We're interested in using surrogate authentication for some support staff.
I had done a quick proof-of-concept under CAS 5.2.x a while ago, enough to
demonstrate it worked. We are now working with 5.3.3 and starting to build
the actual functionality, but are running into a problem. I'm using a
static entry in the cas.properties file and have removed several
dependencies added since the POC.

Some relevant snippets from the log are included below. I have run this
with DEBUG and did not see anything immediately more helpful.

You can see that the surrogate authorization is actually successful in the
first chunk and the service ticket is successfully validated. The problem
appears to be in the building of the validation response. It looks like
surrogate authentication changes at least one of the credential attributes
from a string to hash and causes this problem.

This seems somewhat similar to another thread related to the MFA bypass
functionality giving an INVALID_AUTHENTICATION_CONTEXT error, also when
building the response after successful service ticket validation.

Has anyone dealt with this type of issue?

Thanks,

-dirk

2018-09-10 14:09:38,399 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
<{"who":"(Primary User: [[v*****]], Surrogate User:
[[t*****]])","what":"[result=Service Access Granted,service=
https://web.test/duo-validator/duo,requiredAttributes={}]","action":"SERVICE_ACCESS_ENFORCEMENT_TRIGGERED","application":"CAS","when":"Mon
Sep 10 14:09:38 UTC
2018","clientIpAddress":"192.168.34.1","serverIpAddress":"192.168.34.120"}>
2018-09-10 14:09:38,436 INFO
[org.apereo.cas.DefaultCentralAuthenticationService] - <Granted ticket
[ST-1-UHQvQ88buWL-FRkdZBgbQxX0N78cas-1] for service [
https://web.test/duo-validator/duo] and principal [t*****]>
2018-09-10 14:09:38,442 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
<{"who":"(Primary User: [[v*****]], Surrogate User:
[[t*****]])","what":"ST-1-UHQvQ88buWL-FRkdZBgbQxX0N78cas-1 for
https://web.test/duo-validator/duo","action":"SERVICE_TICKET_CREATED","application":"CAS","when":"Mon
Sep 10 14:09:38 UTC
2018","clientIpAddress":"192.168.34.1","serverIpAddress":"192.168.34.120"}>
...
2018-09-10 14:09:41,886 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
<{"who":"(Primary User: [[v*****]], Surrogate User:
[[t****]])","what":"ST-1-UHQvQ88buWL-FRkdZBgbQxX0N78cas-1","action":"SERVICE_TICKET_VALIDATED","application":"CAS","when":"Mon
Sep 10 14:09:41 UTC
2018","clientIpAddress":"192.168.34.10","serverIpAddress":"192.168.34.120"}>
2018-09-10 14:09:41,944 ERROR
[org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas].[dispatcherServlet]]
- <Servlet.service() for servlet [dispatcherServlet] in context with path
[/cas] threw exception [Request processing failed; nested exception is
java.lang.ClassCastException: java.util.LinkedHashSet cannot be cast to
java.lang.String] with root cause>
java.lang.ClassCastException: java.util.LinkedHashSet cannot be cast to
java.lang.String
  at
org.apereo.cas.services.web.view.AbstractCasView.getAuthenticationAttribute(AbstractCasView.java:160)
~[cas-server-core-web-api-5.3.3.jar!/:5.3.3]
  at
org.apereo.cas.services.web.view.AbstractCasView.decideIfCredentialPasswordShouldBeReleasedAsAttribute(AbstractCasView.java:309)
~[cas-server-core-web-api-5.3.3.jar!/:5.3.3]
  at
org.apereo.cas.web.view.Cas30ResponseView.prepareMergedOutputModel(Cas30ResponseView.java:73)
~[cas-server-support-validation-5.3.3.jar!/:5.3.3]
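The stack trace above shows a view helper casting an authentication attribute straight to String and failing once surrogate authentication hands it a LinkedHashSet. The snippet below is an added example (not CAS project code) of how a response view can read such an attribute without an unchecked cast and, for a decision like "release the credential password as an attribute", fail closed when the value has an unexpected shape instead of throwing or silently releasing. The class, method and attribute names are assumptions for illustration; the sample maps mimic the two attribute shapes the trace implies.

```java
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Hypothetical helper (not from CAS): tolerant reads of authentication attributes
// that may be single-valued (String) or multi-valued (Collection, e.g. LinkedHashSet).
public final class AttributeReader {

    private AttributeReader() {}

    /** First value of the named attribute as a String; empty if absent or all-null. */
    public static Optional<String> firstValueAsString(Map<String, Object> attributes, String name) {
        Object raw = attributes.get(name);
        if (raw == null) {
            return Optional.empty();
        }
        if (raw instanceof Collection) {
            Collection<?> values = (Collection<?>) raw;
            return values.stream()
                    .filter(v -> v != null)
                    .findFirst()
                    .map(Object::toString);
        }
        return Optional.of(raw.toString());
    }

    /**
     * Fail-closed decision flag: true only when the attribute is present and every
     * value is literally "true". A missing attribute, an empty collection, a mixed
     * collection or an unrecognised type all yield false rather than an exception,
     * so a sensitive release (such as a credential password) never happens by accident.
     */
    public static boolean isReleaseAllowed(Map<String, Object> attributes, String name) {
        Object raw = attributes.get(name);
        if (raw == null) {
            return false;
        }
        if (raw instanceof Collection) {
            Collection<?> values = (Collection<?>) raw;
            return !values.isEmpty()
                    && values.stream().allMatch(v -> "true".equalsIgnoreCase(String.valueOf(v)));
        }
        if (raw instanceof String || raw instanceof Boolean) {
            return "true".equalsIgnoreCase(raw.toString());
        }
        // Any other type (Map, custom object, ...) is treated as "do not release".
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample attribute maps: the same attribute once as a String and once
        // as a LinkedHashSet, mirroring the shapes that cause the ClassCastException above.
        Map<String, Object> single = Map.of("credentialType", "UsernamePasswordCredential");
        Map<String, Object> multi = Map.of("credentialType",
                new LinkedHashSet<>(List.of("UsernamePasswordCredential", "SurrogateCredential")));

        System.out.println(firstValueAsString(single, "credentialType").orElse("<none>"));
        System.out.println(firstValueAsString(multi, "credentialType").orElse("<none>"));

        // Release decision: a multi-valued flag with one non-"true" entry fails closed.
        Map<String, Object> flags = Map.of("releasePassword",
                new LinkedHashSet<>(List.of("true", "false")));
        System.out.println(isReleaseAllowed(flags, "releasePassword"));               // false
        System.out.println(isReleaseAllowed(Map.of("releasePassword", "true"), "releasePassword")); // true
    }
}
```

The point of the fail-closed flag is that a type mismatch in the attribute map should downgrade to "do not release" and be logged, never surface as a 500 during ticket validation and never default to releasing a password.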
