Hi Daniel, thanks for your response. I spent a lot of time looking at
those. And although it's likely that we will ultimately need to write our
own policy or authentication handler, I was wanting to play with the
existing ones to see if we could do anything interesting with them.

But I was having difficulty getting them actually enabled with the
configuration file lines as described in the documentation. Running at
TRACE level in the authentication code, I was always seeing the "any"
policy getting run, and the "notPrevented" if it was enabled, but I never
saw any of the others getting executed, even if enabled. And the "any"
policy seems to run even if you explicitly set
"cas.authn.policy.any.enabled=false", which just seems wrong to me.

At the end of the day it may not matter as I don't think the existing
things will do what we want, but I haven't seen anything in the forum at
all about this stuff except one other unanswered question, so I was
wondering if there was anyone out there using it successfully.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Wed, Jan 16, 2019 at 5:53 PM Daniel Ellentuck <d...@columbia.edu> wrote:

> Hi David,
>
> Take a look at: the authentication policy configuration in
> cas-server-core-authentication:
> org.apereo.cas.config.CasCoreAuthenticationPolicyConfiguration
> <https://github.com/apereo/cas/blob/master/core/cas-server-core-authentication/src/main/java/org/apereo/cas/config/CasCoreAuthenticationPolicyConfiguration.java>
> and the actual authentication policies in
> cas-server-core-authentication-api:
> org.apereo.cas.authentication.policy
> <https://github.com/apereo/cas/tree/master/core/cas-server-core-authentication-api/src/main/java/org/apereo/cas/authentication/policy>
> and ensure you're clear on what the policies do. If you have a truly custom
> case, you may have to implement your own authentication policy and add it
> via the AuthenticationEventExecutionPlanConfigurer.  If not, could you
> describe what behavior you'd like to see and what you've done to effect it?
>
> (I'm referring to CAS v.5.3.7.)
> ....
>
>     Dan
>
>
> On Wed, Jan 16, 2019 at 3:23 PM <cur...@newschool.edu> wrote:
>
>>
>> Has anyone figured out how to make Authentication Policies, as documented
>> here:
>>
>>
>> https://apereo.github.io/cas/5.2.x/installation/Configuring-Authentication-Components.html#authentication-policy
>>
>>
>> and here:
>>
>>
>> https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#authentication-policy
>>
>>
>> actually work? I've been messing around with it for an entire day now,
>> and it seems to me that:
>>
>>    1. You cannot DISABLE the "any" policy; you can only enable/disable
>>    the "tryAll" option
>>    2. You CAN enable the "notPrevented" policy, but you have no way to
>>    control what it considers "Prevented"
>>    3. You CANNOT enable the "all" or "allHandlers" policies
>>
>> We're running CAS 5.2.7, but I'll take answers for any version, at this
>> point.
>>
>> Thanks,
>> --Dave
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+unsubscr...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/c3d3dd00-5156-4d52-a1a6-32739d7d03b5%40apereo.org
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/c3d3dd00-5156-4d52-a1a6-32739d7d03b5%40apereo.org?utm_medium=email&utm_source=footer>
>> .
>>

