Well, I stumbled across a few config properties I decided to try (desperate 
people do desperate things...)

cas.http-web-request.cors.allow-credentials=true
# ? where are login requests coming from? Our webapp server name(s)
# is this needed to get the final redirect back to our app ??
cas.http-web-request.cors.allow-origins=localhost
# ?? 
cas.webflow.redirect-same-state=true

Restarted CAS, same test case.
Now I see this warning log:
2018-04-19 15:47:48,430 WARN 
[org.apereo.cas.web.flow.ServiceAuthorizationCheck] - <Service Management: 
missing service. Service [
https://localhost:8449/callback?client_name=CasClient] is not found in 
service registry.>
^^^^ I have to have a Service defined for the call back to the initial app 
???


2018-04-19 15:47:48,432 DEBUG 
[org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Attempting 
to handle [org.springframework.webflow.execution.ActionExecutionException: 
Exception thrown executing 
org.apereo.cas.web.flow.ServiceAuthorizationCheck@5fad865 in state 
'serviceAuthorizationCheck' of flow 'login' -- action execution attributes 
were 'map[[empty]]'] with root cause 
[org.apereo.cas.services.UnauthorizedServiceException: Service Management: 
missing service. Service 
[https://localhost:8449/callback?client_name=CasClient] 
is not found in service registry.]>

Has anyone actually gotten delegated authentication to flow from CAS back 
to an app that used the CAS protocol to request authentication to work, 
using CAS 5.2.x? Reading tons of CAS docs has provided no magic beans, 
nor did any page mention having to have a call back service defined...
Am I frustrated? You bet.
Is it correct for me to assume that this use case is 'typical' and that, 
being typical, the default webflow definitions in CAS 5.2.2 ought to 
provide for it working? The docs 
at https://apereo.github.io/cas/5.2.x/installation/Webflow-Customization.html 
certainly suggest to me that's the case.
Sure would like to make use of many of the positive features described in 
CAS 5.2.x. But I have to wonder if I'm missing many of the necessary 
details. I would like to avoid implementing all the features myself. Never 
been a big fan of the "let's reinvent the wheel" school of development. 
But...

Any insights, magic beans greatly appreciated.
-steve 


On Thursday, April 19, 2018 at 1:46:35 PM UTC-4, Steve Hespelt wrote:
>
> Hi Jérôme,
> I found an earlier posting 
> <https://groups.google.com/a/apereo.org/d/msg/cas-user/bGZam9qkP3E/IKPTYzp7AQAJ>
>  
> from 12/21/17 regarding the NPEs, so as suggested by that posting, I 
> restarted CAS & then cleared all related cookies from the browser. Once I 
> restarted CAS & re-initiated the same flow, no more NPE as shown in my log. 
> But I still have the problem with the webflow not finishing as I expect.
> I increased the log level to trace on a few packages:
> org.apereo.cas.web.flow
> org.springframework.webflow
> org.springframework.session
> org.springframework.web
> org.springframework.web.socket
> Some log entries of interest (to me): (and I'm currently guessing the 
> issue may be related to an SSO log msg at 2018-04-19 11:53:23,186 below.) 
> Why would a service not be allowed to use SSO?
> -steve
>
> 2018-04-19 11:53:01,183 TRACE 
> [org.springframework.web.servlet.DispatcherServlet] - <Bound request 
> context to thread: org.apache.catalina.connector.RequestFacade@33327a12>  
>   <- this object ref# shows up later, at the bottom so I'm correlating 
> this initial log with the later ('completion' ) log msg below with the same 
> object ref#...
> 2018-04-19 11:53:01,183 DEBUG 
> [org.springframework.web.servlet.DispatcherServlet] - <DispatcherServlet 
> with name 'dispatcherServlet' processing GET request for [/cas/login]>
>
> 2018-04-19 11:53:01,209 TRACE 
> [org.apereo.cas.web.CasWebApplicationContext] - <Publishing event in 
> org.apereo.cas.web.CasWebApplicationContext@222545dc: 
> ServletRequestHandledEvent: url=[/cas/login]; client=[0:0:0:0:0:0:0:1]; 
> method=[GET]; servlet=[dispatcherServlet]; 
> session=[2C34A85ABE5CF428636B86D697AA5B56]; user=[null]; time=[26ms]; 
> status=[OK]>  <- From the pac4j demo's SecurityFilter redirect to initial 
> request on /cas/index.jsp
>
> 2018-04-19 11:53:22,914 DEBUG 
> [org.springframework.web.servlet.DispatcherServlet] - <DispatcherServlet 
> with name 'dispatcherServlet' processing GET request for [/cas/login]>
>
> 2018-04-19 11:53:22,921 TRACE 
> [org.springframework.web.servlet.DispatcherServlet] - <Testing handler map 
> [org.springframework.webflow.mvc.servlet.FlowHandlerMapping@2ee91bdf] in 
> DispatcherServlet with name 'dispatcherServlet'>
> 2018-04-19 11:53:22,921 DEBUG 
> [org.springframework.webflow.mvc.servlet.FlowHandlerMapping] - <Mapping 
> request with URI '/cas/login' to flow with id 'login'>
>
> 2018-04-19 11:53:22,921 DEBUG 
> [org.springframework.webflow.executor.FlowExecutorImpl] - <Launching new 
> execution of flow 'login' with input map['state' -> 
> 'ldCrbo4sRBQJJ6MWsbMyEwW9aEbB2SXH4-qaq69Zz6s', 'code' -> 
> '4/AAAp_BeFI-e0zZCTS9wDDdIcKYhrXd2QDMej_cpXiigGC_jCEZ43E_FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME',
>  
> 'session_state' -> '6cd666a9989ac714aac38521f950f380ba3fcfc0..b199', 
> 'client_name' -> 'GoogleOIDC', 'prompt' -> 'none', 'authuser' -> '0']>
> 2018-04-19 11:53:22,921 DEBUG 
> [org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] 
> - <Getting FlowDefinition with id 'login'>
> 2018-04-19 11:53:22,921 DEBUG 
> [org.springframework.webflow.engine.impl.FlowExecutionImplFactory] - 
> <Creating new execution of 'login'>
> 2018-04-19 11:53:22,921 DEBUG 
> [org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Starting in 
> org.springframework.webflow.mvc.servlet.MvcExternalContext@408aeb6f with 
> input map['state' -> 'ldCrbo4sRBQJJ6MWsbMyEwW9aEbB2SXH4-qaq69Zz6s', 'code' 
> -> 
> '4/AAAp_BeFI-e0zZCTS9wDDdIcKYhrXd2QDMej_cpXiigGC_jCEZ43E_FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME',
>  
> 'session_state' -> '6cd666a9989ac714aac38521f950f380ba3fcfc0..b199', 
> 'client_name' -> 'GoogleOIDC', 'prompt' -> 'none', 'authuser' -> '0']>
> 2018-04-19 11:53:22,921 DEBUG [org.springframework.webflow.engine.Flow] - 
> <Creating [FlowVariable@c58f8bd name = 'credential', valueFactory = 
> [BeanFactoryVariableValueFactory@5cab14e3 type = 
> UsernamePasswordCredential]]>
> 2018-04-19 11:53:22,922 DEBUG 
> [org.springframework.webflow.execution.ActionExecutor] - <Executing 
> [EvaluateAction@29e2f697 expression = initialFlowSetupAction, 
> resultExpression = [null]]>
> 2018-04-19 11:53:22,922 DEBUG 
> [org.springframework.webflow.execution.ActionExecutor] - <Executing 
> org.apereo.cas.web.flow.InitialFlowSetupAction@1c5e2d2f>
> 2018-04-19 11:53:22,922 DEBUG 
> [org.apereo.cas.web.flow.InitialFlowSetupAction] - <Warning cookie path is 
> set to [null] and path [/cas/]>
> 2018-04-19 11:53:22,922 DEBUG 
> [org.apereo.cas.web.flow.InitialFlowSetupAction] - <TGC cookie path is set 
> to [null] and path [/cas/]>
> 2018-04-19 11:53:22,923 DEBUG 
> [org.apereo.cas.authentication.principal.WebApplicationServiceFactory] - 
> <No service is specified in the request. Skipping service creation>
> 2018-04-19 11:53:22,923 DEBUG 
> [org.apereo.cas.web.support.DefaultArgumentExtractor] - <No service could 
> be extracted based on the given request>
> 2018-04-19 11:53:22,923 DEBUG 
> [org.apereo.cas.web.support.AbstractArgumentExtractor] - <Extractor did not 
> generate service.>
> 2018-04-19 11:53:22,924 DEBUG 
> [org.springframework.webflow.execution.ActionExecutor] - <Finished 
> executing org.apereo.cas.web.flow.InitialFlowSetupAction@1c5e2d2f; result = 
> success>
> [...]
> 2018-04-19 11:53:22,924 DEBUG 
> [org.pac4j.oidc.credentials.extractor.OidcExtractor] - <Authentication 
> response successful>
> 2018-04-19 11:53:23,183 DEBUG 
> [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator] - <Token 
> response: status=200, content={
>  "access_token": 
> "ya29.GlyiBcpAH4iGUOnL7YWwmsCjl_Mbap24wouWyPh4CzDAHXJgozy5a6GZWfl6c8VEeQcgBSU6p2eWtWnhvXK1tZh8LsAmro4-24d4906l4m-XoWzvESO-Cac1SS8osA",
>  "token_type": "Bearer",
>  "expires_in": 3599,
>  "id_token": "eyJhbGc [...]DQ"
> }
> >
> 2018-04-19 11:53:23,184 DEBUG 
> [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator] - <Token 
> response successful>
> 2018-04-19 11:53:23,184 DEBUG [org.pac4j.oidc.client.GoogleOidcClient] - 
> <Credentials validation took: 260 ms>
> 2018-04-19 11:53:23,184 DEBUG 
> [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] 
> - <Retrieved credentials: [#OidcCredentials# | code: 
> 4/AAAp_BeFI-e0zZCTS9wDDdIcKYhrXd2QDMej_cpXiigGC_jCEZ43E_FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME
>  
> | clientName: GoogleOIDC | accessToken: 
> ya29.GlyiBcpAH4iGUOnL7YWwmsCjl_Mbap24wouWyPh4CzDAHXJgozy5a6GZWfl6c8VEeQcgBSU6p2eWtWnhvXK1tZh8LsAmro4-24d4906l4m-XoWzvESO-Cac1SS8osA
>  
> | refreshToken: null | idToken: com.nimbusds.jwt.SignedJWT@65ff182d |]>
> 2018-04-19 11:53:23,184 DEBUG 
> [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] 
> - <Retrieve service: 
> [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@62347e06[id=
> https://localhost:8449/callback?client_name=CasClient,originalUrl=
> https://localhost:8449/callback?client_name=CasClient
> ,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML]]>
>                                          ^^^^ so CAS has the callback to 
> provide the pac4j demo the credentials 
>
> 2018-04-19 11:53:23,186 TRACE [org.apereo.cas.util.CollectionUtils] - 
> <Converting attribute 
> [org.apereo.cas.support.pac4j.authentication.handler.support.ClientAuthenticationHandler@462b239f]>
> 2018-04-19 11:53:23,186 WARN 
> [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver]
>  
> - <Service [null] is not allowed to use SSO.>
> 2018-04-19 11:53:23,187 TRACE 
> [org.apereo.cas.audit.spi.ThreadLocalPrincipalResolver] - <Resolving 
> principal at audit point [execution(Authentication 
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(Authentication
> Transaction))]>
> 2018-04-19 11:53:23,187 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
> trail record BEGIN
> [...]
> 2018-04-19 11:53:23,190 DEBUG 
> [org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Attempting 
> to handle [org.springframework.webflow.execution.ActionExecutionException: 
> Exception thrown executing org.apereo.cas.support.pac4j.web.f
> low.DelegatedClientAuthenticationAction@7ce721a9 in state 'clientAction' 
> of flow 'login' -- action execution attributes were 'map[[empty]]'] 
> org.springframework.webflow.execution.ActionExecutionException: Exception 
> thrown executing 
> org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction@7ce721a9
>  
> in state 'clientAction' of flow 'login' -- action execution attributes were 
> 'map[[empty]]'
>         at 
> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60)
>  
> ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>         at 
> org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
>  
> ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>         at 
> org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>  
> ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>         at 
> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>  
> ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>         at 
> org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101) 
> ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>         at org.springframework.webflow.engine.State.enter(State.java:194) 
> ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>         at org.springframework.webflow.engine.Flow.start(Flow.java:527) 
> ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>         at 
> org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>  
> ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>         at 
> org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
>  
> ~[spring-webflow-2.4.6.RELEASE.jar!/:2.4.6.RELEASE]
>         at 
> org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
>  
> ~[spring-webflow-2.4.6.RELEASE.j
>
>
> 2018-04-19 11:53:23,211 DEBUG 
> [org.springframework.webflow.mvc.view.AbstractMvcView] - <Rendering MVC 
> [org.thymeleaf.spring4.view.ThymeleafView@5a9194a2] with model map 
> [{passwordManagementEnabled=false, recaptchaSiteKey=null, 
> viewScope=map[[empty]], warnCookieValue=false, 
> org.springframework.validation.BindingResult.credential=org.springframework.webflow.mvc.view.BindingModel:
>  
> 0 errors, staticAuthentication=true, 
> flowExecutionUrl=/cas/login?client_name=GoogleOIDC&state=ldCrbo4sRBQJJ6MWsbMyEwW9aEbB2SXH4-qaq69Zz6s&code=4%2FAAAp_BeFI-e0zZCTS9wDDdIcKYhrXd2QDMej_cpXiigGC_jCEZ43E_FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME&authuser=0&session_state
> =6cd666a9989ac714aac38521f950f380ba3fcfc0..b199&prompt=none&
> execution=35aa2986-8f39-4b7f-8a78-4a69bb475c54_H4sIAAAAAA [...] AAA%3D, 
> rootCauseException=org.apereo.cas.services.UnauthorizedSsoServiceException: 
> service.not.authorized.sso, 
> flowRequestContext=[RequestControlContextImpl@2b4c688c externalContext = 
> org.springframework.webflow.mvc.servlet.MvcExternalContext@408aeb6f, 
> currentEvent = [null], requestScope = map['ticketGrantingTicketId' -> 
> [null]], attributes = map[[empty]], messageContext = 
> [DefaultMessageContext@46184e22 sourceMessages = map[[null] -> 
> list[[empty]]]], flowExecution = [FlowExecutionImpl@7e5c67f1 flow = 
> 'login', flowSessions = list[[FlowSessionImpl@4157062f flow = 'login', 
> state = 'viewLoginForm', scope = map['passwordManagementEnabled' -> false, 
> 'rememberMeAuthenticationEnabled' -> false, 'recaptchaSiteKey' -> [null], 
> 'viewScope' -> map[[empty]], 'credential' -> null, 'warnCookieValue' -> 
> false, 'staticAuthentication' -> true, 'service' -> 
> org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@62347e06[id=
> https://localhost:8449/callback?client_name=CasClient,originalUrl=https://localhost:8449/callback?client_name=CasClient,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML],
>  
> 'ticketGrantingTicketId' -> [null], 'googleAnalyticsTrackingId' -> [null], 
> 'trackGeoLocation' -> false]]]]], rememberMeAuthenticationEnabled=false, 
> currentUser=null, credential=null, 
> flowExecutionKey=35aa2986-8f39-4b7f-8a78-4a69bb475c54_H4sIAAAAA 
> [...] AA%3D, 
> rootCauseException=org.apereo.cas.services.UnauthorizedSsoServiceException: 
> service.not.authorized.sso, 
> flowRequestContext=[RequestControlContextImpl@2b4c688c externalContext = 
> org.springframework.webflow.mvc.servlet.MvcExternalContext@408aeb6f, 
> currentEvent = [null], requestScope = map['ticketGrantingTicketId' -> 
> [null]], attributes = map[[empty]], messageContext = 
> [DefaultMessageContext@46184e22 sourceMessages = map[[null] -> 
> list[[empty]]]], flowExecution = [FlowExecutionImpl@7e5c67f1 flow = 
> 'login', flowSessions = list[[FlowSessionImpl@4157062f flow = 'login', 
> state = 'viewLoginForm', scope = map['passwordManagementEnabled' -> false, 
> 'rememberMeAuthenticationEnabled' -> false, 'recaptchaSiteKey' -> [null], 
> 'viewScope' -> map[[empty]], 'credential' -> null, 'warnCookieValue' -> 
> false, 'staticAuthentication' -> true, 'service' -> 
> org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@62347e06[id=
> https://localhost:8449/callback?client_name=CasClient,originalUrl=https://localhost:8449/callback?client_name=CasClient,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML],
>  
> 'ticketGrantingTicketId' -> [null], 'googleAnalyticsTrackingId' -> [null], 
> 'trackGeoLocation' -> false]]]]], rememberMeAuthenticationEnabled=false, 
> currentUser=null, credential=null, flowExecutionKey=35aa2986
>
> [...]
> 2018-04-19 11:53:23,237 DEBUG 
> [org.apereo.cas.services.web.ChainingThemeResolver] - <No specific theme 
> could be found. Using default theme [cas-theme-default}>
> 2018-04-19 11:53:23,266 DEBUG 
> [org.springframework.webflow.engine.Transition] - <Completed transition 
> execution.  As a result, the new state is 'viewLoginForm' in flow 'login'>
> 2018-04-19 11:53:23,267 TRACE 
> [org.springframework.web.servlet.DispatcherServlet] - <Cleared thread-bound 
> request context: org.apache.catalina.connector.RequestFacade@33327a12>  <- 
> same object ref# as in the initial above log msg.
> 2018-04-19 11:53:23,267 DEBUG 
> [org.springframework.web.servlet.DispatcherServlet] - <Successfully 
> completed request>
>
>
>
>
>>
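
An added example, not part of the original post or of CAS itself: a small Python check that pulls the unregistered service URL out of the WARN line quoted above and tests candidate `serviceId` patterns against it. It assumes CAS compares `serviceId` as a regular expression against the whole service URL (Python's `re` stands in for Java regex here); the candidate patterns and the "unrelated" URLs are constructed for illustration.

```python
import re

# The WARN entry from the post, with its original line wrapping preserved.
LOG = """2018-04-19 15:47:48,430 WARN
[org.apereo.cas.web.flow.ServiceAuthorizationCheck] - <Service Management:
missing service. Service [
https://localhost:8449/callback?client_name=CasClient] is not found in
service registry.>"""

# Hypothetical serviceId candidates an operator might try (not from the post).
CANDIDATES = [
    "https://localhost:8449/callback?client_name=CasClient",     # raw URL: '?' is a quantifier
    r"^https://localhost:8449/callback\?client_name=CasClient$",  # escaped and anchored
    r"^https://localhost.*",                                      # host prefix left open
    r"^https?://.*",                                              # matches every service
]

# Constructed URLs that a pattern scoped to this one app should NOT match.
UNRELATED = [
    "https://other.example.org/callback?client_name=CasClient",
    "https://localhost.example.org/callback",
]

MISSING = re.compile(r"missing service\. Service \[\s*(\S+?)\s*\] is not found")


def missing_services(log_text):
    """Return the service URLs the log reports as absent from the registry."""
    # Collapse whitespace first so a URL wrapped onto its own line is still found.
    return MISSING.findall(" ".join(log_text.split()))


def evaluate(pattern, service, unrelated=UNRELATED):
    """Classify one candidate pattern: 'no-match', 'too-broad' or 'ok'."""
    rx = re.compile(pattern)
    if not rx.fullmatch(service):  # assumption: whole-string match, as noted above
        return "no-match"
    if any(rx.fullmatch(u) for u in unrelated):
        return "too-broad"
    return "ok"


def report(log_text=LOG, candidates=CANDIDATES):
    """Map (service, pattern) -> verdict for every service missing in the log."""
    return {(svc, p): evaluate(p, svc)
            for svc in missing_services(log_text) for p in candidates}


if __name__ == "__main__":
    for (svc, pattern), verdict in report().items():
        print(f"{verdict:9} {pattern}")
```

Pasting the callback URL unescaped fails because `?` makes the preceding `k` optional instead of matching a literal question mark, while a catch-all pattern authorizes every application to request tickets.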
