Thanks, Ray. If I set log level to warn I will lose the errors. Basically I
was referring to the code below, which doesn't need to be log.error.

    protected AuthenticationBuilder authenticateInternal(final AuthenticationTransaction transaction)
            throws AuthenticationException {
        final Collection<Credential> credentials = transaction.getCredentials();
        final AuthenticationBuilder builder = new DefaultAuthenticationBuilder(NullPrincipal.getInstance());
        credentials.stream().forEach(cred -> builder.addCredential(new BasicCredentialMetaData(cred)));

        final Set<AuthenticationHandler> handlerSet = getAuthenticationHandlersForThisTransaction(transaction);
        Assert.notNull(handlerSet, "Resolved authentication handlers for this transaction cannot be null");
        if (handlerSet.isEmpty()) {
            LOGGER.warn("Resolved authentication handlers for this transaction are empty");
        }

        final boolean success = credentials
            .stream()
            .anyMatch(credential -> {
                final boolean isSatisfied = handlerSet
                    .stream()
                    .filter(handler -> handler.supports(credential))
                    .anyMatch(handler -> {
                        try {
                            final PrincipalResolver resolver =
                                getPrincipalResolverLinkedToHandlerIfAny(handler, transaction);
                            authenticateAndResolvePrincipal(builder, credential, resolver, handler);
                            final Pair<Boolean, Set<Throwable>> failures =
                                evaluateAuthenticationPolicies(builder.build());
                            return failures.getKey();
                        } catch (final Exception e) {
                            handleAuthenticationException(e, handler.getName(), builder);
                        }
                        return false;
                    });
                if (!isSatisfied) {
                    LOGGER.error("Authentication has failed. Credentials may be incorrect or CAS cannot "
                        + "find authentication handler that supports [{}] of type [{}]. Examine the configuration to "
                        + "ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace "
                        + "the authentication event.", credential, credential.getClass().getSimpleName());
                }
                return isSatisfied;
            });

        if (!success) {
            evaluateFinalAuthentication(builder, transaction);
        }
        return builder;
    }

Does anyone have ideas about #1 above? When I looked at the code in
CasCoreAuthenticationHandlersConfiguration,
I see that HttpBasedServiceCredentialsAuthenticationHandler is only created
here, and it's not a conditional bean either, to override it?

    @Bean
    public AuthenticationHandler proxyAuthenticationHandler() {
        return new HttpBasedServiceCredentialsAuthenticationHandler(null,
            servicesManager,
            proxyPrincipalFactory(), Integer.MIN_VALUE,
            supportsTrustStoreSslSocketFactoryHttpClient);
    }

Thanks
On Tuesday, January 8, 2019 at 8:53:47 AM UTC-8, rbon wrote:
>
> Rao,
>
> For the last item, you can filter log messages. e.g.
>     <!-- DEBUG Created seed map='{username=[loginname]}' for uid='loginname' -->
>     <AsyncLogger name="org.apereo.services.persondir.support.CachingPersonAttributeDaoImpl"
>                  level="warn" includeLocation="true">
>         <RegexFilter regex="Created seed map=.*" onMismatch="DENY" />
>     </AsyncLogger>
>
> See https://logging.apache.org/log4j/log4j-2.2/manual/filters.html
>
> Ray
>
> On Mon, 2019-01-07 at 17:06 -0800, Mr Rao wrote:
>
> Hi,
>
> When I debugged PolicyBasedAuthenticationManager.authenticateInternal I
> noticed three authentication handlers.
> 1) My Custom AuthenticationHandler
> 2) ClientAuthenticationHandler
> 3) HttpBasedServiceCredentialsAuthenticationHandler
>
> I'm only using my custom handler and ClientAuthenticationHandler. I do
> not see #3. How do I turn off
> HttpBasedServiceCredentialsAuthenticationHandler completely? I'm
> worried that hackers can send HttpClientCredential to get access to the
> system.
>
>
> Also, I noticed that PolicyBasedAuthenticationManager has a log.error
> when we enter a bad password; I also want to suppress this logging.
>
> Thanks
> Rao
>
> --
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2c0d7685-89b7-442f-8c37-1dab0f59fd99%40apereo.org.
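
Ray's RegexFilter approach applied to the log.error that Rao quotes from PolicyBasedAuthenticationManager, as an added example that is not part of the original thread or the CAS project's own configuration. The logger's package name and the appender names casConsole and casFile are assumptions; use the ones from your own log4j2.xml.

```xml
<!-- Added example. Goes inside <Loggers> of the CAS log4j2.xml. -->
<!-- Assumption: the class lives in org.apereo.cas.authentication. -->
<AsyncLogger name="org.apereo.cas.authentication.PolicyBasedAuthenticationManager"
             level="warn" additivity="false" includeLocation="true">
    <!-- Assumption: appender names; use the ones your file defines. -->
    <AppenderRef ref="casConsole"/>
    <AppenderRef ref="casFile"/>
    <!--
      RegexFilter must match the whole formatted message, hence the trailing .*
      (?s) lets . span line breaks in case the credential's toString() has any.
      onMatch="DENY"       drops only the failed-authentication ERROR quoted above.
      onMismatch="NEUTRAL" lets every other event from this logger through,
      so its remaining WARN and ERROR output is still written.
    -->
    <RegexFilter regex="(?s)Authentication has failed\. Credentials may be incorrect.*"
                 onMatch="DENY" onMismatch="NEUTRAL"/>
</AsyncLogger>
```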