I finally managed to get Netbeans and the various dependencies configured on my mac so I could set breakpoints on the method giving me fits ..
Seems in the overlay you implement this :

    public final class ChainingCredentialsToPrincipalResolver implements CredentialsToPrincipalResolver

looking at the breakpoint the chain is created [0] and its chain is size [0] ..

Some of these later code releases in 3.x seem to blend a lot of concepts from 4.x .. and as soon as the MFA overlay is ready for 4.x I'll move .. but meanwhile it's sort of a guessing game as to which of the new documentation to follow vs the old.

After some frustration with that exercise I just loaded *all* of the MFA overlays into Netbeans and built them to see which ones had problems .. and concluded that the -M6 overlay which builds 3.5.2.1 had none of the problems I see in the 3.6 series.

Since it seems that much of this is due to adapting the code to the 4.x branch is there an ETA on the overlay for that? .. or some alpha builds you want testers for?

Michael Holstein
Cleveland State University

________________________________
From: Misagh Moayyed <[email protected]>
Sent: Tuesday, July 28, 2015 6:31 AM
To: [email protected]
Subject: RE: [cas-user] CAS-MFA (rc6) and Radius

Sounds like a bug. Please open up an issue and we’ll look into this.

From: Michael O Holstein [mailto:[email protected]]
Sent: Monday, July 27, 2015 10:42 AM
To: [email protected]
Subject: Re:[cas-user] CAS-MFA (rc6) and Radius

Sorry to repost .. but even after picking through this over the weekend, I still can't find why the principal doesn't seem to get transferred between (RadiusAuthenticationHandler) back to (AuthenticationManagerImpl)

This is a vanilla install pulled from cas-mfa-rc6 ..
Specifically, how this :

2015-07-27 13:01:26,822 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler successfully authenticated [username: 1234567]

Goes to this :

2015-07-27 13:01:26,822 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal null

The only place CredentialsToPrincipalResolver exists is here inside deployerConfigContext.xml :

    <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
        <property name="credentialsToPrincipalResolvers">
            <list>
                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" >
                    <property name="attributeRepository" ref="attributeRepository" />
                </bean>

and also of interest .. the first stage (LDAP) is called with this :

    org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver

but the second stage (RADIUS) is called from here :

    org.jasig.cas.authentication.AuthenticationManagerImpl

Removing the authn_method requiring 'radius-two-factor' .. and everything (auth, release) works as it should.

Logging turned to 11 .. here is the relevant bits .. the username is obfuscated below, but is of all-numeric form as shown.

2015-07-27 13:01:26,822 DEBUG [net.unicon.cas.mfa.authentication.radius.JRadiusServerImpl] - Authentication request succeeded for host: [debauh1.csuohio.edu] and username [1234567]
2015-07-27 13:01:26,822 TRACE [org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler] - Leaving method [authenticate] with return value [true].
2015-07-27 13:01:26,822 TRACE [org.jasig.cas.authentication.principal.UsernamePasswordCredentials] - Entering method [toString with arguments []
2015-07-27 13:01:26,822 TRACE [org.jasig.cas.authentication.principal.UsernamePasswordCredentials] - Leaving method [toString] with return value [[username: 1234567]].
2015-07-27 13:01:26,822 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler successfully authenticated [username: 1234567]
2015-07-27 13:01:26,822 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal null
2015-07-27 13:01:26,822 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - CredentialsToPrincipalResolver found but no principal returned.
2015-07-27 13:01:26,822 TRACE [org.jasig.cas.authentication.AuthenticationManagerImpl] - Leaving method [authenticate] with return value [null].
2015-07-27 13:01:26,822 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Entering method [getCode with arguments []
2015-07-27 13:01:26,822 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Leaving method [getCode] with return value [error.authentication.credentials.bad].
2015-07-27 13:01:26,824 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Entering method [toString with arguments []
2015-07-27 13:01:26,824 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Entering method [getCode with arguments []
2015-07-27 13:01:26,824 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Leaving method [getCode] with return value [error.authentication.credentials.bad].
2015-07-27 13:01:26,824 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Leaving method [toString] with return value [error.authentication.credentials.bad].
2015-07-27 13:01:26,823 ERROR [net.unicon.cas.mfa.web.flow.TerminatingMultiFactorAuthenticationViaFormAction] - error.authentication.credentials.bad at org.jasig.cas.authentication.hand

TIA,

Michael Holstein
Cleveland State University

________________________________
From: Michael O Holstein <[email protected]>
Sent: Friday, July 24, 2015 4:20 PM
To: [email protected]
Subject: [cas-user] CAS-MFA (rc6) and Radius

Any ideas as to what I've done wrong here? .. this worked fine in RC2 .. but now I get a successful LDAP auth and a successful radiusOTP auth, but somewhere in the mix the principal gets lost.

CredentialsToPrincipalResolver gets invoked (and works fine on primary auth) .. how does it get lost during MFA?

2015-07-24 16:11:38,085 DEBUG [net.unicon.cas.mfa.authentication.radius.JRadiusServerImpl] - Authentication request succeeded for host: [myradius] and username [bob123]
2015-07-24 16:11:38,085 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler successfully authenticated [username: bob123]
2015-07-24 16:11:38,087 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal null
2015-07-24 16:11:38,087 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - CredentialsToPrincipalResolver found but no principal returned.
2015-07-24 16:11:38,102 ERROR [net.unicon.cas.mfa.web.flow.TerminatingMultiFactorAuthenticationViaFormAction] - error.authentication.credentials.bad

TIA,

Michael Holstein
Cleveland State University

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
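
Added example, not part of the original thread or of the CAS or cas-mfa code: a triage script that scans a CAS log for the pattern reported above, where a handler logs "successfully authenticated" and the next "Resolved principal" line from AuthenticationManagerImpl reports null. The function name and the sample log are constructed for illustration, and lines are paired by order because the log format shown carries no thread id.

```python
import re

MANAGER = "org.jasig.cas.authentication.AuthenticationManagerImpl"
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) [A-Z]+\s+"
                  r"\[(?P<logger>[^\]]+)\] - (?P<msg>.*)$")
SUCCESS = re.compile(r"^(?P<handler>\S+) successfully authenticated "
                     r"\[username: (?P<user>[^\]]+)\]$")
RESOLVED = re.compile(r"^Resolved principal (?P<principal>.+)$")

# Constructed sample in the log format quoted in the thread. The first handler
# name (org.example...), its resolved value and the RADIUS host are placeholders.
SAMPLE_LOG = """\
2015-07-27 13:01:20,101 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.example.PrimaryAuthenticationHandler successfully authenticated [username: 1234567]
2015-07-27 13:01:20,103 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal 1234567
2015-07-27 13:01:26,822 DEBUG [net.unicon.cas.mfa.authentication.radius.JRadiusServerImpl] - Authentication request succeeded for host: [radius.example.org] and username [1234567]
2015-07-27 13:01:26,822 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler successfully authenticated [username: 1234567]
2015-07-27 13:01:26,822 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal null
2015-07-27 13:01:26,822 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - CredentialsToPrincipalResolver found but no principal returned.
"""


def find_lost_principals(log_text):
    """Return (timestamp, handler, username) for every handler success whose
    next 'Resolved principal' line from AuthenticationManagerImpl is null."""
    findings, pending = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group("logger") != MANAGER:
            continue  # ignore other loggers (TRACE noise, RADIUS client, ...)
        msg = m.group("msg")
        ok = SUCCESS.match(msg)
        if ok:
            # Remember the most recent success until its resolution line shows up.
            pending = (m.group("ts"), ok.group("handler"), ok.group("user"))
            continue
        res = RESOLVED.match(msg)
        if res and pending:
            if res.group("principal") == "null":
                findings.append(pending)
            pending = None
    return findings


if __name__ == "__main__":
    for ts, handler, user in find_lost_principals(SAMPLE_LOG):
        print(f"{ts} {handler} authenticated {user} but no principal was resolved")
```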
