Hi,

I'm glad to see that you confirm the bug. I'll try to make a Pull Request, 
but I need to setup a full CAS dev env before.

Regards,

Charles


Le mercredi 23 mai 2018 18:59:17 UTC+2, Christian Poirier a écrit :
>
> I think I know what you mean by "is buggy". I check the code and it misses 
> something. The webflow is not configured correctly even if you configure to 
> use hostname filter and/or IP address filter. It just jumps directly to 
> SPNEGO negotiate transition. I corrected this with the changes I made to 
> the code. There was no way to choose to go directly to SPNEGO or evaluate 
> the client before starts SPNEGO.
>
> Christian Poirier
> Mobile: 418-473-2824
>
> 2018-05-23 1:58 GMT-04:00 Charles Le Gallic <cha...@amoae.com 
> <javascript:>>:
>
>> Ok thanks. Let me know if you can confirm that current native 
>> implementation is buggy.
>>
>> Regards,
>>
>> Charles
>>
>> <http://www.amoae.com/>
>> 12, impasse du Malrigou, 31140 Montberon 
>> <https://maps.google.com/?q=12,+impasse+du+Malrigou,%C2%A031140+Montberon&entry=gmail&source=g>
>> con...@amoae.com <javascript:> | 06 24 73 04 98 | *amoae.com* 
>> <http://amoae.com/>
>>
>>
>> Le mer. 23 mai 2018 à 04:46, Christian Poirier <chris...@gmail.com 
>> <javascript:>> a écrit :
>>
>>> Hi Charles
>>>
>>> Yes I did, but with my own development and my properties. I will check 
>>> if I can implement with Client Access Strategy by implementing my own 
>>> SPNEGO Service Access Strategy
>>>
>>> Christian Poirier
>>> Mobile: 418-473-2824
>>>
>>> 2018-05-22 1:58 GMT-04:00 Charles Le Gallic <cha...@amoae.com 
>>> <javascript:>>:
>>>
>>>> Hi Christian,
>>>>
>>>> Did you achieved to make IP based SPNEGO client selection works on CAS 
>>>> 5.x ?
>>>>
>>>> In that case, is there any other configuration to setup in addition to 
>>>> cas.properties configuration ?
>>>>
>>>> Regards,
>>>>
>>>> Charles
>>>>
>>>> <http://www.amoae.com/>
>>>> 12, impasse du Malrigou, 31140 Montberon 
>>>> <https://maps.google.com/?q=12,+impasse+du+Malrigou,%C2%A031140+Montberon&entry=gmail&source=g>
>>>> con...@amoae.com <javascript:> | 06 24 73 04 98 | *amoae.com* 
>>>> <http://amoae.com/>
>>>>
>>>>
>>>> Le ven. 18 mai 2018 à 14:14, Christian Poirier <chris...@gmail.com 
>>>> <javascript:>> a écrit :
>>>>
>>>>> Hi Charles
>>>>>
>>>>> I am using the 5.3.0-RC3. I illustrated the webflow to see the logic. 
>>>>> The webflow logic is built in the code.
>>>>> I will check if the implementation based on a 
>>>>> RegisteredServiceAccessStrategy is possible.
>>>>>
>>>>> Christian Poirier
>>>>> Mobile: 418-473-2824
>>>>>
>>>>> 2018-05-18 1:28 GMT-04:00 Charles Le Gallic <cha...@amoae.com 
>>>>> <javascript:>>:
>>>>>
>>>>>> Hi Christian,
>>>>>>
>>>>>> Which version of CAS do you use ?
>>>>>>
>>>>>> It seems to be a version below CAS 5.0.x (org.jasig packages and XML 
>>>>>> spring configurations). SPNEGO client selection strategy was working on 
>>>>>> 4.x 
>>>>>> version, but I cannot make it work after having upgrade to CAS 5.1.x....
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Charles
>>>>>>
>>>>>> <http://www.amoae.com/>
>>>>>> 12, impasse du Malrigou, 31140 Montberon 
>>>>>> <https://maps.google.com/?q=12,+impasse+du+Malrigou,%C2%A031140+Montberon&entry=gmail&source=g>
>>>>>> con...@amoae.com <javascript:> | 06 24 73 04 98 | *amoae.com* 
>>>>>> <http://amoae.com/>
>>>>>>
>>>>>>
