[cas-user] Cas Allow Any Required Handler for Service Ticket Validation

Tue, 24 Dec 2019 02:01:43 -0800 

I have a service definition as follows:

    ...
      "requiredHandlers": [
        "java.util.HashSet",
        [
          "FooAuthHandler",
          "BarAuthHandler"
        ]
      ],
    ...


There is a policy for /login flows where we can enable:

     cas.authn.policy.any.tryAll=false


     cas.authn.policy.any.enabled=true


so than if I successfully authenticated in one of the above it works. But 
if I call /ticket endpoint directly (via enabling CAS REST) than I get an 
exception. (Exception is too generic -> The application you attempted to 
authenticate to is not authorized to use CAS... Instead I will show where 
it thrown )

When I look at line from CAS Source 
<https://github.com/apereo/cas/blob/master/core/cas-server-core-validation-api/src/main/java/org/apereo/cas/validation/RegisteredServiceRequiredHandlersServiceTicketValidationAuthorizer.java#L41>

    val matchesAll = assertedHandlers.containsAll(registeredService.
getRequiredHandlers());
                    if (!matchesAll) {
                        throw new UnauthorizedServiceException(
UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, StringUtils.EMPTY);
                    }


It tries to check every handler that registered, in the TGT's successful 
handlers which I don't want. 

    assertedHandlers -> FooAuthHandler
    registeredService.getRequiredHandlers -> FooAuthHandler + BarAuthHandler


exception is thrown.

I check the source code and could not find a configuration to make it the 
same behavior with /login flow which I describe above (for any match). Am I 
missing something, how can I achieve this via /ticket endpoint?

CAS version: 6.0

CAS config:

    cas.authn.policy.any.tryAll=false
    cas.authn.policy.any.enabled=true

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/cd6e13fd-3d6c-4804-8d87-13adf5f17c88%40apereo.org.

Reply via email to