Hello,
after configuring delegated authentication in CAS 7.0.6, we are getting
an incorrect error page *"Delegated Authentication Failure"* instead of
*"Application Not Authorized to Use CAS"* when supplying wrong "service"
to the CAS login page.
As this service check and error handling happen in the CAS servlet filter,
even the Groovy script set in
"cas.authn.pac4j.core.groovy-redirection-strategy.location" isn't called
(it would say "no" to delegated authentication in this case anyway). Yet,
we can also see this misleading line in the CAS log:
2025-10-15 18:22:09,372 DEBUG ...
[org.apereo.cas.web.flow.error.DefaultDelegatedClientAuthenticationFailureEvaluator]
Delegation request has failed. Details are [{code=500}]
It seems like the problem is caused by
*delegatedAuthenticationErrorViewResolver* being always executed before
*defaultMappedExceptionErrorViewResolver*, while *both* are mapped to the
*UnauthorizedServiceException* thrown from the filter. Moreover, the
*DefaultDelegatedClientAuthenticationFailureEvaluator* is being called
unconditionally
<https://github.com/apereo/cas/blob/v7.3.0/core/cas-server-core-web-api/src/main/java/org/apereo/cas/services/web/support/MappedExceptionErrorViewResolver.java#L45>,
even if the error view gets found based on the aforementioned exception =>
therefore the log line appears above.
Is it possible that this is fixed in a newer CAS version? From a quick peek
into the master branch code, the core logic of the resolvers still looks
the same...
Best regards
Petr