>>>>>> Le jeu. 17 mai 2018 à 15:25, Christian Poirier <chris...@gmail.com 
>>>>>> <javascript:>> a écrit :
>>>>>>
>>>>>>> Hi Nicolas,
>>>>>>>
>>>>>>> In our organization, we need to let the user choose between the 
>>>>>>> default login and SPNEGO upon a list of criteria and sometimes we need 
>>>>>>> to 
>>>>>>> go directly to the SPNEGO authentication upon other criteria. For this 
>>>>>>> feature, I extended the SPNEGO module. I show a button with the label 
>>>>>>> "LOGIN WITH MY WINDOWS ACCOUNT" when the IP address matches a regular 
>>>>>>> expression. When the service matches a regular expression and the IP 
>>>>>>> address also matches its regular expression, I force SPNEGO 
>>>>>>> authentication 
>>>>>>> without giving the user the chance to authenticate otherwise. If none 
>>>>>>> of 
>>>>>>> the previous conditions are present, then the user must authenticate 
>>>>>>> normally with his user ID and password.
>>>>>>> If you look the following webflow, you will find this logic inside.
>>>>>>>
>>>>>>> <var name="credentials" class=
>>>>>>> "org.jasig.cas.authentication.principal.UsernamePasswordCredentials" 
>>>>>>> />
>>>>>>>
>>>>>>> <on-start>
>>>>>>>
>>>>>>> <evaluate expression="initialFlowSetupAction" />
>>>>>>>
>>>>>>>        <set name="flowScope.displaySPNegoButton" value="false" />
>>>>>>>
>>>>>>> </on-start>
>>>>>>>
>>>>>>>
>>>>>>> <decision-state id="ticketGrantingTicketExistsCheck">
>>>>>>>
>>>>>>>   <if test="flowScope.ticketGrantingTicketId neq null" then=
>>>>>>> "hasServiceCheck" else="gatewayRequestCheck" />
>>>>>>>
>>>>>>> </decision-state>
>>>>>>>
>>>>>>>
>>>>>>> <decision-state id="gatewayRequestCheck">
>>>>>>>
>>>>>>>       <if test="externalContext.requestParameterMap['gateway'] neq 
>>>>>>> '' &amp;&amp; externalContext.requestParameterMap['gateway'] neq null 
>>>>>>> &amp;&amp; flowScope.service neq null" then=
>>>>>>> "gatewayServicesManagementCheck" else="startAuthenticateCheck" />
>>>>>>>
>>>>>>> </decision-state>
>>>>>>>
>>>>>>>
>>>>>>> <decision-state id="hasServiceCheck">
>>>>>>>
>>>>>>>   <if test="flowScope.service != null" then="renewRequestCheck" else
>>>>>>> ="viewGenericLoginSuccess" />
>>>>>>>
>>>>>>> </decision-state>
>>>>>>>
>>>>>>>
>>>>>>> <decision-state id="renewRequestCheck">
>>>>>>>
>>>>>>> <if test="externalContext.requestParameterMap['renew'] neq '' 
>>>>>>> &amp;&amp; externalContext.requestParameterMap['renew'] neq null" 
>>>>>>> then="startAuthenticateCheck" else="generateServiceTicket" />
>>>>>>>
>>>>>>> </decision-state>
>>>>>>>
>>>>>>>
>>>>>>> <!-- 
>>>>>>>
>>>>>>>    The "warn" action makes the determination of whether to redirect 
>>>>>>> directly to the requested
>>>>>>>
>>>>>>>      service or display the "confirmation" page to go back to the 
>>>>>>> server.
>>>>>>>
>>>>>>> -->
>>>>>>>
>>>>>>> <decision-state id="warn">
>>>>>>>
>>>>>>>       <if test="flowScope.warnCookieValue" then="showWarningView" 
>>>>>>> else="redirect" />
>>>>>>>
>>>>>>> </decision-state>
>>>>>>>
>>>>>>>
>>>>>>> <!-- 
>>>>>>>
>>>>>>> <action-state id="startAuthenticate">
>>>>>>>
>>>>>>>      <action bean="x509Check" />
>>>>>>>
>>>>>>>     <transition on="success" to="sendTicketGrantingTicket" />
>>>>>>>
>>>>>>>       <transition on="warn" to="warn" />
>>>>>>>
>>>>>>>      <transition on="error" to="generateLoginTicket" />
>>>>>>>
>>>>>>> </action-state>
>>>>>>>
>>>>>>> -->
>>>>>>>
>>>>>>> <decision-state id="startAuthenticateCheck">
