Hi,
After spending several hours of trial and error, reading documentation and
googling around, my last resort is to ask for help on this mailing list.
I need to do proxy authentication, but as the CAS cannot directly access
the application(s), I wanted to include the proxy granting ticket in the
validation response as described here:
https://apereo.github.io/cas/5.2.x/installation/Configuring-Proxy-Authentication.html
The endpoint called is /p3/serviceValidate
The service config is:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://ckoewiki.dev.mydomain.com/bin/view",
  "name" : "CKOE wiki",
  "id" : 2,
  "description" : "Only ckoe wiki auth with proxy",
  "evaluationOrder" : 2,
  "proxyPolicy" : {
    "@class" : "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
    "pattern" : "^https?://.*"
  },
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "uid"
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "authorizedToReleaseProxyGrantingTicket" : true
  },
  "publicKey" : {
    "@class" : "org.apereo.cas.services.RegisteredServicePublicKeyImpl",
    "location" : "file:/etc/cas/ubxnet.key",
    "algorithm" : "RSA"
  }
}
The response to the call I get is:
  'cas:serviceResponse' => [
    {
      'cas:authenticationSuccess' => [
        {
          'cas:attributes' => [
            {
              'cas:successfulAuthenticationHandlers' => [
                'LdapAuthenticationHandler'
              ],
              'cas:authenticationMethod' => [
                'LdapAuthenticationHandler'
              ],
              'cas:authenticationDate' => [
                '2018-03-09T16:49:17.305Z[UTC]'
              ],
              'cas:isFromNewLogin' => [
                'true'
              ],
              'cas:longTermAuthenticationRequestTokenUsed' => [
                'false'
              ],
              'cas:credentialType' => [
                'RememberMeUsernamePasswordCredential'
              ]
            }
          ],
          'cas:user' => [
            'ckoe'
          ]
        }
      ]
    }
  ]
}
Debug output of the service validation call is:
2018-03-09 17:31:17,821 DEBUG
[org.apereo.cas.support.saml.authentication.principal.SamlServiceFactory] -
<Request does not specify a [TARGET] or request body is empty>
2018-03-09 17:31:17,821 DEBUG
[org.apereo.cas.web.support.DefaultArgumentExtractor] - <Created
[org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@76db9e65[id=https://ckoewiki.dev.mydomain.com/bin/view,originalUrl=https://ckoewiki.dev.mydomain.com/bin/view,artifactId=ST-3-RDJ-f7lR48DOdqQu3PtswaToJVgn4-yjlnB9rTXiEj2t1uJ1VbMsiwLu-u2-S3PV7K2pVkaJa5ZT3G7ZxBQ0H8TvN5Fqof9eNXLRPaUCpCOxJwLJiafTahsvvM1Ii7IZrVDfyK6M-dzoKqhRpKy1lIC2k6WFHPJK-d3b1dff9cf2f,principal=<null>,loggedOutAlready=false,format=XML]]
based on
[org.apereo.cas.authentication.principal.WebApplicationServiceFactory@d4ecdb0[]]>
2018-03-09 17:31:17,821 DEBUG
[org.apereo.cas.web.support.AbstractArgumentExtractor] - <Extractor
generated service type
[org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl]
for: [https://ckoewiki.dev.mydomain.com/bin/view]>
2018-03-09 17:31:17,821 DEBUG
[org.apereo.cas.authentication.PseudoPlatformTransactionManager] -
<Creating new transaction with name
[org.apereo.cas.DefaultCentralAuthenticationService.validateServiceTicket]:
PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
2018-03-09 17:31:17,822 DEBUG
[org.apereo.cas.authentication.PseudoPlatformTransactionManager] -
<Creating new transaction with name
[org.apereo.cas.DefaultCentralAuthenticationService.validateServiceTicket]:
PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
2018-03-09 17:31:17,822 DEBUG
[org.apereo.cas.AbstractCentralAuthenticationService] - <Attempting to
decode service ticket [ST-3-RDJ-XXX] to verify authenticity>
2018-03-09 17:31:17,822 DEBUG
[org.apereo.cas.ticket.support.RememberMeDelegatingExpirationPolicy] -
<Ticket is not associated with a remember-me authentication.>
2018-03-09 17:31:17,822 DEBUG
[org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Received
expiration policy name [DEFAULT] to activate>
2018-03-09 17:31:17,823 DEBUG
[org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Located
expiration policy
[org.apereo.cas.ticket.support.TimeoutExpirationPolicy@72f5] by name
[DEFAULT]>
2018-03-09 17:31:17,823 DEBUG
[org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] -
<Activating expiration policy
[org.apereo.cas.ticket.support.TimeoutExpirationPolicy@72f5] for ticket
[TGT-**T-3-sudJs8-KA1EN-ziRQDwl75zbzhqFSel1hXAwZVqsEP2uNwNxgDO1Gjd9gPH-X-SHlBU-d3b1dff9cf2f]>
2018-03-09 17:31:17,823 DEBUG
[org.apereo.cas.ticket.support.RememberMeDelegatingExpirationPolicy] -
<Ticket is not associated with a remember-me authentication.>
2018-03-09 17:31:17,823 DEBUG
[org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Received
expiration policy name [DEFAULT] to activate>
2018-03-09 17:31:17,824 DEBUG
[org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Located
expiration policy
[org.apereo.cas.ticket.support.TimeoutExpirationPolicy@72f5] by name
[DEFAULT]>
2018-03-09 17:31:17,824 DEBUG
[org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] -
<Activating expiration policy
[org.apereo.cas.ticket.support.TimeoutExpirationPolicy@72f5] for ticket
[TGT-**T-3-sudJs8-KA1EN-ziRQDwl75zbzhqFSel1hXAwZVqsEP2uNwNxgDO1Gjd9gPH-X-SHlBU-d3b1dff9cf2f]>
2018-03-09 17:31:17,824 DEBUG
[org.apereo.cas.ticket.support.RememberMeDelegatingExpirationPolicy] -
<Ticket is not associated with a remember-me authentication.>
2018-03-09 17:31:17,824 DEBUG
[org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Received
expiration policy name [DEFAULT] to activate>
2018-03-09 17:31:17,824 DEBUG
[org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] - <Located
expiration policy
[org.apereo.cas.ticket.support.TimeoutExpirationPolicy@72f5] by name
[DEFAULT]>
2018-03-09 17:31:17,824 DEBUG
[org.apereo.cas.ticket.support.BaseDelegatingExpirationPolicy] -
<Activating expiration policy
[org.apereo.cas.ticket.support.TimeoutExpirationPolicy@72f5] for ticket
[TGT-**T-3-sudJs8-KA1EN-ziRQDwl75zbzhqFSel1hXAwZVqsEP2uNwNxgDO1Gjd9gPH-X-SHlBU-d3b1dff9cf2f]>
2018-03-09 17:31:17,825 DEBUG
[org.apereo.cas.DefaultCentralAuthenticationService] - <Resolved service
[org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@339f135[id=https://ckoewiki.dev.mydomain.com/bin/view,originalUrl=https://ckoewiki.dev.mydomain.com/bin/view,artifactId=<null>,principal=christian.koehn,loggedOutAlready=false,format=XML]]
from the authentication request>
2018-03-09 17:31:17,825 DEBUG
[org.apereo.cas.DefaultCentralAuthenticationService] - <Located registered
service definition [id=2,name=CKOE wiki,description=Only ckoe wiki auth
with
proxy,serviceId=https://ckoewiki.dev.mydomain.com/bin/view,usernameAttributeProvider=usernameAttribute=uid,<null>,theme=<null>,evaluationOrder=2,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@7f1d52ab[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@69b4e5c5[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=true,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@28119a6c[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@2c557772[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=org.apereo.cas.services.RegisteredServicePublicKeyImpl@3948e059[location=file:/etc/cas/ubxnet.key,algorithm=RSA],proxyPolicy=org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy@771cb078[^https?://.*],logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@537a960d[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@549395f7[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>]
from
[org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@339f135[id=https://ckoewiki.dev.mydomain.com/bin/view,originalUrl=https://ckoewiki.dev.mydomain.com/bin/view,artifactId=<null>,principal=christian.koehn,loggedOutAlready=false,format=XML]]
to handle validation request>
2018-03-09 17:31:17,825 DEBUG
[org.apereo.cas.DefaultCentralAuthenticationService] - <Attribute policy
[org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@7f1d52ab[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@69b4e5c5[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=true,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@28119a6c[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]]]
is associated with service [id=2,name=CKOE wiki,description=Only ckoe wiki
auth with
proxy,serviceId=https://ckoewiki.dev.mydomain.com/bin/view,usernameAttributeProvider=usernameAttribute=uid,<null>,theme=<null>,evaluationOrder=2,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@7f1d52ab[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@69b4e5c5[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=true,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@28119a6c[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@2c557772[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=org.apereo.cas.services.RegisteredServicePublicKeyImpl@3948e059[location=file:/etc/cas/ubxnet.key,algorithm=RSA],proxyPolicy=org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy@771cb078[^https?://.*],logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@537a960d[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@549395f7[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>]>
2018-03-09 17:31:17,826 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Initiating attributes release phase for principal [christian.koehn]
accessing service [https://ckoewiki.dev.mydomain.com/bin/view] defined by
registered service [https://ckoewiki.dev.mydomain.com/bin/view]...>
2018-03-09 17:31:17,826 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Locating principal attributes for [christian.koehn]>
2018-03-09 17:31:17,826 DEBUG
[org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository]
- <[DefaultPrincipalAttributesRepository] will return the collection of
attributes directly associated with the principal object which are
[{cn=[Christian Koehn], displayName=[Christian Koehn], GidNumber=[500],
givenName=[Christian], l=[Thalwil], mail=[xxx], ou=[it-svc], sn=[Koehn],
ubxacronym=[ckoe], ubxtelext=[449], uid=[christian.koehn],
uidNumber=[10024]}]>
2018-03-09 17:31:17,826 DEBUG
[org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository]
- <Found [12] cached attributes for principal [christian.koehn] that are
[{cn=[Christian Koehn], displayName=[Christian Koehn], GidNumber=[500],
givenName=[Christian], l=[Thalwil], mail=[xxx], ou=[it-svc], sn=[Koehn],
ubxacronym=[ckoe], ubxtelext=[449], uid=[christian.koehn],
uidNumber=[10024]}]>
2018-03-09 17:31:17,826 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Found principal attributes [{cn=[Christian Koehn], displayName=[Christian
Koehn], GidNumber=[500], givenName=[Christian], l=[Thalwil], mail=[xxx],
ou=[it-svc], sn=[Koehn], ubxacronym=[ckoe], ubxtelext=[449],
uid=[christian.koehn], uidNumber=[10024]}] for [christian.koehn]>
2018-03-09 17:31:17,827 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Calling attribute policy [ReturnAllowedAttributeReleasePolicy] to process
attributes for [christian.koehn]>
2018-03-09 17:31:17,827 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Attribute policy [ReturnAllowedAttributeReleasePolicy] allows release of
[{}] for [christian.koehn]>
2018-03-09 17:31:17,827 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Attempting to merge policy attributes and default attributes>
2018-03-09 17:31:17,827 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Checking default attribute policy attributes>
2018-03-09 17:31:17,828 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Located application context. Retrieving default attributes for release, if
any>
2018-03-09 17:31:17,828 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Default attributes for release are: [[]]>
2018-03-09 17:31:17,828 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Default attributes found to be released are [{}]>
2018-03-09 17:31:17,828 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Adding default attributes first to the released set of attributes>
2018-03-09 17:31:17,828 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Adding policy attributes to the released set of attributes>
2018-03-09 17:31:17,829 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Finalizing attributes release phase for principal [christian.koehn]
accessing service [https://ckoewiki.dev.mydomain.com/bin/view] defined by
registered service [https://ckoewiki.dev.mydomain.com/bin/view]...>
2018-03-09 17:31:17,829 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Final collection of attributes allowed are: [{}]>
2018-03-09 17:31:17,829 DEBUG
[org.apereo.cas.DefaultCentralAuthenticationService] - <Calculated
attributes for release per the release policy are [[]]>
2018-03-09 17:31:17,829 DEBUG
[org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider]
- <Original principal attributes available for selection of username
attribute [uid] are [{cn=[Christian Koehn], displayName=[Christian Koehn],
GidNumber=[500], givenName=[Christian], l=[Thalwil], mail=[xxx],
ou=[it-svc], sn=[Koehn], ubxacronym=[ckoe], ubxtelext=[449],
uid=[christian.koehn], uidNumber=[10024]}].>
2018-03-09 17:31:17,829 DEBUG
[org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider]
- <Located service [id=2,name=CKOE wiki,description=Only ckoe wiki auth
with
proxy,serviceId=https://ckoewiki.dev.mydomain.com/bin/view,usernameAttributeProvider=usernameAttribute=uid,<null>,theme=<null>,evaluationOrder=2,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@7f1d52ab[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@69b4e5c5[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=true,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@28119a6c[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@2c557772[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=org.apereo.cas.services.RegisteredServicePublicKeyImpl@3948e059[location=file:/etc/cas/ubxnet.key,algorithm=RSA],proxyPolicy=org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy@771cb078[^https?://.*],logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@537a960d[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@549395f7[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>]
in the registry. Attempting to resolve attributes for [christian.koehn]>
2018-03-09 17:31:17,830 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Initiating attributes release phase for principal [christian.koehn]
accessing service [https://ckoewiki.dev.mydomain.com/bin/view] defined by
registered service [https://ckoewiki.dev.mydomain.com/bin/view]...>
2018-03-09 17:31:17,830 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Locating principal attributes for [christian.koehn]>
2018-03-09 17:31:17,830 DEBUG
[org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository]
- <[DefaultPrincipalAttributesRepository] will return the collection of
attributes directly associated with the principal object which are
[{cn=[Christian Koehn], displayName=[Christian Koehn], GidNumber=[500],
givenName=[Christian], l=[Thalwil], mail=[xxx], ou=[it-svc], sn=[Koehn],
ubxacronym=[ckoe], ubxtelext=[449], uid=[christian.koehn],
uidNumber=[10024]}]>
2018-03-09 17:31:17,830 DEBUG
[org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository]
- <Found [12] cached attributes for principal [christian.koehn] that are
[{cn=[Christian Koehn], displayName=[Christian Koehn], GidNumber=[500],
givenName=[Christian], l=[Thalwil], mail=[xxx], ou=[it-svc], sn=[Koehn],
ubxacronym=[ckoe], ubxtelext=[449], uid=[christian.koehn],
uidNumber=[10024]}]>
2018-03-09 17:31:17,831 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Found principal attributes [{cn=[Christian Koehn], displayName=[Christian
Koehn], GidNumber=[500], givenName=[Christian], l=[Thalwil], mail=[xxx],
ou=[it-svc], sn=[Koehn], ubxacronym=[ckoe], ubxtelext=[449],
uid=[christian.koehn], uidNumber=[10024]}] for [christian.koehn]>
2018-03-09 17:31:17,831 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Calling attribute policy [ReturnAllowedAttributeReleasePolicy] to process
attributes for [christian.koehn]>
2018-03-09 17:31:17,831 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Attribute policy [ReturnAllowedAttributeReleasePolicy] allows release of
[{}] for [christian.koehn]>
2018-03-09 17:31:17,831 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Attempting to merge policy attributes and default attributes>
2018-03-09 17:31:17,832 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Checking default attribute policy attributes>
2018-03-09 17:31:17,832 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Located application context. Retrieving default attributes for release, if
any>
2018-03-09 17:31:17,832 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Default attributes for release are: [[]]>
2018-03-09 17:31:17,833 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Default attributes found to be released are [{}]>
2018-03-09 17:31:17,833 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Adding default attributes first to the released set of attributes>
2018-03-09 17:31:17,833 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Adding policy attributes to the released set of attributes>
2018-03-09 17:31:17,833 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Finalizing attributes release phase for principal [christian.koehn]
accessing service [https://ckoewiki.dev.mydomain.com/bin/view] defined by
registered service [https://ckoewiki.dev.mydomain.com/bin/view]...>
2018-03-09 17:31:17,833 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Final collection of attributes allowed are: [{}]>
2018-03-09 17:31:17,833 DEBUG
[org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider]
- <Attributes resolved by the release policy available for selection of
username attribute [uid] are [{}].>
2018-03-09 17:31:17,834 DEBUG
[org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider]
- <The selected username attribute [uid] was retrieved as a direct
principal attribute and not through the attribute release policy for
service
[org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@339f135[id=https://ckoewiki.dev.mydomain.com/bin/view,originalUrl=https://ckoewiki.dev.mydomain.com/bin/view,artifactId=<null>,principal=christian.koehn,loggedOutAlready=false,format=XML]].
CAS is unable to detect new attribute values for [uid] after authentication
unless the attribute is explicitly authorized for release via the service
attribute release policy.>
2018-03-09 17:31:17,834 DEBUG
[org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider]
- <Principal id to return for [https://ckoewiki.dev.mydomain.com/bin/view]
is [christian.koehn]. The default principal id is [christian.koehn].>
2018-03-09 17:31:17,834 DEBUG
[org.apereo.cas.services.BaseRegisteredServiceUsernameAttributeProvider] -
<Resolved username for [https://ckoewiki.dev.mydomain.com/bin/view] is
[christian.koehn]>
2018-03-09 17:31:17,834 DEBUG
[org.apereo.cas.DefaultCentralAuthenticationService] - <Principal
determined for release to [https://ckoewiki.dev.mydomain.com/bin/view] is
[christian.koehn]>
2018-03-09 17:31:17,835 DEBUG
[org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy] -
<Skipping access strategy policy, since no attributes rules are defined>
2018-03-09 17:31:17,835 DEBUG
[org.apereo.cas.AbstractCentralAuthenticationService] - <Publishing
[org.apereo.cas.support.events.ticket.CasServiceTicketValidatedEvent@172ccf1b[assertion=org.apereo.cas.authentication.DefaultAuthentication@b6dfcda9:org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@339f135[id=https://ckoewiki.dev.mydomain.com/bin/view,originalUrl=https://ckoewiki.dev.mydomain.com/bin/view,artifactId=<null>,principal=christian.koehn,loggedOutAlready=false,format=XML],serviceTicket=ST-3-RDJ-f7lR48DOdqQu3PtswaToJVgn4-yjlnB9rTXiEj2t1uJ1VbMsiwLu-u2-S3PV7K2pVkaJa5ZT3G7ZxBQ0H8TvN5Fqof9eNXLRPaUCpCOxJwLJiafTahsvvM1Ii7IZrVDfyK6M-dzoKqhRpKy1lIC2k6WFHPJK-d3b1dff9cf2f]]>
2018-03-09 17:31:17,835 DEBUG
[org.apereo.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy] -
<Ticket usage count [1] is greater than or equal to [1]. Ticket has expired>
2018-03-09 17:31:17,835 DEBUG
[org.apereo.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy] -
<Ticket usage count [1] is greater than or equal to [1]. Ticket has expired>
2018-03-09 17:31:17,835 DEBUG
[org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Ticket
[ST-3-RDJ-f7lR48DOdqQu3PtswaToJVgn4-yjlnB9rTXiEj2t1uJ1VbMsiwLu-u2-S3PV7K2pVkaJa5ZT3G7ZxBQ0H8TvN5Fqof9eNXLRPaUCpCOxJwLJiafTahsvvM1Ii7IZrVDfyK6M-dzoKqhRpKy1lIC2k6WFHPJK-d3b1dff9cf2f]
has expired and is now removed from the cache>
2018-03-09 17:31:17,836 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
trail record BEGIN
=============================================================
WHO: christian.koehn
WHAT:
ST-3-RDJ-f7lR48DOdqQu3PtswaToJVgn4-yjlnB9rTXiEj2t1uJ1VbMsiwLu-u2-S3PV7K2pVkaJa5ZT3G7ZxBQ0H8TvN5Fqof9eNXLRPaUCpCOxJwLJiafTahsvvM1Ii7IZrVDfyK6M-dzoKqhRpKy1lIC2k6WFHPJK-d3b1dff9cf2f
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Fri Mar 09 17:31:17 UTC 2018
CLIENT IP ADDRESS: 195.34.89.139
SERVER IP ADDRESS: 172.17.0.7
=============================================================
>
2018-03-09 17:31:17,836 DEBUG
[org.apereo.cas.authentication.PseudoPlatformTransactionManager] -
<Initiating transaction commit>
2018-03-09 17:31:17,836 DEBUG
[org.apereo.cas.authentication.PseudoPlatformTransactionManager] -
<Resuming suspended transaction after completion of inner transaction>
2018-03-09 17:31:17,837 DEBUG
[org.apereo.cas.authentication.PseudoPlatformTransactionManager] -
<Initiating transaction commit>
2018-03-09 17:31:17,837 DEBUG
[org.apereo.cas.validation.AbstractCasProtocolValidationSpecification] -
<Is validation specification set to enforce [renew] protocol behavior?
[no]. Is assertion issued from a new login? [yes]>
2018-03-09 17:31:17,837 DEBUG
[org.apereo.cas.validation.Cas20ProtocolValidationSpecification] -
<Assertion is always satisfied>
2018-03-09 17:31:17,837 DEBUG
[org.apereo.cas.validation.AbstractCasProtocolValidationSpecification] -
<Validation specification is satisfied by the produced assertion>
2018-03-09 17:31:17,837 DEBUG
[org.apereo.cas.web.AbstractServiceValidateController] - <Locating the
primary authentication associated with this service request
[org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@339f135[id=https://ckoewiki.dev.mydomain.com/bin/view,originalUrl=https://ckoewiki.dev.mydomain.com/bin/view,artifactId=<null>,principal=christian.koehn,loggedOutAlready=false,format=XML]]>
2018-03-09 17:31:17,838 DEBUG
[org.apereo.cas.web.AbstractServiceValidateController] - <No particular
authentication context is required for this request>
2018-03-09 17:31:17,838 DEBUG
[org.apereo.cas.web.AbstractServiceValidateController] - <No service
credentials specified, and/or the proxy handler [Cas20ProxyHandler] cannot
handle credentials>
2018-03-09 17:31:17,838 DEBUG
[org.apereo.cas.web.AbstractServiceValidateController] - <Successfully
validated service ticket
[ST-3-RDJ-f7lR48DOdqQu3PtswaToJVgn4-yjlnB9rTXiEj2t1uJ1VbMsiwLu-u2-S3PV7K2pVkaJa5ZT3G7ZxBQ0H8TvN5Fqof9eNXLRPaUCpCOxJwLJiafTahsvvM1Ii7IZrVDfyK6M-dzoKqhRpKy1lIC2k6WFHPJK-d3b1dff9cf2f]
for service [https://ckoewiki.dev.mydomain.com/bin/view]>
2018-03-09 17:31:17,838 DEBUG
[org.apereo.cas.services.web.view.AbstractDelegatingCasView] - <Preparing
the output model [[assertion, service,
org.springframework.validation.BindingResult.assertion,
org.springframework.validation.BindingResult.service]] to render view
[Cas30ResponseView]>
2018-03-09 17:31:17,838 DEBUG [org.apereo.cas.web.view.Cas20ResponseView] -
<Prepared CAS response output model with attribute names [[assertion,
service, org.springframework.validation.BindingResult.assertion,
org.springframework.validation.BindingResult.service, principal,
chainedAuthentications, primaryAuthentication]]>
2018-03-09 17:31:17,839 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] -
<Processed response principal attributes from the output model to be [[]]>
2018-03-09 17:31:17,839 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] -
<CAS is configured to release protocol-level attributes. Processing...>
2018-03-09 17:31:17,839 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] -
<Processed response protocol/authentication attributes from the output
model to be [[credentialType, longTermAuthenticationRequestTokenUsed,
isFromNewLogin, authenticationDate, authenticationMethod,
successfulAuthenticationHandlers]]>
2018-03-09 17:31:17,839 DEBUG
[org.apereo.cas.services.web.view.AbstractCasView] - <Obtained [credential]
as an authentication attribute>
2018-03-09 17:31:17,839 DEBUG
[org.apereo.cas.services.web.view.AbstractCasView] - <Attribute release
policy for [https://ckoewiki.dev.mydomain.com/bin/view] does not authorize
the release of [credential]>
2018-03-09 17:31:17,839 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] -
<Final collection of attributes for the response are [[credentialType,
isFromNewLogin, authenticationDate, authenticationMethod,
successfulAuthenticationHandlers, longTermAuthenticationRequestTokenUsed]].>
2018-03-09 17:31:17,840 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] -
<Beginning to encode attributes for the response>
2018-03-09 17:31:17,840 DEBUG
[org.apereo.cas.authentication.support.AbstractProtocolAttributeEncoder] -
<Starting to encode attributes for release to service [id=2,name=CKOE
wiki,description=Only ckoe wiki auth with
proxy,serviceId=https://ckoewiki.dev.mydomain.com/bin/view,usernameAttributeProvider=usernameAttribute=uid,<null>,theme=<null>,evaluationOrder=2,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@7f1d52ab[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@69b4e5c5[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=true,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@28119a6c[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@2c557772[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=org.apereo.cas.services.RegisteredServicePublicKeyImpl@3948e059[location=file:/etc/cas/ubxnet.key,algorithm=RSA],proxyPolicy=org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy@771cb078[^https?://.*],logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@537a960d[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@549395f7[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>]>
2018-03-09 17:31:17,840 DEBUG
[org.apereo.cas.authentication.support.DefaultCasProtocolAttributeEncoder]
- <[credential] is not available as a cached model attribute to encrypt...>
2018-03-09 17:31:17,840 DEBUG
[org.apereo.cas.authentication.support.DefaultCasProtocolAttributeEncoder]
- <[proxyGrantingTicket] is not available as a cached model attribute to
encrypt...>
2018-03-09 17:31:17,840 DEBUG
[org.apereo.cas.authentication.support.DefaultCasProtocolAttributeEncoder]
- <Sanitizing attribute names in preparation of the final validation
response>
2018-03-09 17:31:17,841 DEBUG
[org.apereo.cas.authentication.support.AbstractProtocolAttributeEncoder] -
<[6] encoded attributes are available for release to [id=2,name=CKOE
wiki,description=Only ckoe wiki auth with
proxy,serviceId=https://ckoewiki.dev.mydomain.com/bin/view,usernameAttributeProvider=usernameAttribute=uid,<null>,theme=<null>,evaluationOrder=2,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@7f1d52ab[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@69b4e5c5[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=true,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@28119a6c[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@2c557772[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=org.apereo.cas.services.RegisteredServicePublicKeyImpl@3948e059[location=file:/etc/cas/ubxnet.key,algorithm=RSA],proxyPolicy=org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy@771cb078[^https?://.*],logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@537a960d[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@549395f7[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>]:
[[credentialType, isFromNewLogin, authenticationDate, authenticationMethod,
successfulAuthenticationHandlers, longTermAuthenticationRequestTokenUsed]]>
2018-03-09 17:31:17,841 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] -
<Encoded attributes for the response are
[{credentialType=RememberMeUsernamePasswordCredential,
isFromNewLogin=[true], authenticationDate=[2018-03-09T17:31:17.498Z[UTC]],
authenticationMethod=LdapAuthenticationHandler,
successfulAuthenticationHandlers=[LdapAuthenticationHandler],
longTermAuthenticationRequestTokenUsed=[false]}]>
2018-03-09 17:31:17,841 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] -
<Beginning to format/render attributes for the response>
2018-03-09 17:31:17,841 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] -
<Formatted attribute for the response:
[<cas:credentialType>RememberMeUsernamePasswordCredential</cas:credentialType>]>
2018-03-09 17:31:17,841 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] -
<Formatted attribute for the response:
[<cas:isFromNewLogin>true</cas:isFromNewLogin>]>
2018-03-09 17:31:17,842 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] -
<Formatted attribute for the response:
[<cas:authenticationDate>2018-03-09T17:31:17.498Z[UTC]</cas:authenticationDate>]>
2018-03-09 17:31:17,842 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] -
<Formatted attribute for the response:
[<cas:authenticationMethod>LdapAuthenticationHandler</cas:authenticationMethod>]>
2018-03-09 17:31:17,842 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] -
<Formatted attribute for the response:
[<cas:successfulAuthenticationHandlers>LdapAuthenticationHandler</cas:successfulAuthenticationHandlers>]>
2018-03-09 17:31:17,842 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] -
<Formatted attribute for the response:
[<cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>]>
2018-03-09 17:31:17,842 DEBUG
[org.apereo.cas.services.web.view.AbstractDelegatingCasView] - <Prepared
output model with objects [assertion]. Now rendering view...>
I had the assumption that maybe something with my encryption key is wrong
(or what I put in the "location" parameter in the service config), but
after investigation of the line
2018-03-09 17:31:17,840 DEBUG
[org.apereo.cas.authentication.support.DefaultCasProtocolAttributeEncoder]
- <[proxyGrantingTicket] is not available as a cached model attribute to
encrypt...>
I read
https://github.com/apereo/cas/blob/master/core/cas-server-core-services-authentication/src/main/java/org/apereo/cas/authentication/support/DefaultCasProtocolAttributeEncoder.java
So I guess I am missing an essential thing here. How can I get the PGT into the
attribute cache?
This:
https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#clearpass
seems only to be necessary for the credentials... or am I wrong?
Any help is highly appreciated.
Thanks and regards,
Christian
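
The log triage done by hand in the message above can be scripted. This is an added example, not part of the original message and not CAS code: it rejoins the mail-wrapped debug records and lists which attributes the encoder reported as not cached and which were rendered. The function names and the shortened sample are assumptions made for illustration.

```python
import re

# Sample records copied from the debug output in the post (mail-wrapped, shortened).
SAMPLE_LOG = """\
2018-03-09 17:31:17,840 DEBUG
[org.apereo.cas.authentication.support.DefaultCasProtocolAttributeEncoder]
- <[credential] is not available as a cached model attribute to encrypt...>
2018-03-09 17:31:17,840 DEBUG
[org.apereo.cas.authentication.support.DefaultCasProtocolAttributeEncoder]
- <[proxyGrantingTicket] is not available as a cached model attribute to
encrypt...>
2018-03-09 17:31:17,841 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] -
<Formatted attribute for the response:
[<cas:isFromNewLogin>true</cas:isFromNewLogin>]>
2018-03-09 17:31:17,842 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] -
<Formatted attribute for the response:
[<cas:authenticationMethod>LdapAuthenticationHandler</cas:authenticationMethod>]>
"""

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
NOT_CACHED = re.compile(r"<\[(\w+)\] is not available as a cached model attribute")
RELEASED = re.compile(r"Formatted attribute for the response: \[<cas:(\w+)>")

def unwrap(text):
    """Rejoin mail-wrapped log lines: a new record starts at each timestamp."""
    records = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Return (attributes the encoder could not find, attributes rendered)."""
    missing, released = [], []
    for record in unwrap(text):
        m = NOT_CACHED.search(record)
        if m:
            missing.append(m.group(1))
        m = RELEASED.search(record)
        if m:
            released.append(m.group(1))
    return missing, released

if __name__ == "__main__":
    missing, released = triage(SAMPLE_LOG)
    print("not cached for encryption:", missing)
    print("rendered in response:", released)
```
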