Hi Kostas,
thanks for sharing your findings, it does seem like a bug. For me, even
just *removing* the *"@ConditionalOnBean..."* line worked as well (done in
a custom config class though).
It looks like the aforementioned line is redundant, because the bean
referenced by the annotation is used conditionally via Spring's *ObjectProvider*
anyway - by calling *"authenticationThrottlingExecutionPlan.ifAvailable(plan -> { ..."*
on the provider instance.
Regards
Petr
On Monday 22 January 2024 at 15:09:22 UTC+1 Kostas Kalevras wrote:
> Just an update. Replacing
> <https://github.com/apereo/cas/blob/5e1035dde95094a951c9ea87993cdea29ab6c85c/support/cas-server-support-rest/src/main/java/org/apereo/cas/config/CasRestAutoConfiguration.java#L129C5-L129C23>
>
> @ConditionalOnBean with @DependsOn in order to make sure that the REST
> protocol is initialized *after* Authentication Throttling seems to fix
> things. So I guess there actually is a race condition with REST being
> initialized before throttling.
>
> Not sure if there's any other way to initialize beans with a specific
> order without code changes.
>
> On Thursday 18 January 2024 at 4:34:32 AM UTC+2, Kostas Kalevras wrote:
>
>> Hello all
>>
>> Using CAS 6.6.15 in a Docker setup with LDAP user repository.
>>
>> CAS/SAML/OIDC authentication works with no problem. Throttling CAS auth
>> requests also works without a problem.
>>
>> The relevant throttling configuration in cas.properties is as follows:
>>
>> # Failure Throttling
>> cas.authn.throttle.failure.threshold=1
>> cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
>> cas.authn.throttle.failure.range-seconds=30
>> cas.authn.throttle.core.username-parameter=username
>>
>> We have enabled REST Authentication which works without a problem:
>>
>> /# curl -sk https://sso-server:8443/cas/v1/users -d
>> 'username=test&password=test'|jq .authentication.credentials
>> [
>> {
>> "@class":
>> "org.apereo.cas.authentication.metadata.BasicCredentialMetaData",
>> "id": "test",
>> "credentialClass":
>> "org.apereo.cas.authentication.credential.UsernamePasswordCredential"
>> }
>> ]
>>
>> REST and throttling implementation in build.gradle:
>>
>> implementation "org.apereo.cas:cas-server-support-throttle"
>> implementation "org.apereo.cas:cas-server-support-rest"
>>
>> Yet no matter how we try, throttling REST auth requests does not work.
>> Looking at the relevant code
>> <https://github.com/apereo/cas/blob/5e1035dde95094a951c9ea87993cdea29ab6c85c/support/cas-server-support-rest/src/main/java/org/apereo/cas/config/CasRestAutoConfiguration.java#L127>,
>>
>> I see that throttling is implemented. Nevertheless, the debug line
>> <https://github.com/apereo/cas/blob/5e1035dde95094a951c9ea87993cdea29ab6c85c/support/cas-server-support-rest/src/main/java/org/apereo/cas/config/CasRestAutoConfiguration.java#L143>
>>
>> about "Activating authentication throttling for REST endpoints..." does not
>> seem to be called.
>>
>> My fear is for a race condition where REST is initialized before
>> throttling and the check
>> <https://github.com/apereo/cas/blob/5e1035dde95094a951c9ea87993cdea29ab6c85c/support/cas-server-support-rest/src/main/java/org/apereo/cas/config/CasRestAutoConfiguration.java#L129>
>>
>> for the relevant bean fails.
>>
>> Any help would be appreciated.
>>
>
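To make the bean-ordering problem discussed above concrete, here is an added Spring configuration sketch; it is not CAS code, and the ThrottlingPlan and RestEndpoints types and the bean names are hypothetical stand-ins. It places the @ConditionalOnBean variant beside the two alternatives raised in the thread:

```java
// Added illustration, not CAS code. All types and bean names are hypothetical.
package example;

import java.util.ArrayList;
import java.util.List;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;

/** Stand-in for a throttling execution plan that endpoints register with. */
interface ThrottlingPlan {
    void register(String endpoint);
}

/** Stand-in for the REST endpoint registration that should be throttled. */
class RestEndpoints {
    private final List<String> throttled = new ArrayList<>();
    void markThrottled(String path) { throttled.add(path); }
    List<String> throttled() { return throttled; }
}

@Configuration
class FragileRestConfig {
    // @ConditionalOnBean is evaluated while this configuration class is being
    // processed. If the throttling plan's definition has not been registered
    // yet at that moment, the whole bean method is silently skipped, so the
    // "activating throttling" path never runs even though ObjectProvider would
    // have resolved the plan later at bean-creation time.
    @Bean
    @ConditionalOnBean(name = "authenticationThrottlingExecutionPlan")
    RestEndpoints restEndpoints(ObjectProvider<ThrottlingPlan> authenticationThrottlingExecutionPlan) {
        RestEndpoints endpoints = new RestEndpoints();
        authenticationThrottlingExecutionPlan.ifAvailable(plan -> {
            plan.register("/v1/users");
            endpoints.markThrottled("/v1/users");
        });
        return endpoints;
    }
}

@Configuration
class RobustRestConfig {
    // Variant 1 (Petr): drop the condition and let ifAvailable() decide once
    // the context is fully populated; throttling stays optional.
    // Variant 2 (Kostas): keep the order explicit with @DependsOn. Note that
    // Spring then fails startup if the named bean is absent, i.e. the throttle
    // module becomes mandatory rather than optional.
    @Bean
    @DependsOn("authenticationThrottlingExecutionPlan")
    RestEndpoints restEndpoints(ObjectProvider<ThrottlingPlan> authenticationThrottlingExecutionPlan) {
        RestEndpoints endpoints = new RestEndpoints();
        authenticationThrottlingExecutionPlan.ifAvailable(plan -> {
            plan.register("/v1/users");
            endpoints.markThrottled("/v1/users");
        });
        return endpoints;
    }
}
```

Spring Boot's own documentation recommends @ConditionalOnBean only on auto-configuration classes for exactly this reason: the condition can only see bean definitions processed so far, so its outcome depends on registration order.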
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/efa24103-8b02-40fa-aa6b-f7ef1b6f4460n%40apereo.org.