Well, I stumbled across a few config properties I decided to try (desperate people do desperate things...)
cas.http-web-request.cors.allow-credentials=true
# ? where are login requests coming from? Our webapp server name(s)
# is this needed to get the final redirect back to our app ??
cas.http-web-request.cors.allow-origins=localhost
# ??
cas.webflow.redirect-same-state=true

Restarted CAS, same test case. Now I see this warning log:

2018-04-19 15:47:48,430 WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck] - <Service Management: missing service. Service [https://localhost:8449/callback?client_name=CasClient] is not found in service registry.>
^^^^ I have to have a Service defined for the call back to the initial app ???
2018-04-19 15:47:48,432 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Attempting to handle [org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.ServiceAuthorizationCheck@5fad865 in state 'serviceAuthorizationCheck' of flow 'login' -- action execution attributes were 'map[[empty]]'] with root cause [org.apereo.cas.services.UnauthorizedServiceException: Service Management: missing service. Service [https://localhost:8449/callback?client_name=CasClient] is not found in service registry.]>

Has anyone actually gotten delegated authentication to flow from CAS back to an app that used the CAS protocol to request authentication to work? using CAS 5.2.x ?
Reading tons of CAS docs has provided no magic beans, nor did any page mention having to have a call back service defined...

Am I frustrated? You bet.

Is it correct for me to assume that this use case is 'typical' and that being typical, the default webflow definitions in CAS 5.2.2 ought to provide for it working? The docs at https://apereo.github.io/cas/5.2.x/installation/Webflow-Customization.html certainly suggest to me that's the case.

Sure would like to make use of many of the positive features described in CAS 5.2.x.
But I have to wonder if I'm missing many of the necessary details. I would like to avoid implementing all the features myself. Never been a big fan of the "let's reinvent the wheel" school of development. But...

Any insights, magic beans greatly appreciated.

-steve

On Thursday, April 19, 2018 at 1:46:35 PM UTC-4, Steve Hespelt wrote:
>
> Hi Jérôme,
> I found an earlier posting <https://groups.google.com/a/apereo.org/d/msg/cas-user/bGZam9qkP3E/IKPTYzp7AQAJ> from 12/21/17 regarding the NPEs, so as suggested by that posting, I restarted CAS & then cleared all related cookies from the browser. Once I restarted CAS & re-initiated the same flow, no more NPE as shown in my log.
> But I still have the problem with the webflow not finishing as I expect.
> I increased the log level to trace on a few packages:
> org.apereo.cas.web.flow
> org.springframework.webflow
> org.springframework.session
> org.springframework.web
> org.springframework.web.socket
> Some log entries of interest (to me): (and I'm currently guessing the issue may be related to a SSO log msg at 2018-04-19 11:53:23,186 below.
> Why would a service not be allowed to use SSO ?
> -steve
>
> 2018-04-19 11:53:01,183 TRACE [org.springframework.web.servlet.DispatcherServlet] - <Bound request context to thread: org.apache.catalina.connector.RequestFacade@33327a12> <- this object ref# shows up later, at the bottom so I'm correlating this initial log with the later ('completion' ) log msg below with the same object ref#...
> 2018-04-19 11:53:01,183 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <DispatcherServlet with name 'dispatcherServlet' processing GET request for [/cas/login]>
>
> 2018-04-19 11:53:01,209 TRACE [org.apereo.cas.web.CasWebApplicationContext] - <Publishing event in org.apereo.cas.web.CasWebApplicationContext@222545dc: ServletRequestHandledEvent: url=[/cas/login]; client=[0:0:0:0:0:0:0:1]; method=[GET]; servlet=[dispatcherServlet]; session=[2C34A85ABE5CF428636B86D697AA5B56]; user=[null]; time=[26ms]; status=[OK]> <- From the pac4j demo's SecurityFilter redirect to initial request on /cas/index.jsp
>
> 2018-04-19 11:53:22,914 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <DispatcherServlet with name 'dispatcherServlet' processing GET request for [/cas/login]>
>
> 2018-04-19 11:53:22,921 TRACE [org.springframework.web.servlet.DispatcherServlet] - <Testing handler map [org.springframework.webflow.mvc.servlet.FlowHandlerMapping@2ee91bdf] in DispatcherServlet with name 'dispatcherServlet'>
> 2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.mvc.servlet.FlowHandlerMapping] - <Mapping request with URI '/cas/login' to flow with id 'login'>
>
> 2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.executor.FlowExecutorImpl] - <Launching new execution of flow 'login' with input map['state' -> 'ldCrbo4sRBQJJ6MWsbMyEwW9aEbB2SXH4-qaq69Zz6s', 'code' -> '4/AAAp_BeFI-e0zZCTS9wDDdIcKYhrXd2QDMej_cpXiigGC_jCEZ43E_FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME', 'session_state' -> '6cd666a9989ac714aac38521f950f380ba3fcfc0..b199', 'client_name' -> 'GoogleOIDC', 'prompt' -> 'none', 'authuser' -> '0']>
> 2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] - <Getting FlowDefinition with id 'login'>
> 2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImplFactory] - <Creating new execution of 'login'>
> 2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Starting in org.springframework.webflow.mvc.servlet.MvcExternalContext@408aeb6f with input map['state' -> 'ldCrbo4sRBQJJ6MWsbMyEwW9aEbB2SXH4-qaq69Zz6s', 'code' -> '4/AAAp_BeFI-e0zZCTS9wDDdIcKYhrXd2QDMej_cpXiigGC_jCEZ43E_FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME', 'session_state' -> '6cd666a9989ac714aac38521f950f380ba3fcfc0..b199', 'client_name' -> 'GoogleOIDC', 'prompt' -> 'none', 'authuser' -> '0']>
> 2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.engine.Flow] - <Creating [FlowVariable@c58f8bd name = 'credential', valueFactory = [BeanFactoryVariableValueFactory@5cab14e3 type = UsernamePasswordCredential]]>
> 2018-04-19 11:53:22,922 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@29e2f697 expression = initialFlowSetupAction, resultExpression = [null]]>
> 2018-04-19 11:53:22,922 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.apereo.cas.web.flow.InitialFlowSetupAction@1c5e2d2f>
> 2018-04-19 11:53:22,922 DEBUG [org.apereo.cas.web.flow.InitialFlowSetupAction] - <Warning cookie path is set to [null] and path [/cas/]>
> 2018-04-19 11:53:22,922 DEBUG [org.apereo.cas.web.flow.InitialFlowSetupAction] - <TGC cookie path is set to [null] and path [/cas/]>
> 2018-04-19 11:53:22,923 DEBUG [org.apereo.cas.authentication.principal.WebApplicationServiceFactory] - <No service is specified in the request. Skipping service creation>
> 2018-04-19 11:53:22,923 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <No service could be extracted based on the given request>
> 2018-04-19 11:53:22,923 DEBUG [org.apereo.cas.web.support.AbstractArgumentExtractor] - <Extractor did not generate service.>
> 2018-04-19 11:53:22,924 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.web.flow.InitialFlowSetupAction@1c5e2d2f; result = success>
> [...]
> 2018-04-19 11:53:22,924 DEBUG [org.pac4j.oidc.credentials.extractor.OidcExtractor] - <Authentication response successful>
> 2018-04-19 11:53:23,183 DEBUG [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator] - <Token response: status=200, content={
> "access_token": "ya29.GlyiBcpAH4iGUOnL7YWwmsCjl_Mbap24wouWyPh4CzDAHXJgozy5a6GZWfl6c8VEeQcgBSU6p2eWtWnhvXK1tZh8LsAmro4-24d4906l4m-XoWzvESO-Cac1SS8osA",
> "token_type": "Bearer",
> "expires_in": 3599,
> "id_token": "eyJhbGc [...]DQ"
> }
>
> 2018-04-19 11:53:23,184 DEBUG [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator] - <Token response successful>
> 2018-04-19 11:53:23,184 DEBUG [org.pac4j.oidc.client.GoogleOidcClient] - <Credentials validation took: 260 ms>
> 2018-04-19 11:53:23,184 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <Retrieved credentials: [#OidcCredentials# | code: 4/AAAp_BeFI-e0zZCTS9wDDdIcKYhrXd2QDMej_cpXiigGC_jCEZ43E_FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME | clientName: GoogleOIDC | accessToken: ya29.GlyiBcpAH4iGUOnL7YWwmsCjl_Mbap24wouWyPh4CzDAHXJgozy5a6GZWfl6c8VEeQcgBSU6p2eWtWnhvXK1tZh8LsAmro4-24d4906l4m-XoWzvESO-Cac1SS8osA | refreshToken: null | idToken: com.nimbusds.jwt.SignedJWT@65ff182d |]>
> 2018-04-19 11:53:23,184 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <Retrieve service: [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@62347e06[id=https://localhost:8449/callback?client_name=CasClient,originalUrl=https://localhost:8449/callback?client_name=CasClient,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML]]>
> ^^^^ so CAS has the callback to provide the pac4j demo the credentials
>
> 2018-04-19 11:53:23,186 TRACE [org.apereo.cas.util.CollectionUtils] - <Converting attribute [org.apereo.cas.support.pac4j.authentication.handler.support.ClientAuthenticationHandler@462b239f]>
> 2018-04-19 11:53:23,186 WARN [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Service [null] is not allowed to use SSO.>
> 2018-04-19 11:53:23,187 TRACE [org.apereo.cas.audit.spi.ThreadLocalPrincipalResolver] - <Resolving principal at audit point [execution(Authentication org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(AuthenticationTransaction))]>
> 2018-04-19 11:53:23,187 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> [...]
> 2018-04-19 11:53:23,190 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Attempting to handle [org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction@7ce721a9 in state 'clientAction' of flow 'login' -- action execution attributes were 'map[[empty]]']
> org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction@7ce721a9 in state 'clientAction' of flow 'login' -- action execution attributes were 'map[[empty]]'
> at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
> at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
> at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
> at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
> at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
> at org.springframework.webflow.engine.State.enter(State.java:194) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
> at org.springframework.webflow.engine.Flow.start(Flow.java:527) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
> at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
> at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223) ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
> at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140) ~[spring-webflow-2.4.6.RELEASE.j
>
> 2018-04-19 11:53:23,211 DEBUG [org.springframework.webflow.mvc.view.AbstractMvcView] - <Rendering MVC [org.thymeleaf.spring4.view.ThymeleafView@5a9194a2] with model map [{passwordManagementEnabled=false, recaptchaSiteKey=null, viewScope=map[[empty]], warnCookieValue=false, org.springframework.validation.BindingResult.credential=org.springframework.webflow.mvc.view.BindingModel: 0 errors, staticAuthentication=true, flowExecutionUrl=/cas/login?client_name=GoogleOIDC&state=ldCrbo4sRBQJJ6MWsbMyEwW9aEbB2SXH4-qaq69Zz6s&code=4%2FAAAp_BeFI-e0zZCTS9wDDdIcKYhrXd2QDMej_cpXiigGC_jCEZ43E_FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME&authuser=0&session_state=6cd666a9989ac714aac38521f950f380ba3fcfc0..b199&prompt=none&execution=35aa2986-8f39-4b7f-8a78-4a69bb475c54_H4sIAAAAAA [...] AAA%3D, rootCauseException=org.apereo.cas.services.UnauthorizedSsoServiceException: service.not.authorized.sso, flowRequestContext=[RequestControlContextImpl@2b4c688c externalContext = org.springframework.webflow.mvc.servlet.MvcExternalContext@408aeb6f, currentEvent = [null], requestScope = map['ticketGrantingTicketId' -> [null]], attributes = map[[empty]], messageContext = [DefaultMessageContext@46184e22 sourceMessages = map[[null] -> list[[empty]]]], flowExecution = [FlowExecutionImpl@7e5c67f1 flow = 'login', flowSessions = list[[FlowSessionImpl@4157062f flow = 'login', state = 'viewLoginForm', scope = map['passwordManagementEnabled' -> false, 'rememberMeAuthenticationEnabled' -> false, 'recaptchaSiteKey' -> [null], 'viewScope' -> map[[empty]], 'credential' -> null, 'warnCookieValue' -> false, 'staticAuthentication' -> true, 'service' -> org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@62347e06[id=https://localhost:8449/callback?client_name=CasClient,originalUrl=https://localhost:8449/callback?client_name=CasClient,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML], 'ticketGrantingTicketId' -> [null], 'googleAnalyticsTrackingId' -> [null], 'trackGeoLocation' -> false]]]]], rememberMeAuthenticationEnabled=false, currentUser=null, credential=null, flowExecutionKey=35aa2986-8f39-4b7f-8a78-4a69bb475c54_H4sIAAAAA [...] AA%3D, rootCauseException=org.apereo.cas.services.UnauthorizedSsoServiceException: service.not.authorized.sso, flowRequestContext=[RequestControlContextImpl@2b4c688c externalContext = org.springframework.webflow.mvc.servlet.MvcExternalContext@408aeb6f, currentEvent = [null], requestScope = map['ticketGrantingTicketId' -> [null]], attributes = map[[empty]], messageContext = [DefaultMessageContext@46184e22 sourceMessages = map[[null] -> list[[empty]]]], flowExecution = [FlowExecutionImpl@7e5c67f1 flow = 'login', flowSessions = list[[FlowSessionImpl@4157062f flow = 'login', state = 'viewLoginForm', scope = map['passwordManagementEnabled' -> false, 'rememberMeAuthenticationEnabled' -> false, 'recaptchaSiteKey' -> [null], 'viewScope' -> map[[empty]], 'credential' -> null, 'warnCookieValue' -> false, 'staticAuthentication' -> true, 'service' -> org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@62347e06[id=https://localhost:8449/callback?client_name=CasClient,originalUrl=https://localhost:8449/callback?client_name=CasClient,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML], 'ticketGrantingTicketId' -> [null], 'googleAnalyticsTrackingId' -> [null], 'trackGeoLocation' -> false]]]]], rememberMeAuthenticationEnabled=false, currentUser=null, credential=null, flowExecutionKey=35aa2986
>
> [...]
> 2018-04-19 11:53:23,237 DEBUG [org.apereo.cas.services.web.ChainingThemeResolver] - <No specific theme could be found. Using default theme [cas-theme-default}>
> 2018-04-19 11:53:23,266 DEBUG [org.springframework.webflow.engine.Transition] - <Completed transition execution. As a result, the new state is 'viewLoginForm' in flow 'login'>
> 2018-04-19 11:53:23,267 TRACE [org.springframework.web.servlet.DispatcherServlet] - <Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade@33327a12> <- same object ref# as in the initial above log msg.
> 2018-04-19 11:53:23,267 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <Successfully completed request>
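
The "missing service" warning in the message above is the result of CAS looking the callback URL up in its service registry. The following is an added example, not part of the original post and not CAS code: a simplified Python model of that lookup, using constructed service definitions, that shows why the `?` in the callback URL has to be escaped in `serviceId` and how to spot a catch-all pattern. It assumes a whole-URL, case-insensitive regex match evaluated in `evaluationOrder`; the service names and ids are illustrative.

```python
import json
import re

# Constructed definitions in the style of CAS JSON service files.
# Names, ids and patterns are illustrative, not taken from the post.
SERVICES = json.loads(r'''
[
  {"@class": "org.apereo.cas.services.RegexRegisteredService",
   "serviceId": "^https://localhost:8449/callback\\?client_name=CasClient$",
   "name": "pac4jDemoCallback", "id": 1001, "evaluationOrder": 10},
  {"@class": "org.apereo.cas.services.RegexRegisteredService",
   "serviceId": "^https://localhost:8449/callback?client_name=CasClient$",
   "name": "unescapedQuestionMark", "id": 1002, "evaluationOrder": 20},
  {"@class": "org.apereo.cas.services.RegexRegisteredService",
   "serviceId": "^https?://.*",
   "name": "catchAll", "id": 1003, "evaluationOrder": 30}
]
''')

# The service URL reported in the warning log.
CALLBACK = "https://localhost:8449/callback?client_name=CasClient"


def matches(service, url):
    # Assumption: the whole URL must match the serviceId regex, ignoring case.
    return re.fullmatch(service["serviceId"], url, re.IGNORECASE) is not None


def find_service(url, services):
    """First matching definition by evaluationOrder, or None ('missing service')."""
    for service in sorted(services, key=lambda s: s["evaluationOrder"]):
        if matches(service, url):
            return service
    return None


def overly_broad(services, probe="https://unrelated.invalid/x"):
    """Names of definitions whose pattern also matches an unrelated URL."""
    return [s["name"] for s in services if matches(s, probe)]


if __name__ == "__main__":
    print("empty registry:", find_service(CALLBACK, []))
    print("unescaped '?':", find_service(CALLBACK, [SERVICES[1]]))
    print("escaped '?':", find_service(CALLBACK, SERVICES)["name"])
    print("too broad:", overly_broad(SERVICES))
```

An unescaped `?` makes the preceding `k` optional instead of matching the literal query separator, so that definition never matches the real callback URL; a catch-all pattern does match it, and every other URL as well.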
