].duoIntegrationKey=REMOVED
>> cas.authn.mfa.duo[0].duoSecretKey=REMOVED
>> cas.authn.mfa.duo[0].duoApplicationKey=REMOVED
>> cas.authn.mfa.duo[0].id=mfa-duo
>> cas.authn.mfa.globalProviderId=mfa-duo
>> cas.authn.mfa.globalFailureMode=OPEN
>> cas.authn.mfa.duo[0].bypass.type=GROOVY
>> cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy
>> 
>> 
>> /etc/cas/selectiveDuo.groovy
>> 
>> def boolean run(final Object... args) {
>>     // Positional arguments handed to the script
>>     def authentication = args[0]
>>     def principal = args[1]
>>     def service = args[2]
>>     def provider = args[3]
>>     def logger = args[4]
>>     def httpRequest = args[5]
>>     
>>     logger.info("Evaluating principal attributes ${principal.attributes}")
>> 
>>     // Returns false only for the test user on the mfa-duo provider
>>     def bypass = principal.attributes['uid']
>>     if (bypass.contains("testuser") && provider.id == "mfa-duo") {
>>         logger.info("Skipping bypass for principal ${principal.id}")
>>         return false
>>     }
>> 
>>     return true
>> }
>> 
>> 
>> When I try to login though, whenever a user would be sent to DUO, I get a 
>> 500 error:
>> 
>>  
>> <https://lh3.googleusercontent.com/-bqF7r6WYFDU/Wn2r6Zgza6I/AAAAAAAASso/CtOtDNX7IF0Y2Ua0Eb8GyWbXuYdCSbEJgCLcBGAs/s1600/Screen%2BShot%2B2018-02-09%2Bat%2B9.10.22%2BAM.png>
>> 
>> Here's a small snippet from the output:
>> 
>> 2018-02-09 09:04:05,717 DEBUG 
>> [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received 
>> exception due to a type mismatch>
>> org.springframework.webflow.execution.FlowExecutionException: Exception 
>> thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
>>      at 
>> org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573)
>>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>      at 
>> org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263)
>>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>      at 
>> org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169)
>>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
>> ~[?:1.8.0_151]
>> 
>> Caused by: 
>> org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException: 
>> Error encoding flow execution
>>      at 
>> org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.getKey(ClientFlowExecutionRepository.java:114)
>>  ~[spring-webflow-client-repo-1.0.3.jar:1.0.3]
>>      at 
>> org.springframework.webflow.engine.impl.FlowExecutionImpl.assignKey(FlowExecutionImpl.java:419)
>>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>      at 
>> org.springframework.webflow.engine.impl.RequestControlContextImpl.assignFlowExecutionKey(RequestControlContextImpl.java:193)
>>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> 
>> Caused by: java.io.NotSerializableException: 
>> org.springframework.core.io.UrlResource
>>      at 
>> java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184) 
>> ~[?:1.8.0_151]
>>      at 
>> java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) 
>> ~[?:1.8.0_151]
>>      at 
>> java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) 
>> ~[?:1.8.0_151]
>>      at 
>> java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432) 
>> ~[?:1.8.0_151]
>>      at 
>> java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178) 
>> ~[?:1.8.0_151]
>>      at 
>> java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) 
>> ~[?:1.8.0_151]
>>      at 
>> java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) 
>> ~[?:1.8.0_151]
>> 
>> 2018-02-09 09:04:05,717 ERROR 
>> [org.springframework.boot.web.support.ErrorPageFilter] - <Forwarding to 
>> error page from request [/login] due to exception [Exception thrown in state 
>> 'viewLoginFormDuo' of flow 'mfa-duo']>
>> org.springframework.webflow.execution.FlowExecutionException: Exception 
>> thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
>>      at 
>> org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573)
>>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>      at 
>> org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263)
>>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>      at 
>> org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169)
>>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
>> ~[?:1.8.0_151]
>>      at 
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>  ~[?:1.8.0_151]
>>      at 
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>  ~[?:1.8.0_151]
>>      at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_151]
>> 
>> Caused by: 
>> org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException: 
>> Error encoding flow execution
>>      at 
>> org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.getKey(ClientFlowExecutionRepository.java:114)
>>  ~[spring-webflow-client-repo-1.0.3.jar:1.0.3]
>>      at 
>> org.springframework.webflow.engine.impl.FlowExecutionImpl.assignKey(FlowExecutionImpl.java:419)
>>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>      at 
>> org.springframework.webflow.engine.impl.RequestControlContextImpl.assignFlowExecutionKey(RequestControlContextImpl.java:193)
>>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>      at 
>> org.springframework.webflow.engine.ViewState.doEnter(ViewState.java:170) 
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>      at org.springframework.webflow.engine.State.enter(State.java:194) 
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>      at 
>> org.springframework.webflow.engine.Transition.execute(Transition.java:228) 
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>      at 
>> org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>      at 
>> org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> 
>> Caused by: java.io.NotSerializableException: 
>> org.springframework.core.io.UrlResource
>>      at 
>> java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184) 
>> ~[?:1.8.0_151]
>>      at 
>> java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) 
>> ~[?:1.8.0_151]
>>      at 
>> java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) 
>> ~[?:1.8.0_151]
>>      at 
>> java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432) 
>> ~[?:1.8.0_151]
>>      at 
>> java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178) 
>> ~[?:1.8.0_151]
>>      at 
>> java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) 
>> ~[?:1.8.0_151]
>>      at 
>> java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) 
>> ~[?:1.8.0_151]
>>      at 
>> java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432) 
>> ~[?:1.8.0_151]
>> 
>> 
>> I posted the output to pastebin since it was too large for just posting 
>> here: https://pastebin.com/yNPk4u7n
>> 
>> -- 
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cas-user+u...@apereo.org.
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/b3ba67e2-e0ca-4a8e-853b-041343564b9f%40apereo.org.
>> 
