Thanks, Ray. If I set the log level to warn I will lose the errors. Basically I 
was referring to the code below, which doesn't need to be log.error.



protected AuthenticationBuilder authenticateInternal(final AuthenticationTransaction transaction) throws AuthenticationException {
    final Collection<Credential> credentials = transaction.getCredentials();
    final AuthenticationBuilder builder = new DefaultAuthenticationBuilder(NullPrincipal.getInstance());
    credentials.stream().forEach(cred -> builder.addCredential(new BasicCredentialMetaData(cred)));

    final Set<AuthenticationHandler> handlerSet = getAuthenticationHandlersForThisTransaction(transaction);
    Assert.notNull(handlerSet, "Resolved authentication handlers for this transaction cannot be null");
    if (handlerSet.isEmpty()) {
        LOGGER.warn("Resolved authentication handlers for this transaction are empty");
    }

    final boolean success = credentials
            .stream()
            .anyMatch(credential -> {
                final boolean isSatisfied = handlerSet
                        .stream()
                        .filter(handler -> handler.supports(credential))
                        .anyMatch(handler -> {
                            try {
                                final PrincipalResolver resolver = getPrincipalResolverLinkedToHandlerIfAny(handler, transaction);
                                authenticateAndResolvePrincipal(builder, credential, resolver, handler);
                                final Pair<Boolean, Set<Throwable>> failures = evaluateAuthenticationPolicies(builder.build());
                                return failures.getKey();
                            } catch (final Exception e) {
                                handleAuthenticationException(e, handler.getName(), builder);
                            }
                            return false;
                        });

                if (!isSatisfied) {
                    LOGGER.error("Authentication has failed. Credentials may be incorrect or CAS cannot "
                            + "find authentication handler that supports [{}] of type [{}]. Examine the configuration to "
                            + "ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace "
                            + "the authentication event.", credential, credential.getClass().getSimpleName());
                }
                return isSatisfied;
            });

    if (!success) {
        evaluateFinalAuthentication(builder, transaction);
    }

    return builder;
}



Does anyone have ideas about #1 above? When I looked at the code in 
CasCoreAuthenticationHandlersConfiguration, 
I see that HttpBasedServiceCredentialsAuthenticationHandler is only created 
here and it's not a conditional bean either to override it?


@Bean
public AuthenticationHandler proxyAuthenticationHandler() {
    return new HttpBasedServiceCredentialsAuthenticationHandler(null, servicesManager,
            proxyPrincipalFactory(), Integer.MIN_VALUE,
            supportsTrustStoreSslSocketFactoryHttpClient);
}








Thanks






On Tuesday, January 8, 2019 at 8:53:47 AM UTC-8, rbon wrote:
>
> Rao,
>
> For the last item, you can filter log messages. e.g.
>         <!-- DEBUG Created seed map='{username=[loginname]}' for uid='loginname' -->
>         <AsyncLogger name="org.apereo.services.persondir.support.CachingPersonAttributeDaoImpl" level="warn" includeLocation="true">
>             <RegexFilter regex="Created seed map=.*" onMismatch="DENY" />
>         </AsyncLogger>
>
> See https://logging.apache.org/log4j/log4j-2.2/manual/filters.html
>
> Ray
>
> On Mon, 2019-01-07 at 17:06 -0800, Mr Rao wrote:
>
> Hi, 
>
> When I debug PolicyBasedAuthenticationManager.authenticateInternal I 
> noticed three authentication handlers.
> 1) My Custom AuthenticationHandler
> 2) ClientAuthenticationHandler
> 3) HttpBasedServiceCredentialsAuthenticationHandler
>
> I'm only using my custom handler and ClientAuthenticationHandler. I do 
> not see #3. How do I turn off 
> HttpBasedServiceCredentialsAuthenticationHandler completely? I'm 
> worried that hackers can send HttpClientCredential to get access to the 
> system.
>
>
> Also, I noticed that PolicyBasedAuthenticationManager has a log.error 
> when we enter a bad password, and I also want to suppress this logging.
>
> Thanks
> Rao
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca
>
>
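
The filter approach from the quoted reply, applied to the LOGGER.error call in authenticateInternal above, as an added example that is not part of the original thread or of the CAS distribution. It assumes the class lives in the org.apereo.cas.authentication package and that "warn" is the threshold you want for this logger; the entry goes inside the <Loggers> element of the CAS log4j2.xml.

```xml
<!-- Added example. Logger name and level are assumptions; adjust to your deployment. -->
<!-- No AppenderRef children: events that pass the filter go up to the parent
     logger's appenders by additivity, as in the quoted snippet. -->
<AsyncLogger name="org.apereo.cas.authentication.PolicyBasedAuthenticationManager"
             level="warn" includeLocation="true">
    <!-- RegexFilter tests the whole formatted message (Matcher.matches()),
         so the pattern ends in .* to cover the credential and type that follow.
         onMatch="DENY"        drops only the "Authentication has failed" message.
         onMismatch="NEUTRAL"  lets every other WARN/ERROR from this class through,
                               including the "handlers ... are empty" warning. -->
    <RegexFilter regex="Authentication has failed\. Credentials may be incorrect.*"
                 onMatch="DENY" onMismatch="NEUTRAL"/>
</AsyncLogger>
```

Dropping this message removes the failed-login signal from the application log, so confirm that failed authentications are still recorded somewhere you monitor (for example the audit trail) before deploying it.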
