Hi,
Does anyone have ideas on disabling HttpBasedServiceCredentialsAuthenticationHandler?
Or is it safe to leave it?
Thanks,
Rao
On Tuesday, January 8, 2019 at 9:17:56 AM UTC-8, Mr Rao wrote:
>
> Thanks, Ray. If I set the log level to warn I will lose the errors. Basically
> I was referring to the code below, which doesn't need to be log.error.
>
> protected AuthenticationBuilder authenticateInternal(final AuthenticationTransaction transaction) throws AuthenticationException {
>     final Collection<Credential> credentials = transaction.getCredentials();
>     final AuthenticationBuilder builder = new DefaultAuthenticationBuilder(NullPrincipal.getInstance());
>     credentials.stream().forEach(cred -> builder.addCredential(new BasicCredentialMetaData(cred)));
>
>     final Set<AuthenticationHandler> handlerSet = getAuthenticationHandlersForThisTransaction(transaction);
>     Assert.notNull(handlerSet, "Resolved authentication handlers for this transaction cannot be null");
>     if (handlerSet.isEmpty()) {
>         LOGGER.warn("Resolved authentication handlers for this transaction are empty");
>     }
>
>     final boolean success = credentials
>         .stream()
>         .anyMatch(credential -> {
>             final boolean isSatisfied = handlerSet
>                 .stream()
>                 .filter(handler -> handler.supports(credential))
>                 .anyMatch(handler -> {
>                     try {
>                         final PrincipalResolver resolver = getPrincipalResolverLinkedToHandlerIfAny(handler, transaction);
>                         authenticateAndResolvePrincipal(builder, credential, resolver, handler);
>                         final Pair<Boolean, Set<Throwable>> failures = evaluateAuthenticationPolicies(builder.build());
>                         return failures.getKey();
>                     } catch (final Exception e) {
>                         handleAuthenticationException(e, handler.getName(), builder);
>                     }
>                     return false;
>                 });
>
>             if (!isSatisfied) {
>                 LOGGER.error("Authentication has failed. Credentials may be incorrect or CAS cannot "
>                     + "find authentication handler that supports [{}] of type [{}]. Examine the configuration to "
>                     + "ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace "
>                     + "the authentication event.", credential, credential.getClass().getSimpleName());
>             }
>             return isSatisfied;
>         });
>
>     if (!success) {
>         evaluateFinalAuthentication(builder, transaction);
>     }
>
>     return builder;
> }
>
> Anyone have ideas about #1 above? When I looked at the code in
> CasCoreAuthenticationHandlersConfiguration
> I see that HttpBasedServiceCredentialsAuthenticationHandler is only
> created here, and it's not a conditional bean either, so how can it be overridden?
>
> @Bean
> public AuthenticationHandler proxyAuthenticationHandler() {
>     return new HttpBasedServiceCredentialsAuthenticationHandler(null,
>         servicesManager,
>         proxyPrincipalFactory(), Integer.MIN_VALUE,
>         supportsTrustStoreSslSocketFactoryHttpClient);
> }
>
> Thanks
>
> On Tuesday, January 8, 2019 at 8:53:47 AM UTC-8, rbon wrote:
>>
>> Rao,
>>
>> For the last item, you can filter log messages. e.g.
>> <!-- DEBUG Created seed map='{username=[loginname]}' for uid='loginname' -->
>> <AsyncLogger name="org.apereo.services.persondir.support.CachingPersonAttributeDaoImpl"
>>              level="warn" includeLocation="true">
>>     <RegexFilter regex="Created seed map=.*" onMismatch="DENY" />
>> </AsyncLogger>
>>
>> See https://logging.apache.org/log4j/log4j-2.2/manual/filters.html
>>
>> Ray
>>
>> On Mon, 2019-01-07 at 17:06 -0800, Mr Rao wrote:
>>
>> Hi,
>>
>> When I debug PolicyBasedAuthenticationManager.authenticateInternal I
>> did notice three authentication handlers.
>> 1) My Custom AuthenticationHandler
>> 2) ClientAuthenticationHandler
>> 3) HttpBasedServiceCredentialsAuthenticationHandler
>>
>> I'm only using my custom handler and ClientAuthenticationHandler. I do
>> not see #3. How do I turn off
>> HttpBasedServiceCredentialsAuthenticationHandler completely? I'm
>> worried that hackers can send HttpClientCredential to get access to the
>> system.
>>
>> Also I did notice that PolicyBasedAuthenticationManager has log.error
>> when we enter a bad password, which I also want to suppress.
>>
>> Thanks
>> Rao
>>
>> --
>> Ray Bon
>> Programmer analyst
>> Development Services, University Systems
>> 2507218831 | CLE 019 | [email protected]
>>
>>
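As an added example, not from any poster in this thread: Ray's per-logger RegexFilter approach applied to the "Authentication has failed" log.error from PolicyBasedAuthenticationManager that Rao wants to suppress, without lowering the level for the rest of that class. The logger name assumes the class lives in the org.apereo.cas.authentication package; verify it against the sources of your CAS version.

```xml
<!-- Added example (not from this thread). Drops only the "Authentication has failed" ERROR
     from PolicyBasedAuthenticationManager; every other message from that class still flows
     to the parent appenders, as in Ray's snippet (no AppenderRef, additivity left on).
     Logger name is an assumption: check the package for your CAS version. -->
<AsyncLogger name="org.apereo.cas.authentication.PolicyBasedAuthenticationManager"
             level="info" includeLocation="true">
    <!-- RegexFilter is tested against the whole formatted message:
         a match is DENIED (discarded), anything else is NEUTRAL (passes on). -->
    <RegexFilter regex="Authentication has failed\..*" onMatch="DENY" onMismatch="NEUTRAL" />
</AsyncLogger>
```

Failed-login events are the signal a SIEM uses to spot password guessing, so an alternative to discarding them is to give this logger its own AppenderRef (with additivity="false") that writes to a separate file at a lower level.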
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6762c91c-6528-4c73-b988-6494b74c99e5%40apereo.org.