Hello everyone,

I have successfully configured CAS 5.2.3 to work with CAS and SPNEGO/Kerberos, but I was not able to restrict SPNEGO to certain IPs/hostnames. I looked into the code and found this class: SpengoWebflowConfigurer, with the action "evaluateClientRequest" (which is described in the configuration here: client-selection-strategy <https://apereo.github.io/cas/5.2.x/installation/SPNEGO-Authentication.html#client-selection-strategy>). I tried to set the parameter cas.authn.spnego.hostNameClientActionStrategy to hostnameSpnegoClientAction without success, so I removed it since its default value is "hostnameSpnegoClientAction".

I have a poor understanding of Spring Webflow, but I figured out that this method is supposed to trigger the "evaluateClientRequest" action (configured in getHostNameClientActionStrategy):

    private void createEvaluateSpnegoClientAction(final Flow flow) {
        // Action state that runs the configured client-selection action
        final ActionState evaluateClientRequest = createActionState(flow, EVALUATE_SPNEGO_CLIENT,
                createEvaluateAction(casProperties.getAuthn().getSpnego().getHostNameClientActionStrategy()));
        // "yes" goes on to SPNEGO authentication, "no" goes back to the flow's start state
        evaluateClientRequest.getTransitionSet().add(
                createTransition(CasWebflowConstants.TRANSITION_ID_YES, START_SPNEGO_AUTHENTICATE));
        evaluateClientRequest.getTransitionSet().add(
                createTransition(CasWebflowConstants.TRANSITION_ID_NO, getStartState(flow)));
    }

However, I don't understand how CAS makes the transition toward the EVALUATE_SPNEGO_CLIENT state. I tried looking for a transition in the code but I couldn't find any. So I copied this class into my overlay project and made a few changes. First I tried this:

    private void augmentWebflowToStartSpnego(final Flow flow) {
        // Send the "success" transition of the init-login-form state to the evaluation state
        final ActionState state = getState(flow, CasWebflowConstants.STATE_ID_INIT_LOGIN_FORM, ActionState.class);
        createTransitionForState(state, CasWebflowConstants.TRANSITION_ID_SUCCESS, EVALUATE_SPNEGO_CLIENT, true);
    }

And it worked OK as far as the "evaluate" part goes: I could see in the log the HostNameSpnegoKnownClientSystemsFilterAction class working to decide if my request should be authenticated with SPNEGO or CAS. But then the webflow entered a loop and ended up with a stack overflow exception.

So I changed this:

    private void createEvaluateSpnegoClientAction(final Flow flow) {
        final ActionState evaluateClientRequest = createActionState(flow, EVALUATE_SPNEGO_CLIENT,
                createEvaluateAction(casProperties.getAuthn().getSpnego().getHostNameClientActionStrategy()));
        evaluateClientRequest.getTransitionSet().add(
                createTransition(CasWebflowConstants.TRANSITION_ID_YES, START_SPNEGO_AUTHENTICATE));
        // "no" now goes to the login form view instead of the flow's start state
        evaluateClientRequest.getTransitionSet().add(
                createTransition(CasWebflowConstants.TRANSITION_ID_NO, CasWebflowConstants.STATE_ID_VIEW_LOGIN_FORM));
    }

And now everything is working. My questions are:

- Since 5.1.x the CAS documentation skips this step on webflow configuration: spnego webflow configuration <https://apereo.github.io/cas/5.0.x/installation/SPNEGO-Authentication.html#webflow-configuration> (from 5.0.x). Is it on purpose? Does this mean that the webflow should configure itself regarding the client request evaluation? If so, have I done something wrong? (I am clueless here; I have the feeling that modifying the class SpengoWebflowConfigurer to make it work is somehow a bad practice ...)
- If what I did is right, why not make it the default behavior and set these default values: hostNamePatternString=".+" (already the case) and ipsToCheckPattern=".+", which would trigger SPNEGO authentication for every request (if I am right) ...

Thank you for your time!

Arnaud