Hello everyone,

I have successfully configured CAS 5.2.3 to work with CAS and 
SPNEGO/Kerberos, but I was not able to restrict SPNEGO to certain 
IPs/hostnames.
I looked into the code and I found this class: SpnegoWebflowConfigurer, 
with the action "evaluateClientRequest" (which is described in the 
configuration here: client-selection-strategy 
<https://apereo.github.io/cas/5.2.x/installation/SPNEGO-Authentication.html#client-selection-strategy>
). 
I tried to set the parameter cas.authn.spnego.hostNameClientActionStrategy 
to hostnameSpnegoClientAction without success, so I removed it since its 
default value is "hostnameSpnegoClientAction".

I have a poor understanding of Spring Webflow, but I figured out that this 
method is supposed to trigger the "evaluateClientRequest" action 
(configured in getHostNameClientActionStrategy):

    private void createEvaluateSpnegoClientAction(final Flow flow) {
        // Action state that runs the configured client-selection strategy
        // (hostnameSpnegoClientAction by default).
        final ActionState evaluateClientRequest = createActionState(flow, EVALUATE_SPNEGO_CLIENT,
                createEvaluateAction(casProperties.getAuthn().getSpnego().getHostNameClientActionStrategy()));
        // "yes": the client matched, start SPNEGO authentication.
        evaluateClientRequest.getTransitionSet().add(
                createTransition(CasWebflowConstants.TRANSITION_ID_YES, START_SPNEGO_AUTHENTICATE));
        // "no": the client did not match, go back to the start state of the flow.
        evaluateClientRequest.getTransitionSet().add(
                createTransition(CasWebflowConstants.TRANSITION_ID_NO, getStartState(flow)));
    }

However, I don't understand how CAS makes the transition toward the 
EVALUATE_SPNEGO_CLIENT state. I tried looking for a transition in the code, 
but I couldn't find any.
So I copied this class in my overlay project and made a few changes. 

First I tried this:

    private void augmentWebflowToStartSpnego(final Flow flow) {
        // After the login form is initialized, evaluate the client instead of
        // following the original "success" transition (removeExisting = true).
        final ActionState state = getState(flow, CasWebflowConstants.STATE_ID_INIT_LOGIN_FORM, ActionState.class);
        createTransitionForState(state, CasWebflowConstants.TRANSITION_ID_SUCCESS, EVALUATE_SPNEGO_CLIENT, true);
    }

And it worked OK as far as the "evaluate" part goes: I could see in the log 
the HostNameSpnegoKnownClientSystemsFilterAction class working to decide if 
my request should be authenticated with SPNEGO or CAS.
But then the webflow entered a loop and ended up with a stack overflow 
exception.

So I changed this:

    private void createEvaluateSpnegoClientAction(final Flow flow) {
        final ActionState evaluateClientRequest = createActionState(flow, EVALUATE_SPNEGO_CLIENT,
                createEvaluateAction(casProperties.getAuthn().getSpnego().getHostNameClientActionStrategy()));
        evaluateClientRequest.getTransitionSet().add(
                createTransition(CasWebflowConstants.TRANSITION_ID_YES, START_SPNEGO_AUTHENTICATE));
        // "no" now goes to the login form view instead of the flow start state,
        // which avoids re-entering the state that transitions back here.
        evaluateClientRequest.getTransitionSet().add(
                createTransition(CasWebflowConstants.TRANSITION_ID_NO, CasWebflowConstants.STATE_ID_VIEW_LOGIN_FORM));
    }

And now everything is working.

My questions are:

   - Since v5.1.x the CAS documentation skips this step of the webflow 
   configuration: spnego webflow configuration 
   <https://apereo.github.io/cas/5.0.x/installation/SPNEGO-Authentication.html#webflow-configuration>
   (from 5.0.x). Is it on purpose? Does this mean that the webflow should 
   configure itself regarding the client request evaluation? If so, have I 
   done something wrong? (I am clueless here; I have the feeling that 
   modifying the class SpnegoWebflowConfigurer to make it work is somehow a 
   bad practice...)
   - If what I did is right, why not make it the default behavior and set 
   these default values: hostNamePatternString=".+" (already the case) 
   and ipsToCheckPattern=".+", which would trigger SPNEGO authentication for 
   every request (if I am right)...

Thank you for your time !

Arnaud
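The two changes described above, written as a separate overlay configurer rather than a copy of CAS's class. This is an added example, not code from the post or from the CAS project; it assumes that CAS 5.2.x picks up every CasWebflowConfigurer bean registered in the overlay, that a higher order value runs after the built-in SPNEGO configurer (so its states already exist), and that the class and bean names used here are hypothetical.

```java
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.web.flow.CasWebflowConstants;
import org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer;
import org.springframework.context.ApplicationContext;
import org.springframework.webflow.definition.registry.FlowDefinitionRegistry;
import org.springframework.webflow.engine.ActionState;
import org.springframework.webflow.engine.Flow;
import org.springframework.webflow.engine.builder.support.FlowBuilderServices;

/**
 * Hypothetical overlay configurer. Instead of copying CAS's own
 * SpnegoWebflowConfigurer, it runs after it (see getOrder) and applies the two
 * changes from the post to the states that configurer already created.
 */
public class SpnegoClientEvaluationWebflowConfigurer extends AbstractCasWebflowConfigurer {
    // Id of the action state created by SpnegoWebflowConfigurer (taken from the post).
    private static final String EVALUATE_SPNEGO_CLIENT = "evaluateClientRequest";

    public SpnegoClientEvaluationWebflowConfigurer(final FlowBuilderServices flowBuilderServices,
                                                   final FlowDefinitionRegistry loginFlowDefinitionRegistry,
                                                   final ApplicationContext applicationContext,
                                                   final CasConfigurationProperties casProperties) {
        super(flowBuilderServices, loginFlowDefinitionRegistry, applicationContext, casProperties);
    }

    @Override
    protected void doInitialize() {
        final Flow flow = getLoginFlow();
        if (flow == null) {
            return;
        }
        // Change 1: once the login form is initialized, evaluate the client
        // (hostname / IP pattern check) instead of rendering the form directly.
        // The last argument removes the existing "success" transition first.
        final ActionState initLoginForm = getState(flow, CasWebflowConstants.STATE_ID_INIT_LOGIN_FORM, ActionState.class);
        createTransitionForState(initLoginForm, CasWebflowConstants.TRANSITION_ID_SUCCESS, EVALUATE_SPNEGO_CLIENT, true);

        // Change 2: a "no" from the client-selection strategy must go to the login
        // form view, not back to the flow start state. The start state leads into
        // initializeLoginForm, which now transitions here again; that cycle is the
        // loop that ended in the stack overflow.
        final ActionState evaluateClient = getState(flow, EVALUATE_SPNEGO_CLIENT, ActionState.class);
        createTransitionForState(evaluateClient, CasWebflowConstants.TRANSITION_ID_NO, CasWebflowConstants.STATE_ID_VIEW_LOGIN_FORM, true);
    }

    @Override
    public int getOrder() {
        // Assumption: a higher value runs later, so the SPNEGO states already exist.
        return Integer.MAX_VALUE;
    }
}
```

With hostNamePatternString and ipsToCheckPattern left at their defaults, a client that matches neither pattern reaches the login form directly, and the "no" path is where a reviewer would check that no caller can be bounced back into the evaluation state.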

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b50d8a89-217b-4555-b3b8-fcf1fc3a873e%40apereo.org.