>>>>>>>
>>>>>>>       <if test="externalContext.requestParameterMap['spnego'] neq 
>>>>>>> '' &amp;&amp; externalContext.requestParameterMap['spnego'] neq null 
>>>>>>> &amp;&amp; externalContext.requestParameterMap['spnego'] eq 'off'" 
>>>>>>> then="generateLoginTicket" else="spnegoForceCheckAction" />
>>>>>>>
>>>>>>> </decision-state>
>>>>>>>
>>>>>>>
>>>>>>> <decision-state id="spnegoForceCheckAction">
>>>>>>>
>>>>>>>    <if test="externalContext.requestParameterMap['forcespnego'] neq 
>>>>>>> '' &amp;&amp; externalContext.requestParameterMap['forcespnego'] neq 
>>>>>>> null 
>>>>>>> &amp;&amp; externalContext.requestParameterMap['forcespnego'] eq 
>>>>>>> 'true'" 
>>>>>>> then="spnegoIPCheckAction2" else="spnegoAppCheckAction" />
>>>>>>>
>>>>>>> </decision-state>
>>>>>>>
>>>>>>>
>>>>>>> <action-state id="spnegoAppCheckAction">
>>>>>>>
>>>>>>>        <evaluate expression="spNegoAppCheck" />
>>>>>>>
>>>>>>>        <transition on="yes" to="spnegoIPCheckAction2" />
>>>>>>>
>>>>>>>       <transition on="no" to="spnegoIPCheckAction" />
>>>>>>>
>>>>>>> </action-state>
>>>>>>>
>>>>>>>
>>>>>>> <action-state id="spnegoIPCheckAction">
>>>>>>>
>>>>>>> <evaluate expression="spNegoIPCheck" />
>>>>>>>
>>>>>>> <transition on="yes" to="generateLoginTicket" >
>>>>>>>
>>>>>>>         <set name="flowScope.displaySPNegoButton" value="true" />   
>>>>>>>               
>>>>>>>
>>>>>>>       </transition>
>>>>>>>
>>>>>>>   <transition on="no" to="generateLoginTicket" />
>>>>>>>
>>>>>>> </action-state>
>>>>>>>
>>>>>>>
>>>>>>> <action-state id="spnegoIPCheckAction2">
>>>>>>>
>>>>>>>        <evaluate expression="spNegoIPCheck" />
>>>>>>>
>>>>>>> <transition on="yes" to="startAuthenticate" />
>>>>>>>
>>>>>>>  <transition on="no" to="generateLoginTicket" />
>>>>>>>
>>>>>>> </action-state>
>>>>>>>
>>>>>>>
>>>>>>> <action-state id="startAuthenticate">
>>>>>>>
>>>>>>>   <evaluate expression="negociateSpnego" />
>>>>>>>
>>>>>>>       <transition on="success" to="spnego" />
>>>>>>>
>>>>>>> </action-state>
>>>>>>>
>>>>>>>
>>>>>>> <action-state id="spnego">
>>>>>>>
>>>>>>>      <evaluate expression="spnego" />
>>>>>>>
>>>>>>>        <transition on="success" to="sendTicketGrantingTicket" />
>>>>>>>
>>>>>>>       <transition on="error" to="generateLoginTicket" />
>>>>>>>
>>>>>>> </action-state>
>>>>>>>
>>>>>>>
>>>>>>> <action-state id="generateLoginTicket">
>>>>>>>
>>>>>>> <evaluate expression=
>>>>>>> "generateLoginTicketAction.generate(flowRequestContext)" />
>>>>>>>
>>>>>>>        <transition on="success" to="viewLoginForm" />
>>>>>>>
>>>>>>> </action-state>
>>>>>>>
>>>>>>>
>>>>>>> Here are my new spnego.properties
>>>>>>> # cas.authn.spnego.spnegoMode=direct: indicates to go directly to 
>>>>>>> the SPNEGO by changing the succes transition of initialLoginForm 
>>>>>>> action-state 
>>>>>>> to startSpnegoAuthenticate
>>>>>>> # cas.authn.spnego.spnegoMode=evaluateClient: indicates to evaluate 
>>>>>>> the client based on the client action strategy defined in 
>>>>>>> evaluateClientActionStrategy. 
>>>>>>>
>>>>>>> #                                                     It changes the 
>>>>>>> success transition of initialLoginForm action-state to 
>>>>>>> evaluateClientRequest
>>>>>>> cas.authn.
>>>>>>>
>>>>>> ...
>>
>> [Message tronqué]  
>
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9f261cfb-1933-43f9-ad8a-c7995e91eec3%40apereo.org.

Reply via email to