Hi Artur,
I gave it a try this morning; this is exactly what I've done:
- I flushed the db before
- cloned a brand new cas-overlay-template version=*7.1.0-SNAPSHOT* and
springBootVersion=3.3.1 (this morning master branch)
- First I gave it a try and *I can confirm to you that I could not
register my device with this version*.
- Then I edited
https://github.com/apereo/cas/blob/master/support/cas-server-support-thymeleaf/src/main/resources/templates/gauth/casGoogleAuthenticatorRegistrationView.html
:
nano src/main/resources/templates/gauth/casGoogleAuthenticatorRegistrationView.html
changed line 20 from
<form method="post" id="fm1" class="fm-v clearfix" th:action="@{${'/' + activeFlowId} }">
to
<form method="post" id="fm1" class="fm-v clearfix" th:action="@{/login}">
- built and deployed the .war into tomcat again (gradlew then mv as you
did)
- flushed my former cas entry in my device (google authenticator on my
mobile phone)
Then I was able to register my mobile phone again and was able to log in.
After that, and because I like gaming, I deleted the
src/main/resources/templates/gauth/casGoogleAuthenticatorRegistrationView.html
and regradlewed again all that stuff, but I did not flush the db so my
device is still registered: I'm able to log in but cannot register any
other devices ...
I would not submit a PR, because it looks more like a new mfa global
strategy change than a typo ...
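
The denial discussed in the quoted messages below (a POST to /mfa-gauth that Web Flow maps to the mfa-gauth flow but Spring Security rejects) can be picked out of a DEBUG/TRACE log mechanically. The Python script here is an added example, not part of the original thread or of CAS; its sample log is constructed in the thread's format and the function names are hypothetical.

```python
import re

# Constructed sample in the format quoted in this thread: mail-quoted ('>>>>')
# and hard-wrapped, so one log record is spread over several lines.
SAMPLE = """\
>>>> 2024-01-10 15:49:10,715 DEBUG
>>>> [org.springframework.webflow.mvc.servlet.FlowHandlerMapping] - <Mapping
>>>> request with URI '/cas/mfa-gauth' to flow with id 'mfa-gauth'>
>>>> 2024-01-10 15:49:10,716 DEBUG
>>>> [org.springframework.security.web.FilterChainProxy] - <Securing POST
>>>> /mfa-gauth>
>>>> 2024-01-10 15:49:10,739 TRACE
>>>> [org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager]
>>>>
>>>> - <Denying request since did not find matching RequestMatcher>
>>>> 2024-01-10 15:49:13,462 DEBUG
>>>> [org.springframework.security.web.authentication.Http403ForbiddenEntryPoint]
>>>>
>>>> - <Pre-authenticated entry point called. Rejecting access>
>>>> 2024-01-10 15:49:13,503 DEBUG
>>>> [org.springframework.security.web.FilterChainProxy] - <Securing POST
>>>> /error>
>>>> 2024-01-10 15:49:20,001 DEBUG
>>>> [org.springframework.security.web.FilterChainProxy] - <Securing POST
>>>> /login>
"""

QUOTE = re.compile(r"^(?:>\s?)+")  # leading mail quote markers
STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\b")
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\]\s+-\s+<(?P<msg>.*?)>(?:\s|$)", re.S)
SECURING = re.compile(r"^Securing (?P<method>[A-Z]+) (?P<path>\S+)$")
FLOW = re.compile(
    r"^Mapping request with URI '(?P<uri>[^']+)' to flow with id '(?P<flow>[^']+)'$")
# Messages that mark a rejection; both appear in the logs quoted in this thread.
DENIALS = (
    "Denying request since did not find matching RequestMatcher",
    "Pre-authenticated entry point called. Rejecting access",
)


def records(text):
    """Undo mail quoting and hard wrapping, then yield one dict per log record."""
    buf = []
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if not line:
            continue
        if STAMP.match(line) and buf:  # a new timestamp closes the previous record
            m = RECORD.match(" ".join(buf))
            if m:
                yield m.groupdict()
            buf.clear()
        buf.append(line)
    if buf:
        m = RECORD.match(" ".join(buf))
        if m:
            yield m.groupdict()


def last_segment(path):
    """'/cas/mfa-gauth' and '/mfa-gauth' both give 'mfa-gauth' (context path differs)."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def denied_requests(text):
    """Return the requests the security filter chain rejected, with the flow they hit."""
    flows = {}      # last URI segment -> webflow id that claimed the request
    findings = []
    current = None  # request currently going through the filter chain
    for rec in records(text):
        logger = rec["logger"].rsplit(".", 1)[-1]
        msg = rec["msg"]
        m = FLOW.match(msg)
        if m:
            flows[last_segment(m["uri"])] = m["flow"]
            continue
        m = SECURING.match(msg)
        if logger == "FilterChainProxy" and m:
            current = {"time": rec["ts"], "method": m["method"],
                       "path": m["path"], "flow": None, "denied_by": []}
            continue
        if current and any(d in msg for d in DENIALS):
            if not current["denied_by"]:
                findings.append(current)
            current["denied_by"].append(logger)
    for f in findings:
        f["flow"] = flows.get(last_segment(f["path"]))
    return findings


if __name__ == "__main__":
    for f in denied_requests(SAMPLE):
        print(f'{f["time"]} {f["method"]} {f["path"]} denied by '
              f'{", ".join(f["denied_by"])}; webflow id: {f["flow"]}')
```
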
On Thursday, June 27, 2024 at 15:29:56 UTC+2, artur mis wrote:
> I have changed casGoogleAuthenticatorRegistrationView.html
> ./gradlew getResource -PresourceName=casGoogleAuthenticatorRegistrationView.html
> Edit
> changes to:
> <form method="post" id="fm1" class="fm-v clearfix" th:action="@{/login}">
> ./gradlew clean build
> ./gradlew run
> logs:
> 2024-06-27 15:04:38,064 DEBUG
> [org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl]
> - <Getting FlowDefinition with id 'login'>
> 2024-06-27 15:04:38,064 DEBUG
> [org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl]
> - <Getting FlowDefinition with id 'mfa-gauth'>
> 2024-06-27 15:04:38,064 DEBUG
> [org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Resuming in
> org.springframework.webflow.mvc.servlet.MvcExternalContext@43d3c39c>
> 2024-06-27 15:04:38,064 DEBUG [org.springframework.webflow.engine.Flow] -
> <Restoring [FlowVariable@72d57e64 name = 'credential', valueFactory =
> [BeanFactoryVariableValueFactory@54271a0 type =
> GoogleAuthenticatorTokenCredential]]>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.mvc.view.AbstractMvcView] - <Processing user
> event 'submit'>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.mvc.view.AbstractMvcView] - <No model to bind
> to; done processing user event>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.engine.ViewState] - <Event 'submit' returned
> from view [CasMvcViewFactoryCreator.CasServletMvcView@19fcc87f view =
> org.thymeleaf.spring6.view.ThymeleafView@20a0257c]>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.engine.Transition] - <Executing
> [Transition@78d19fd5 on = submit, to = saveRegistration]>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.engine.Transition] - <Exiting state
> 'viewRegistration'>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.engine.ActionState] - <Entering state
> 'saveRegistration' of flow 'mfa-gauth'>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.execution.ActionExecutor] - <Executing
> [EvaluateAction@2858a08b expression = googleSaveAccountRegistrationAction,
> resultExpression = [null]]>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.execution.ActionExecutor] - <Executing
> org.apereo.cas.gauth.web.flow.GoogleAuthenticatorSaveRegistrationAction@accba2d>
> 2024-06-27 15:04:38,065 DEBUG
> [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator]
>
> - <Authorizing token [442461] against account
> [OneTimeTokenAccount(id=1719493478065, validationCode=583590,
> username=casuser, name=serene_faraday,
> registrationDate=2024-06-27T13:04:38.065457164Z, lastUsedDateTime=null,
> source=null)]>
> 2024-06-27 15:04:38,065 WARN
> [org.apereo.cas.gauth.web.flow.GoogleAuthenticatorSaveRegistrationAction] -
> <Unable to authorize given token [442461] for account
> [OneTimeTokenAccount(id=1719493478065, validationCode=583590,
> username=casuser, name=serene_faraday,
> registrationDate=2024-06-27T13:04:38.065457164Z, lastUsedDateTime=null,
> source=null)]>
> 2024-06-27 15:04:38,065 ERROR
> [org.apereo.cas.otp.web.flow.OneTimeTokenAccountSaveRegistrationAction] -
> <Unable to validate account [OneTimeTokenAccount(id=1719493478065,
> validationCode=583590, username=casuser, name=serene_faraday,
> registrationDate=2024-06-27T13:04:38.065457164Z, lastUsedDateTime=null,
> source=null)]>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.execution.ActionExecutor] - <Finished
> executing
> org.apereo.cas.gauth.web.flow.GoogleAuthenticatorSaveRegistrationAction@accba2d;
>
> result = error>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.execution.ActionExecutor] - <Finished
> executing [EvaluateAction@2858a08b expression =
> googleSaveAccountRegistrationAction, resultExpression = [null]]; result =
> error>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.engine.Transition] - <Executing
> [Transition@21706f35 on = *, to = accountRegistrationCheck]>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.engine.Transition] - <Exiting state
> 'saveRegistration'>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.engine.ActionState] - <Entering state
> 'accountRegistrationCheck' of flow 'mfa-gauth'>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.execution.ActionExecutor] - <Executing
> [EvaluateAction@27d141a0 expression = googleAccountCheckRegistrationAction,
> resultExpression = [null]]>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.execution.ActionExecutor] - <Executing
> org.apereo.cas.otp.web.flow.OneTimeTokenAccountCheckRegistrationAction@d6db36a>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.execution.ActionExecutor] - <Finished
> executing
> org.apereo.cas.otp.web.flow.OneTimeTokenAccountCheckRegistrationAction@d6db36a;
>
> result = register>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.execution.ActionExecutor] - <Finished
> executing [EvaluateAction@27d141a0 expression =
> googleAccountCheckRegistrationAction, resultExpression = [null]]; result =
> register>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.engine.Transition] - <Executing
> [Transition@27ba422f on = register, to = viewRegistration]>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.engine.Transition] - <Exiting state
> 'accountRegistrationCheck'>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.engine.ViewState] - <Entering state
> 'viewRegistration' of flow 'mfa-gauth'>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.execution.ActionExecutor] - <Executing
> [SetAction@28627feb name = viewScope.principal, value =
> conversationScope.authentication.principal]>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.execution.ActionExecutor] - <Finished
> executing [SetAction@28627feb name = viewScope.principal, value =
> conversationScope.authentication.principal]; result = success>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.execution.ActionExecutor] - <Executing
> [EvaluateAction@127cb29e expression =
> googleAccountCreateRegistrationAction, resultExpression = [null]]>
> 2024-06-27 15:04:38,065 DEBUG
> [org.springframework.webflow.execution.ActionExecutor] - <Executing
> org.apereo.cas.otp.web.flow.OneTimeTokenAccountCreateRegistrationAction@3208f7f>
> 2024-06-27 15:04:38,071 DEBUG
> [org.apereo.cas.otp.web.flow.OneTimeTokenAccountCreateRegistrationAction] -
> <Registration key URI is
> [otpauth://totp/CASLabel:casuser?secret=****************]>
>
>
> I was thinking that I have the wrong sync time because:
> 2024-06-27 15:04:38,065 ERROR
> [org.apereo.cas.otp.web.flow.OneTimeTokenAccountSaveRegistrationAction] -
> <Unable to validate account [OneTimeTokenAccount(id=1719493478065,
> validationCode=583590, username=casuser, name=serene_faraday,
> registrationDate=2024-06-27T13:04:38.065457164Z, lastUsedDateTime=null,
> source=null)]>
> The logs are in CEST but some internal logs are in UTC, but they look the
> same after calculation.
>
>
> Finally: I haven't received logs like before with 403, but:
> 024-06-27 15:25:53,702 DEBUG
> [org.springframework.web.servlet.DispatcherServlet] - <Completed 401
> UNAUTHORIZED>
> So I'm still in black ass.
>
> On Thursday, June 27, 2024 at 1:11:29 PM UTC+2 artur mis wrote:
>
>> Could anybody confirm that this issue still appears in v7.1?
>> It seems I have the same. My logs:
>>
>> [env: as simple as possible, casuser:Mellon with mf-gauth run by ./gradlew
>> run debug, time synced with ntpd server]
>>
>> 2024-06-27 12:09:08,262 DEBUG
>> [org.springframework.webflow.mvc.servlet.FlowHandlerMapping] - <Mapping
>> request with URI '/cas/mfa-gauth' to flow with id 'mfa-gauth'>
>> 2024-06-27 12:09:08,262 DEBUG
>> [org.springframework.webflow.mvc.servlet.FlowHandlerMapping] - <Mapping
>> request with URI '/cas/mfa-gauth' to flow with id 'mfa-gauth'>
>> 2024-06-27 12:09:08,263 DEBUG
>> [org.springframework.boot.actuate.audit.listener.AuditListener] -
>> <AuditEvent [timestamp=2024-06-27T10:09:08.263569200Z,
>> principal=anonymousUser, type=AUTHORIZATION_FAILURE,
>> data={details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1,
>> SessionId=null]}]>
>> 2024-06-27 12:09:08,266 DEBUG
>> [org.springframework.web.servlet.DispatcherServlet] - <"ERROR" dispatch for
>> POST "/cas/error", parameters={masked}>
>> 2024-06-27 12:09:08,266 DEBUG
>> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
>>
>> - <Mapped to
>> org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)>
>> 2024-06-27 12:09:08,267 DEBUG
>> [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor]
>>
>> - <Using 'application/vnd.cas.services+yaml', given [*/*] and supported
>> [application/vnd.cas.services+yaml, application/json, application/*+json,
>> application/xml;charset=UTF-8, text/xml;charset=UTF-8,
>> application/*+xml;charset=UTF-8]>
>> 2024-06-27 12:09:08,268 DEBUG
>> [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor]
>>
>> - <Writing [{timestamp=Thu Jun 27 12:09:08 CEST 2024, status=403,
>> error=Forbidden, message=Access Denied, path=/ (truncated)...]>
>> 2024-06-27 12:09:08,269 DEBUG
>> [org.springframework.web.servlet.DispatcherServlet] - <Exiting from "ERROR"
>> dispatch, status 403>
>> 2024-06-27 12:09:16,765 DEBUG
>> [org.apereo.cas.otp.repository.token.OneTimeTokenRepositoryCleaner] -
>> <Starting to clean previously used authenticator tokens from
>> [BaseOneTimeTokenRepository()] at
>> [2024-06-27T12:09:16.765857631+02:00[Europe/Warsaw]]>
>>
>> On Wednesday, January 10, 2024 at 7:52:52 PM UTC+1 Al Faller wrote:
>>
>>> Did some http level comparison between 6.6 and 7.0 -
>>> 6.6 sends the POST to /cas/login, whereas
>>> 7.0 sends the POST to /cas/mfa-gauth
>>>
>>> So, editing the form action in the html for the device registration, I
>>> set the action=/cas/login on my 7.0 test and it worked!
>>>
>>> Looks like the form was changed in commit 15580dc in October, for "allow
>>> account profile to allow users to register devices with gauth". I don't
>>> pretend to understand how the flow was changed, but maybe this will help
>>> someone with straightening this out. Unfortunately my hack works fine with
>>> a vanilla version of CAS running, but does not work once I turn on all of
>>> the features I need (I get different errors though, which is likely related
>>> to the flow changes).
>>>
>>>
>>>
>>>
>>>
>>> On Wed, Jan 10, 2024 at 11:00 AM Al Faller <[email protected]> wrote:
>>>
>>>> Hi All -
>>>>
>>>> Turned on debugging for spring and it looks like spring is sending the
>>>> error:
>>>>
>>>> 2024-01-10 15:49:02,787 INFO
>>>> [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0]
>>>> expired tickets removed.>
>>>> 2024-01-10 15:49:10,713 DEBUG
>>>> [org.springframework.webflow.mvc.servlet.FlowHandlerMapping] - <Mapping
>>>> request with URI '/cas/mfa-gauth' to flow with id 'mfa-gauth'>
>>>> 2024-01-10 15:49:10,715 DEBUG
>>>> [org.springframework.webflow.mvc.servlet.FlowHandlerMapping] - <Mapping
>>>> request with URI '/cas/mfa-gauth' to flow with id 'mfa-gauth'>
>>>> 2024-01-10 15:49:10,716 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Trying to match
>>>> request against DefaultSecurityFilterChain [RequestMatcher=any request,
>>>> Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@b09f0dd,
>>>>
>>>> org.springframework.security.web.access.channel.ChannelProcessingFilter@72011381,
>>>>
>>>> org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@782e15e,
>>>>
>>>> org.springframework.security.web.context.SecurityContextHolderFilter@3824c76c,
>>>>
>>>> org.springframework.web.filter.CorsFilter@3baaf6b3,
>>>> org.springframework.security.web.savedrequest.RequestCacheAwareFilter@465fbf9b,
>>>>
>>>> org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@32ec28f8,
>>>>
>>>> org.springframework.security.web.authentication.AnonymousAuthenticationFilter@336656e0,
>>>>
>>>> org.springframework.security.web.access.ExceptionTranslationFilter@2410c8fa,
>>>>
>>>> org.springframework.security.web.access.intercept.AuthorizationFilter@19ff9d9a]]
>>>>
>>>> (1/1)>
>>>> 2024-01-10 15:49:10,716 DEBUG
>>>> [org.springframework.security.web.FilterChainProxy] - <Securing POST
>>>> /mfa-gauth>
>>>> 2024-01-10 15:49:10,716 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Invoking
>>>> DisableEncodeUrlFilter (1/10)>
>>>> 2024-01-10 15:49:10,717 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Invoking
>>>> ChannelProcessingFilter (2/10)>
>>>> 2024-01-10 15:49:10,717 TRACE
>>>> [org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource]
>>>>
>>>> - <Did not match request to
>>>> org.apereo.cas.web.security.CasWebSecurityConfigurerAdapter$$Lambda/0x00007f631cae9678@1cc4d16
>>>>
>>>> - [REQUIRES_SECURE_CHANNEL] (1/1)>
>>>> 2024-01-10 15:49:10,718 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Invoking
>>>> WebAsyncManagerIntegrationFilter (3/10)>
>>>> 2024-01-10 15:49:10,718 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Invoking
>>>> SecurityContextHolderFilter (4/10)>
>>>> 2024-01-10 15:49:10,718 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Invoking CorsFilter
>>>> (5/10)>
>>>> 2024-01-10 15:49:10,719 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Invoking
>>>> RequestCacheAwareFilter (6/10)>
>>>> 2024-01-10 15:49:10,719 TRACE
>>>> [org.springframework.security.web.savedrequest.HttpSessionRequestCache] -
>>>> <matchingRequestParameterName is required for getMatchingRequest to lookup
>>>> a value, but not provided>
>>>> 2024-01-10 15:49:10,719 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Invoking
>>>> SecurityContextHolderAwareRequestFilter (7/10)>
>>>> 2024-01-10 15:49:10,719 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Invoking
>>>> AnonymousAuthenticationFilter (8/10)>
>>>> 2024-01-10 15:49:10,719 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Invoking
>>>> ExceptionTranslationFilter (9/10)>
>>>> 2024-01-10 15:49:10,719 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Invoking
>>>> AuthorizationFilter (10/10)>
>>>> 2024-01-10 15:49:10,720 TRACE
>>>> [org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager]
>>>>
>>>> - <Authorizing SecurityContextHolderAwareRequestWrapper[
>>>> FirewalledRequest[
>>>> org.apache.catalina.connector.RequestFacade@4d5329b9]]>
>>>> 2024-01-10 15:49:10,739 TRACE
>>>> [org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager]
>>>>
>>>> - <Denying request since did not find matching RequestMatcher>
>>>> 2024-01-10 15:49:13,459 TRACE
>>>> [org.springframework.security.web.context.SupplierDeferredSecurityContext]
>>>> - <Created SecurityContextImpl [Null authentication]>
>>>> 2024-01-10 15:49:13,459 TRACE
>>>> [org.springframework.security.web.context.HttpSessionSecurityContextRepository]
>>>>
>>>> - <No HttpSession currently exists>
>>>> 2024-01-10 15:49:13,459 TRACE
>>>> [org.springframework.security.web.context.SupplierDeferredSecurityContext]
>>>> - <Created SecurityContextImpl [Null authentication]>
>>>> 2024-01-10 15:49:13,459 TRACE
>>>> [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]
>>>>
>>>> - <Set SecurityContextHolder to AnonymousAuthenticationToken
>>>> [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true,
>>>> Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1,
>>>> SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]>
>>>> 2024-01-10 15:49:13,460 TRACE
>>>> [org.springframework.security.web.access.ExceptionTranslationFilter] -
>>>> <Sending AnonymousAuthenticationToken [Principal=anonymousUser,
>>>> Credentials=[PROTECTED], Authenticated=true,
>>>> Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1,
>>>> SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] to authentication
>>>> entry point since access is denied>
>>>> org.springframework.security.access.AccessDeniedException: Access Denied
>>>> at
>>>> org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:98)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
>>>> at
>>>> org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
>>>> at
>>>> org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
>>>> at
>>>> org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
>>>> at
>>>> org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
>>>> at
>>>> org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
>>>> at
>>>> org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:91)
>>>> at
>>>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
>>>> at
>>>> org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:75)
>>>> at
>>>> org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
>>>> at
>>>> org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62)
>>>> at
>>>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
>>>> at
>>>> org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:133)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
>>>> at
>>>> org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42)
>>>> at
>>>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$AroundFilterObservation$SimpleAroundFilterObservation.lambda$wrap$0(ObservationFilterChainDecorator.java:323)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:224)
>>>> at
>>>> org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
>>>> at
>>>> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233)
>>>> at
>>>> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191)
>>>> at
>>>> org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
>>>> at
>>>> org.springframework.web.servlet.handler.HandlerMappingIntrospector.lambda$createCacheFilter$3(HandlerMappingIntrospector.java:195)
>>>> at
>>>> org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
>>>> at
>>>> org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74)
>>>> at
>>>> org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$CompositeFilterChainProxy.doFilter(WebMvcSecurityConfiguration.java:225)
>>>> at
>>>> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352)
>>>> at
>>>> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
>>>> at
>>>> org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
>>>> at
>>>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
>>>> at
>>>> org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
>>>> at
>>>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
>>>> at
>>>> org.springframework.web.filter.ServerHttpObservationFilter.doFilterInternal(ServerHttpObservationFilter.java:109)
>>>> at
>>>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
>>>> at
>>>> org.apereo.cas.logging.web.ThreadContextMDCServletFilter.doFilter(ThreadContextMDCServletFilter.java:95)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
>>>> at
>>>> org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
>>>> at
>>>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
>>>> at
>>>> org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82)
>>>> at
>>>> org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
>>>> at
>>>> org.apereo.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:32)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
>>>> at
>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
>>>> at
>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
>>>> at
>>>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
>>>> at
>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115)
>>>> at
>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
>>>> at
>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
>>>> at
>>>> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:673)
>>>> at
>>>> org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:735)
>>>> at
>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:340)
>>>> at
>>>> org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:391)
>>>> at
>>>> org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
>>>> at
>>>> org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:896)
>>>> at
>>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1744)
>>>> at
>>>> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
>>>> at java.base/java.lang.VirtualThread.run(VirtualThread.java:309)
>>>> 2024-01-10 15:49:13,462 TRACE
>>>> [org.springframework.security.web.savedrequest.HttpSessionRequestCache] -
>>>> <Did not save request since it did not match [And [Not [Ant
>>>> [pattern='/**/favicon.*']], Not [MediaTypeRequestMatcher
>>>> [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@52ed42d6,
>>>>
>>>> matchingMediaTypes=[application/json], useEquals=false,
>>>> ignoredMediaTypes=[*/*]]], Not [RequestHeaderRequestMatcher
>>>> [expectedHeaderName=X-Requested-With,
>>>> expectedHeaderValue=XMLHttpRequest]],
>>>> Not [MediaTypeRequestMatcher
>>>> [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@52ed42d6,
>>>>
>>>> matchingMediaTypes=[multipart/form-data], useEquals=false,
>>>> ignoredMediaTypes=[*/*]]], Not [MediaTypeRequestMatcher
>>>> [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@52ed42d6,
>>>>
>>>> matchingMediaTypes=[text/event-stream], useEquals=false,
>>>> ignoredMediaTypes=[*/*]]]]]>
>>>> 2024-01-10 15:49:13,462 DEBUG
>>>> [org.springframework.security.web.authentication.Http403ForbiddenEntryPoint]
>>>>
>>>> - <Pre-authenticated entry point called. Rejecting access>
>>>> 2024-01-10 15:49:13,485 TRACE
>>>> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
>>>>
>>>> - <2 matching mappings: [{ [/error]}, { [/error], produces [text/html]}]>
>>>> 2024-01-10 15:49:13,503 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Trying to match
>>>> request against DefaultSecurityFilterChain [RequestMatcher=any request,
>>>> Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@b09f0dd,
>>>>
>>>> org.springframework.security.web.access.channel.ChannelProcessingFilter@72011381,
>>>>
>>>> org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@782e15e,
>>>>
>>>> org.springframework.security.web.context.SecurityContextHolderFilter@3824c76c,
>>>>
>>>> org.springframework.web.filter.CorsFilter@3baaf6b3,
>>>> org.springframework.security.web.savedrequest.RequestCacheAwareFilter@465fbf9b,
>>>>
>>>> org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@32ec28f8,
>>>>
>>>> org.springframework.security.web.authentication.AnonymousAuthenticationFilter@336656e0,
>>>>
>>>> org.springframework.security.web.access.ExceptionTranslationFilter@2410c8fa,
>>>>
>>>> org.springframework.security.web.access.intercept.AuthorizationFilter@19ff9d9a]]
>>>>
>>>> (1/1)>
>>>> 2024-01-10 15:49:13,503 DEBUG
>>>> [org.springframework.security.web.FilterChainProxy] - <Securing POST
>>>> /error>
>>>> 2024-01-10 15:49:13,503 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Invoking
>>>> DisableEncodeUrlFilter (1/10)>
>>>> 2024-01-10 15:49:13,503 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Invoking
>>>> ChannelProcessingFilter (2/10)>
>>>> 2024-01-10 15:49:13,503 TRACE
>>>> [org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource]
>>>>
>>>> - <Did not match request to
>>>> org.apereo.cas.web.security.CasWebSecurityConfigurerAdapter$$Lambda/0x00007f631cae9678@1cc4d16
>>>>
>>>> - [REQUIRES_SECURE_CHANNEL] (1/1)>
>>>> 2024-01-10 15:49:13,503 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Invoking
>>>> WebAsyncManagerIntegrationFilter (3/10)>
>>>> 2024-01-10 15:49:13,503 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Invoking
>>>> SecurityContextHolderFilter (4/10)>
>>>> 2024-01-10 15:49:13,503 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Invoking CorsFilter
>>>> (5/10)>
>>>> 2024-01-10 15:49:13,503 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Invoking
>>>> RequestCacheAwareFilter (6/10)>
>>>> 2024-01-10 15:49:13,503 TRACE
>>>> [org.springframework.security.web.savedrequest.HttpSessionRequestCache] -
>>>> <matchingRequestParameterName is required for getMatchingRequest to lookup
>>>> a value, but not provided>
>>>> 2024-01-10 15:49:13,503 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Invoking
>>>> SecurityContextHolderAwareRequestFilter (7/10)>
>>>> 2024-01-10 15:49:13,503 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Invoking
>>>> AnonymousAuthenticationFilter (8/10)>
>>>> 2024-01-10 15:49:13,503 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Invoking
>>>> ExceptionTranslationFilter (9/10)>
>>>> 2024-01-10 15:49:13,503 TRACE
>>>> [org.springframework.security.web.FilterChainProxy] - <Invoking
>>>> AuthorizationFilter (10/10)>
>>>> 2024-01-10 15:49:13,504 TRACE
>>>> [org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager]
>>>>
>>>> - <Authorizing SecurityContextHolderAwareRequestWrapper[
>>>> FirewalledRequest[
>>>> org.apache.catalina.core.ApplicationHttpRequest@16ba441]]>
>>>> 2024-01-10 15:49:13,504 TRACE
>>>> [org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager]
>>>>
>>>> - <Checking authorization on SecurityContextHolderAwareRequestWrapper[
>>>> FirewalledRequest[
>>>> org.apache.catalina.core.ApplicationHttpRequest@16ba441]] using
>>>> org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer$$Lambda/0x00007f631caeb020@73216a8b>
>>>> 2024-01-10 15:49:13,504 DEBUG
>>>> [org.springframework.security.web.FilterChainProxy] - <Secured POST /error>
>>>> 2024-01-10 15:49:13,504 TRACE
>>>> [org.springframework.web.servlet.i18n.CookieLocaleResolver] - <Parsed
>>>> cookie value [en-US] into locale 'en_US'>
>>>> 2024-01-10 15:49:13,504 TRACE
>>>> [org.springframework.web.servlet.DispatcherServlet] - <"ERROR" dispatch
>>>> for
>>>> POST "/cas/error", parameters={masked}, headers={masked} in
>>>> DispatcherServlet 'dispatcherServlet'>
>>>> 2024-01-10 15:49:13,505 TRACE
>>>> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
>>>>
>>>> - <2 matching mappings: [{ [/error]}, { [/error], produces [text/html]}]>
>>>> 2024-01-10 15:49:13,505 TRACE
>>>> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
>>>>
>>>> - <Mapped to
>>>> org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)>
>>>> 2024-01-10 15:49:13,513 TRACE
>>>> [org.springframework.web.method.HandlerMethod] - <Arguments:
>>>> [org.springframework.web.servlet.resource.ResourceUrlEncodingFilter$ResourceUrlEncodingRequestWrapper@3b6c3379]>
>>>> 2024-01-10 15:49:13,531 DEBUG
>>>> [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor]
>>>>
>>>> - <Using 'application/vnd.cas.services+yaml', given [*/*] and supported
>>>> [application/vnd.cas.services+yaml, application/json, application/*+json,
>>>> application/xml;charset=UTF-8, text/xml;charset=UTF-8,
>>>> application/*+xml;charset=UTF-8]>
>>>> 2024-01-10 15:49:13,531 TRACE
>>>> [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor]
>>>>
>>>> - <Writing [{timestamp=Wed Jan 10 15:49:13 UTC 2024, status=403,
>>>> error=Forbidden, message=Access Denied, path=/cas/mfa-gauth}]>
>>>> 2024-01-10 15:49:13,574 TRACE
>>>> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter]
>>>>
>>>> - <Applying default cacheSeconds=-1>
>>>> 2024-01-10 15:49:13,574 TRACE
>>>> [org.springframework.web.servlet.DispatcherServlet] - <No view rendering,
>>>> null ModelAndView returned.>
>>>> 2024-01-10 15:49:13,576 DEBUG
>>>> [org.springframework.web.servlet.DispatcherServlet] - <Exiting from
>>>> "ERROR"
>>>> dispatch, status 403, headers={masked}>
>>>> 2024-01-10 15:49:13,576 TRACE
>>>> [org.springframework.security.web.context.SupplierDeferredSecurityContext]
>>>> - <Created SecurityContextImpl [Null authentication]>
>>>> 2024-01-10 15:49:13,576 TRACE
>>>> [org.springframework.security.web.context.HttpSessionSecurityContextRepository]
>>>>
>>>> - <No HttpSession currently exists>
>>>> 2024-01-10 15:49:13,576 TRACE
>>>> [org.springframework.security.web.context.SupplierDeferredSecurityContext]
>>>> - <Created SecurityContextImpl [Null authentication]>
>>>> 2024-01-10 15:49:13,576 TRACE
>>>> [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]
>>>>
>>>> - <Set SecurityContextHolder to AnonymousAuthenticationToken
>>>> [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true,
>>>> Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1,
>>>> SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]>
>>>>
>>>> On Wednesday, January 10, 2024 at 7:57:27 AM UTC-5 Frédéric Dussurget
>>>> wrote:
>>>>
>>>>> Hi Al,
>>>>> I've got the same issue, could not fix it. F12 console in your
>>>>> browser might throw a 401 error ... (for info my db backend is redis)
>>>>> we have a topic here :
>>>>> https://groups.google.com/a/apereo.org/g/cas-user/c/XKFgFS__U9M
>>>>> regards,
>>>>>
>>>>>
>>>>> On Wednesday, January 10, 2024 at 05:26:03 UTC+1, Al Faller wrote:
>>>>>
>>>>>> Hi -
>>>>>>
>>>>>> Trying to get mfa-gauth working with 7.0. Unfortunately when I'm
>>>>>> attempting to "Confirm account registration" (save my new device), I
>>>>>> receive a 403 error back from CAS at /cas/mfa-gauth and an error on the
>>>>>> screen. I can reproduce this with a clean copy of the overlay. My
>>>>>> steps:
>>>>>>
>>>>>> - add 'implementation "org.apereo.cas:cas-server-support-gauth"' to
>>>>>> the build.gradle
>>>>>> - ./gradlew build
>>>>>> - add cas.authn.mfa.triggers.global.global-provider-id=mfa-gauth to
>>>>>> /etc/cas/config/cas.properties
>>>>>> - java -jar build/libs/cas.war --server.ssl.enabled=false
>>>>>> --server.port=8080
>>>>>>
>>>>>> From chrome developer tools, looks like the following was returned:
>>>>>> --- !<java.util.LinkedHashMap>
>>>>>> timestamp: "2024-01-09T22:48:27.384+00:00"
>>>>>> status: 403
>>>>>> error: "Forbidden"
>>>>>> message: "Access Denied"
>>>>>> path: "/cas/mfa-gauth"
>>>>>>
>>>>>> added debug logging - nothing useful shows up.
>>>>>>
>>>>>> Attached is the screenshot:
>>>>>> [image: Screenshot from 2024-01-09 17-45-14.png]
>>>>>>
>>>>>> Any ideas why this might be breaking? I have tried 7.0 and master
>>>>>> with no luck.
>>>>>>
>>>>>> Thanks in advance,
>>>>>>
>>>>>> Al
>>>>>>
>>>>>>
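One way to pull the denied request out of a wrapped debug log like the one quoted above, as an added example (not part of the original thread and not CAS project code). The function names are assumptions of this example, and the sample reuses three records from the quoted log with their mail quoting left in place.

```python
import re

# Sample input: three records from the log quoted in this thread, embedded
# with their mail quote prefix and the mail client's line wrapping.
SAMPLE = """\
>>>> 2024-01-10 15:49:13,462 DEBUG
>>>> [org.springframework.security.web.authentication.Http403ForbiddenEntryPoint]
>>>>
>>>> - <Pre-authenticated entry point called. Rejecting access>
>>>> 2024-01-10 15:49:13,504 DEBUG
>>>> [org.springframework.security.web.FilterChainProxy] - <Secured POST /error>
>>>> 2024-01-10 15:49:13,531 TRACE
>>>> [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor]
>>>>
>>>> - <Writing [{timestamp=Wed Jan 10 15:49:13 UTC 2024, status=403,
>>>> error=Forbidden, message=Access Denied, path=/cas/mfa-gauth}]>
"""

STAMP = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} [A-Z]+\b")
RECORD = re.compile(r"^(\S+ \S+) ([A-Z]+) \[([^\]]+)\] - <(.*)>$")

def records(text):
    """Strip quote markers, rejoin wrapped lines, return (ts, level, logger, msg)."""
    joined = []
    for raw in text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw).strip()
        if STAMP.match(line):
            joined.append(line)          # a timestamp line opens a new record
        elif line and joined:
            joined[-1] += " " + line     # continuation of the current record
    return [m.groups() for m in map(RECORD.match, joined) if m]

def triage(text):
    """Summarise who rejected the request and which path was really denied."""
    report = {"entry_point": [], "dispatched": [], "denied": []}
    for ts, _level, logger, msg in records(text):
        if logger.endswith("EntryPoint") and "Rejecting access" in msg:
            report["entry_point"].append(logger.rsplit(".", 1)[-1])
        secured = re.match(r"Secured (\w+) (\S+)", msg)
        if secured:
            report["dispatched"].append(secured.groups())
        body = re.search(r"status=(\d+),.*?path=([^,}\s]+)", msg)
        if body and int(body[1]) >= 400:
            # The error body keeps the original path; the filter chain only logs /error.
            report["denied"].append((ts, int(body[1]), body[2]))
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The report separates the `/error` dispatch that the filter chain logs from the original path carried in the error body, which is the request that was actually refused.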
--
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/cf456f76-48ac-4f9e-9ac4-365960b81b8fn%40apereo.org.