I ended up creating an issue to track this. Thanks for tracking this down. Please watch the repo to keep apprised of further activity.
At the time we started putting together this codebase, 4.x did not exist. Since then, much of the work we did and the lessons we learned transitioned over to CAS in one way or another, so it's true that a lot of the concepts you see in the MFA extension bear a resemblance to what CAS offers today. This is an ongoing effort. We don't have a 4.x branch yet, and I am not sure we will anytime soon. It may just be that we gradually start building MFA support into CAS itself. Whether this happens organically or via a funded development effort, I cannot say. All depends on bandwidth and opportune timing. If you are, however, interested in supporting the effort, by all means do reach out.

From: Michael O Holstein [mailto:[email protected]]
Sent: Thursday, July 30, 2015 6:35 AM
To: [email protected]
Subject: Re: [cas-user] CAS-MFA (rc6) and Radius

I finally managed to get Netbeans and the various dependencies configured on my mac so I could set breakpoints on the method giving me fits .. Seems in the overlay you implement this:

    public final class ChainingCredentialsToPrincipalResolver implements CredentialsToPrincipalResolver

Looking at the breakpoint, the chain is created [0] and its chain is size [0] ..

Some of these later code releases in 3.x seem to blend a lot of concepts from 4.x .. and as soon as the MFA overlay is ready for 4.x I'll move .. but meanwhile it's sort of a guessing game as to which of the new documentation to follow vs. the old. After some frustration with that exercise I just loaded *all* of the MFA overlays into Netbeans and built them to see which ones had problems .. and concluded that the -M6 overlay which builds 3.5.2.1 had none of the problems I see in the 3.6 series.

Since it seems that much of this is due to adapting the code to the 4.x branch, is there an ETA on the overlay for that? .. or some alpha builds you want testers for?
Michael Holstein
Cleveland State University

_____

From: Misagh Moayyed <[email protected]>
Sent: Tuesday, July 28, 2015 6:31 AM
To: [email protected]
Subject: RE: [cas-user] CAS-MFA (rc6) and Radius

Sounds like a bug. Please open up an issue and we'll look into this.

From: Michael O Holstein [mailto:[email protected]]
Sent: Monday, July 27, 2015 10:42 AM
To: [email protected]
Subject: Re: [cas-user] CAS-MFA (rc6) and Radius

Sorry to repost .. but even after picking through this over the weekend, I still can't find why the principal doesn't seem to get transferred between (RadiusAuthenticationHandler) back to (AuthenticationManagerImpl). This is a vanilla install pulled from cas-mfa-rc6 ..

Specifically, how this:

    2015-07-27 13:01:26,822 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler successfully authenticated [username: 1234567]

goes to this:

    2015-07-27 13:01:26,822 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal null

The only place CredentialsToPrincipalResolver exists is here inside deployerConfigContext.xml:

    <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
      <property name="credentialsToPrincipalResolvers">
        <list>
          <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
            <property name="attributeRepository" ref="attributeRepository" />
          </bean>

and also of interest .. the first stage (LDAP) is called with this:

    org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver

but the second stage (RADIUS) is called from here:

    org.jasig.cas.authentication.AuthenticationManagerImpl

Removing the authn_method requiring 'radius-two-factor' .. and everything (auth, release) works as it should.

Logging turned to 11 .. here are the relevant bits .. the username is obfuscated below, but is of all-numeric form as shown.

    2015-07-27 13:01:26,822 DEBUG [net.unicon.cas.mfa.authentication.radius.JRadiusServerImpl] - Authentication request succeeded for host: [debauh1.csuohio.edu] and username [1234567]
    2015-07-27 13:01:26,822 TRACE [org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler] - Leaving method [authenticate] with return value [true].
    2015-07-27 13:01:26,822 TRACE [org.jasig.cas.authentication.principal.UsernamePasswordCredentials] - Entering method [toString with arguments []
    2015-07-27 13:01:26,822 TRACE [org.jasig.cas.authentication.principal.UsernamePasswordCredentials] - Leaving method [toString] with return value [[username: 1234567]].
    2015-07-27 13:01:26,822 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler successfully authenticated [username: 1234567]
    2015-07-27 13:01:26,822 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal null
    2015-07-27 13:01:26,822 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - CredentialsToPrincipalResolver found but no principal returned.
    2015-07-27 13:01:26,822 TRACE [org.jasig.cas.authentication.AuthenticationManagerImpl] - Leaving method [authenticate] with return value [null].
    2015-07-27 13:01:26,822 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Entering method [getCode with arguments []
    2015-07-27 13:01:26,822 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Leaving method [getCode] with return value [error.authentication.credentials.bad].
    2015-07-27 13:01:26,824 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Entering method [toString with arguments []
    2015-07-27 13:01:26,824 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Entering method [getCode with arguments []
    2015-07-27 13:01:26,824 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Leaving method [getCode] with return value [error.authentication.credentials.bad].
    2015-07-27 13:01:26,824 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Leaving method [toString] with return value [error.authentication.credentials.bad].
    2015-07-27 13:01:26,823 ERROR [net.unicon.cas.mfa.web.flow.TerminatingMultiFactorAuthenticationViaFormAction] - error.authentication.credentials.bad at org.jasig.cas.authentication.hand

TIA,

Michael Holstein
Cleveland State University

_____

From: Michael O Holstein <[email protected]>
Sent: Friday, July 24, 2015 4:20 PM
To: [email protected]
Subject: [cas-user] CAS-MFA (rc6) and Radius

Any ideas as to what I've done wrong here? .. this worked fine in RC2 .. but now I get a successful LDAP auth and a successful radiusOTP auth, but somewhere in the mix the principal gets lost. CredentialsToPrincipalResolver gets invoked (and works fine on primary auth) .. how does it get lost during MFA?
    2015-07-24 16:11:38,085 DEBUG [net.unicon.cas.mfa.authentication.radius.JRadiusServerImpl] - Authentication request succeeded for host: [myradius] and username [bob123]
    2015-07-24 16:11:38,085 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler successfully authenticated [username: bob123]
    2015-07-24 16:11:38,087 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal null
    2015-07-24 16:11:38,087 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - CredentialsToPrincipalResolver found but no principal returned.
    2015-07-24 16:11:38,102 ERROR [net.unicon.cas.mfa.web.flow.TerminatingMultiFactorAuthenticationViaFormAction] - error.authentication.credentials.bad

TIA,

Michael Holstein
Cleveland State University

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
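The failure mode Michael's logs show, modeled as an added Python example that is not CAS or cas-mfa code: the second-factor handler accepts the OTP credential, but the only principal resolver the manager finds is a chaining resolver with an empty chain, so it returns no principal and the manager fails closed with error.authentication.credentials.bad. The class names mirror the ones in the log lines; their bodies, the RadiusOtpCredentials shape, the chaining resolver's unconditional supports(), the login() helper and the sample LDAP/RADIUS/attribute data are all assumptions of the model.

```python
"""Model of the CAS 3.x authenticate-then-resolve pipeline (added example,
not CAS or cas-mfa source; names mirror the thread's log lines, bodies are
assumptions)."""
from dataclasses import dataclass, field


class BadCredentialsAuthenticationException(Exception):
    code = "error.authentication.credentials.bad"


@dataclass(frozen=True)
class UsernamePasswordCredentials:
    username: str
    password: str


@dataclass(frozen=True)
class RadiusOtpCredentials:
    """Second-factor credential; this shape is an assumption of the model."""
    username: str
    otp: str


@dataclass(frozen=True)
class Principal:
    id: str
    attributes: dict = field(default_factory=dict)


# Constructed sample back ends standing in for LDAP, the RADIUS OTP server
# and the attribute repository.
LDAP_DIRECTORY = {"bob123": "correct horse battery staple"}
RADIUS_OTPS = {"bob123": "493027"}
ATTRIBUTE_REPOSITORY = {"bob123": {"mail": "bob123@example.edu", "affiliation": "staff"}}


class LdapPasswordHandler:
    def supports(self, creds): return isinstance(creds, UsernamePasswordCredentials)
    def authenticate(self, creds): return LDAP_DIRECTORY.get(creds.username) == creds.password


class RadiusAuthenticationHandler:
    def supports(self, creds): return isinstance(creds, RadiusOtpCredentials)
    def authenticate(self, creds): return RADIUS_OTPS.get(creds.username) == creds.otp


class UsernamePasswordCredentialsToPrincipalResolver:
    def supports(self, creds): return isinstance(creds, UsernamePasswordCredentials)
    def resolve_principal(self, creds):
        return Principal(creds.username, ATTRIBUTE_REPOSITORY.get(creds.username, {}))


class RadiusOtpCredentialsToPrincipalResolver:
    """What the second factor is missing in the thread: a resolver that
    understands the OTP credential and maps it back to the same principal."""
    def supports(self, creds): return isinstance(creds, RadiusOtpCredentials)
    def resolve_principal(self, creds):
        return Principal(creds.username, ATTRIBUTE_REPOSITORY.get(creds.username, {}))


class ChainingCredentialsToPrincipalResolver:
    """Delegates to the first chained resolver that supports the credentials.
    Modeled (assumption) as claiming support for every credential type, so the
    manager 'finds' it even when the chain is empty and gets back None."""
    def __init__(self, chain=()):
        self.chain = list(chain)
    def supports(self, creds): return True
    def resolve_principal(self, creds):
        for resolver in self.chain:
            if resolver.supports(creds):
                return resolver.resolve_principal(creds)
        return None


class AuthenticationManagerImpl:
    """Phase 1: a handler must accept the credentials. Phase 2: a resolver
    must turn them into a Principal. No principal means fail closed."""
    def __init__(self, handlers, resolvers):
        self.handlers, self.resolvers, self.log = list(handlers), list(resolvers), []

    def authenticate(self, creds) -> Principal:
        handler = next((h for h in self.handlers if h.supports(creds)), None)
        if handler is None or not handler.authenticate(creds):
            raise BadCredentialsAuthenticationException()
        self.log.append(f"{type(handler).__name__} successfully authenticated "
                        f"[username: {creds.username}]")
        resolver = next((r for r in self.resolvers if r.supports(creds)), None)
        if resolver is None:
            self.log.append("No CredentialsToPrincipalResolver supports these credentials")
            raise BadCredentialsAuthenticationException()
        principal = resolver.resolve_principal(creds)
        self.log.append(f"Resolved principal {principal.id if principal else 'null'}")
        if principal is None:
            self.log.append("CredentialsToPrincipalResolver found but no principal returned.")
            raise BadCredentialsAuthenticationException()
        return principal


def login(creds, resolvers):
    """Run one authentication; return (Principal or None, manager log)."""
    manager = AuthenticationManagerImpl(
        [LdapPasswordHandler(), RadiusAuthenticationHandler()], resolvers)
    try:
        return manager.authenticate(creds), manager.log
    except BadCredentialsAuthenticationException as exc:
        manager.log.append(exc.code)
        return None, manager.log


if __name__ == "__main__":
    otp = RadiusOtpCredentials("bob123", "493027")
    # As in the thread: RADIUS succeeds, the empty chain resolves nothing, login fails.
    print(login(otp, [ChainingCredentialsToPrincipalResolver([])])[1])
    # With a resolver for the OTP credential chained in, the principal comes back.
    print(login(otp, [ChainingCredentialsToPrincipalResolver(
        [RadiusOtpCredentialsToPrincipalResolver()])])[0])
```

The point the model makes is that a resolver which claims support but resolves nothing turns every successful second-factor exchange into a bad-credentials error: that is the safe direction to fail, but the only trace of the real cause is the "found but no principal returned" line. The fix is to chain in a resolver that supports the second-factor credential type and maps it back to the same principal id the first factor produced.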
