Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-22 Thread Dmitriy Kopylenko
The main “bug tracker” for CAS project is an open pull request ;-)

May I suggest you first try 5.3.0-RC3-SNAPSHOT…

D.


From: Brian Davidson <awk.br...@gmail.com>
Reply: cas-user@apereo.org <cas-user@apereo.org>
Date: February 22, 2018 at 3:03:46 PM
To: cas-user@apereo.org <cas-user@apereo.org>
Subject:  Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy  

Do we need to open an issue in a bug tracker?  If so, where?

Any suggestions where to start poking in the code to try to debug this some 
more?  As best we can tell it’s throwing an exception in Spring web flow (which 
unfortunately we haven’t used so we’ve got a learning curve there).  And it 
looks like there’s a CAS plugin for web flow, so I’m hoping that might be a 
good place to put some debugging code.

Thanks,

Brian

On Feb 10, 2018, at 12:48 PM, Man H <info.ings...@gmail.com> wrote:

Indeed!!

On Saturday, February 10, 2018, Dmitriy Kopylenko <dkopyle...@unicon.net> wrote:
Thanks for confirming. Sounds like a bug to me.

D.




On Sat, Feb 10, 2018 at 12:01 PM -0500, "Brian Davidson" <awk.br...@gmail.com> 
wrote:

I have tried that.  Duo works when I disable the bypass facility.  When I 
enable it, if bypass script returns false, single factor works and I don’t get 
a 500 error. If the groovy script returns true, I get the 500 error. 

So, the Duo integration is working.  The bypass groovy script definitely is 
getting called, and it definitely should return a boolean, not a string.

2018-02-09 15:04:55,638 DEBUG 
[org.springframework.webflow.engine.impl.FlowExecutionImpl] - 

Seems like Spring web flow with the duo flow is not happy with something when 
the bypass script is in place, but it’s fine when bypass isn’t in place.

Thanks!

Brian

On Feb 10, 2018, at 11:38 AM, Dmitriy Kopylenko <dkopyle...@unicon.net> wrote:

Let me suggest to get the Groovy script out of equation completely. Switch this 
groovy bypass off, and try to perform entire duo 2 factor authentication 
transaction. If it completes successfully and then you again enable groovy 
bypass and then after it you get the failures that you are seeing, then the 
problem indeed is somewhere in that bypass facility.

Cheers,
D.




On Sat, Feb 10, 2018 at 11:29 AM -0500, "Brian Davidson" <awk.br...@gmail.com> 
wrote:

Switching the function to return a String instead of a boolean, I get:

2018-02-10 11:25:06,033 ERROR [org.apereo.cas.util.ScriptingUtils] - 
java.lang.ClassCastException: Result [mfa-duo is of type class java.lang.String 
when we were expecting class java.lang.Boolean

…

2018-02-10 11:25:06,952 ERROR 
[org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] - 

java.lang.NullPointerException: null
at 
org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass.shouldMultifactorAuthenticationProviderExecute(GroovyMultifactorAuthenticationProviderBypass.java:40)
 ~[cas-server-core-authentication-mfa-5.2.2-SNAPSHOT.jar:5.2.2-SNAPSHOT]

…





On Feb 10, 2018, at 10:14 AM, Man H <info.ings...@gmail.com> wrote:

Try returning string "mfa-duo" or null

On Saturday, February 10, 2018, Brian Davidson <awk.br...@gmail.com> wrote:
I changed it from info to warn:

2018-02-10 08:54:07,061 WARN 
[org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] - 


On Feb 10, 2018, at 8:43 AM, Man H <info.ings...@gmail.com> wrote:

Could you try this

def boolean run(final Object... args){
    def authentication = args[0]
    def principal = args[1]
    def service = args[2]
    def provider = args[3]
    def logger = args[4]
    def httpRequest = args[5]
    
    logger.info("Evaluating principal attributes ${principal.attributes}")

return true
}


On Saturday, February 10, 2018, Brian Davidson <awk.br...@gmail.com> wrote:
Removed that dependency and still get the same 500 error and same stack trace.

On Feb 10, 2018, at 7:20 AM, Man H <info.ings...@gmail.com> wrote:

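Why do you have this

    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>servlet-api</artifactId>
        <version>2.5</version>
        <type>jar</type>
    </dependency>


On Saturday, February 10, 2018, Brian Davidson <awk.br...@gmail.com> wrote: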
Running on apache-tomcat-8.5.24, so that should be servlet v3.1.x.

Yes, this is CAS version 5.2.2.

CAS w/ Duo works with no bypass groovy script in place.  CAS  works with bypass 
groovy script that returns false.  We’re just getting the exception when the 
groovy script returns true.

Thanks again for all the help!




External
A CAS deployment may be deployed to any number of external servlet containers. 
The container MUST support the servlet specification v3.1.x at a minimum.

On Feb 10, 2018, at 6:37 AM, Man H <info.ings...@gmail.com> wrote:

Assuming you are on 5.2.2

On Saturday, February 10, 2018, Brian Davidson <awk.br...@gmail.com> wrote:
I meant to add, our pom.xml h

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-22 Thread Brian Davidson
Do we need to open an issue in a bug tracker?  If so, where?

Any suggestions where to start poking in the code to try to debug this some 
more?  As best we can tell it’s throwing an exception in Spring web flow (which 
unfortunately we haven’t used so we’ve got a learning curve there).  And it 
looks like there’s a CAS plugin for web flow, so I’m hoping that might be a 
good place to put some debugging code.

Thanks,

Brian

> On Feb 10, 2018, at 12:48 PM, Man H  wrote:
> 
> Indeed!!
> 
> On Saturday, February 10, 2018, Dmitriy Kopylenko wrote:
> Thanks for confirming. Sounds like a bug to me.
> 
> D.
> 
> 
> 
> 
> On Sat, Feb 10, 2018 at 12:01 PM -0500, "Brian Davidson" wrote:
> 
> I have tried that.  Duo works when I disable the bypass facility.  When I 
> enable it, if bypass script returns false, single factor works and I don’t 
> get a 500 error. If the groovy script returns true, I get the 500 error. 
> 
> So, the Duo integration is working.  The bypass groovy script definitely is 
> getting called, and it definitely should return a boolean, not a string.
> 
> 2018-02-09 15:04:55,638 DEBUG 
> [org.springframework.webflow.engine.impl.FlowExecutionImpl] -  handle [org.springframework.webflow.execution.FlowExecutionException: 
> Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'] with root 
> cause [java.io.NotSerializableException: 
> org.springframework.core.io.UrlResource]>
> 
> Seems like Spring web flow with the duo flow is not happy with something when 
> the bypass script is in place, but it’s fine when bypass isn’t in place.
> 
> Thanks!
> 
> Brian
> 
>> On Feb 10, 2018, at 11:38 AM, Dmitriy Kopylenko wrote:
>> 
>> Let me suggest to get the Groovy script out of equation completely. Switch 
>> this groovy bypass off, and try to perform entire duo 2 factor 
>> authentication transaction. If it completes successfully and then you again 
>> enable groovy bypass and then after it you get the failures that you are 
>> seeing, then the problem indeed is somewhere in that bypass facility.
>> 
>> Cheers,
>> D.
>> 
>> 
>> 
>> 
>> On Sat, Feb 10, 2018 at 11:29 AM -0500, "Brian Davidson" wrote:
>> 
>> Switching the function to return a String instead of a boolean, I get:
>> 
>> 2018-02-10 11:25:06,033 ERROR [org.apereo.cas.util.ScriptingUtils] - > [mfa-duo is of type class java.lang.String when we were expecting class 
>> java.lang.Boolean>
>> java.lang.ClassCastException: Result [mfa-duo is of type class 
>> java.lang.String when we were expecting class java.lang.Boolean
>> 
>> …
>> 
>> 2018-02-10 11:25:06,952 ERROR 
>> [org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass]
>>  - 
>> java.lang.NullPointerException: null
>>  at 
>> org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass.shouldMultifactorAuthenticationProviderExecute(GroovyMultifactorAuthenticationProviderBypass.java:40)
>>  ~[cas-server-core-authentication-mfa-5.2.2-SNAPSHOT.jar:5.2.2-SNAPSHOT]
>> 
>> …
>> 
>> 
>> 
>> 
>> 
>>> On Feb 10, 2018, at 10:14 AM, Man H wrote:
>>> 
>>> Try returning string "mfa-duo" or null
>>> 
>>> On Saturday, February 10, 2018, Brian Davidson wrote:
>>> I changed it from info to warn:
>>> 
>>> 2018-02-10 08:54:07,061 WARN 
>>> [org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass]
>>>  - >> cn:Brian Davidson, ctCalDefaultNoteReminder:0:0, ctCalDefaultReminder:0:10, 
>>> ctCalDefaultTaskReminder:0:0, ctCalDisplayPrefs:4:480:1080:1:30:190:2, 
>>> ctCalLanguageId:0, ctCalNotifMechanism:1, 
>>> ctCalOperatingPrefs:0:255:0:0:0:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440,
>>>  ctCalPasswordRequired:1, ctCalPublishedType:0, ctCalRefreshPrefs:1:60, 
>>> ctCalSMSTimeRange:0:0, ctCalSysopCanWritePassword:0, ctCalTimezone:0, 
>>> ctCalXItemId:10101:02238, eduPersonAffiliation:[member, staff], gecos:Brian 
>>> Davidson, gidNumber:5137, givenName:Brian, gmuBannerGUID:REDACTED, 
>>> gmuemployeestatus:C, gmugnumber:REDACTED, gmuMLPwdChanged:20170127190453Z, 
>>> gmurup:true, gmusecurityquiz:1487691778, homeDirectory:REDACTED, 
>>> iplanet-am-modifiable-by:cn=Top-level Admin Role,o=gmu.edu 
>>> , l:opted-in-201103021755, loginShell:/bin/bash, 
>>> mail:REDACTED, mailAllowedServiceAccess:-imap,pop,http,smtp:*, 
>>> mailAlternateAddress:REDACTED, mailDeliveryOption:mailbox, 
>>> mailHost:gmuedu.onmicrosoft.com , 
>>> mailQuota:1048576000, mailRoutingAddress:REDACTED, nsmsgDisallowAccess:imap 
>>> pop 

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-13 Thread Brian Davidson
Here’s the error that’s returned if the “CAS” integration is used when 
configuring on duo.com  website.  I have opened an issue with 
Duo.

2018-02-13 10:53:37,995 DEBUG 
[org.apereo.cas.adaptors.duo.authn.BaseDuoSecurityAuthenticationService] - 



> On Feb 13, 2018, at 7:34 AM, Brian Davidson  wrote:
> 
> Man,
> 
> Just providing clarification on this other issue that I hadn’t gotten back to 
> you on.  I think the issue in this specific email is an issue with duo.com, 
> while the other issue in this thread is an issue with CAS.
> 
> In order for CAS to be able to use Duo you must obtain an integration key, 
> shared secret and api host from Duo.  You do this by logging in to duo.com 
> as an administrator and selecting “Add new application”.  
> You are then presented with a list of 137 types of applications you can 
> integrate with:
> 
> 1Password
> Duo Admin API
> Duo Auth API
> CAS
> Cisco RADIUS VPN
> etc.
> 
> 
> If you select the CAS integration, you’ll receive an error (not authorized, I 
> believe) when trying to use the Duo preauth endpoint, which is what the CAS 
> Duo adapter uses:
> 
> https://github.com/apereo/cas/blob/468d834242d8c027d4f2333bb7b4d1c99b645630/support/cas-server-support-duo-core/src/main/java/org/apereo/cas/adaptors/duo/authn/BaseDuoSecurityAuthenticationService.java#L170
>  
> 
> 
> 
> When setting up the application at duo.com  if you instead 
> choose Duo Auth API, the preauth endpoint works correctly.  There are no user 
> configurable permissions that I’ve been able to find on Duo’s site, so this 
> is a backend thing that they will need to change.  I will be opening a ticket 
> with them to address this.
> 
> Here’s the Duo documentation for the preauth endpoint:
> 
> https://duo.com/docs/authapi#/preauth 
> 
> Thanks again for all of the help!
> 
> Brian
> 
>> On Feb 10, 2018, at 8:15 AM, Man H  wrote:
>> 
>> Could you be more specific
>> 
>> We did find that CAS was unable to check to see if the user exists in Duo if 
>> we used the “CAS” integration in Duo.  But it works if we set up the 
>> integration as “Auth API”.
>> 
> 

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/30619062-0F41-483C-977D-B64032D9F726%40gmail.com.


Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-13 Thread Brian Davidson
Man,

Just providing clarification on this other issue that I hadn’t gotten back to 
you on.  I think the issue in this specific email is an issue with duo.com, 
while the other issue in this thread is an issue with CAS.

In order for CAS to be able to use Duo you must obtain an integration key, 
shared secret and api host from Duo.  You do this by logging in to duo.com 
as an administrator and selecting “Add new application”.  You 
are then presented with a list of 137 types of applications you can integrate 
with:

1Password
Duo Admin API
Duo Auth API
CAS
Cisco RADIUS VPN
etc.


If you select the CAS integration, you’ll receive an error (not authorized, I 
believe) when trying to use the Duo preauth endpoint, which is what the CAS Duo 
adapter uses:

https://github.com/apereo/cas/blob/468d834242d8c027d4f2333bb7b4d1c99b645630/support/cas-server-support-duo-core/src/main/java/org/apereo/cas/adaptors/duo/authn/BaseDuoSecurityAuthenticationService.java#L170


When setting up the application at duo.com  if you instead 
choose Duo Auth API, the preauth endpoint works correctly.  There are no user 
configurable permissions that I’ve been able to find on Duo’s site, so this is 
a backend thing that they will need to change.  I will be opening a ticket with 
them to address this.

Here’s the Duo documentation for the preauth endpoint:

https://duo.com/docs/authapi#/preauth 

Thanks again for all of the help!

Brian

> On Feb 10, 2018, at 8:15 AM, Man H  wrote:
> 
> Could you be more specific
> 
> We did find that CAS was unable to check to see if the user exists in Duo if 
> we used the “CAS” integration in Duo.  But it works if we set up the 
> integration as “Auth API”.
> 



Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-10 Thread Man H
Indeed!!

On Saturday, February 10, 2018, Dmitriy Kopylenko wrote:

> Thanks for confirming. Sounds like a bug to me.
>
> D.
>
>
>
>
> On Sat, Feb 10, 2018 at 12:01 PM -0500, "Brian Davidson" <
> awk.br...@gmail.com> wrote:
>
> I have tried that.  Duo works when I disable the bypass facility.  When I
>> enable it, if bypass script returns false, single factor works and I don’t
>> get a 500 error. If the groovy script returns true, I get the 500 error.
>>
>> So, the Duo integration is working.  The bypass groovy script definitely
>> is getting called, and it definitely should return a boolean, not a string.
>>
>> 2018-02-09 15:04:55,638 DEBUG 
>> [org.springframework.webflow.engine.impl.FlowExecutionImpl]
>> - > [org.springframework.webflow.execution.FlowExecutionException:
>> Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'] with root
>> cause [java.io.NotSerializableException: org.springframework.core.io.
>> UrlResource]>
>>
>> Seems like Spring web flow with the duo flow is not happy with something
>> when the bypass script is in place, but it’s fine when bypass isn’t in
>> place.
>>
>> Thanks!
>>
>> Brian
>>
>> On Feb 10, 2018, at 11:38 AM, Dmitriy Kopylenko 
>> wrote:
>>
>> Let me suggest to get the Groovy script out of equation completely.
>> Switch this groovy bypass off, and try to perform entire duo 2 factor
>> authentication transaction. If it completes successfully and then you again
>> enable groovy bypass and then after it you get the failures that you are
>> seeing, then the problem indeed is somewhere in that bypass facility.
>>
>> Cheers,
>> D.
>>
>>
>>
>>
>> On Sat, Feb 10, 2018 at 11:29 AM -0500, "Brian Davidson" <
>> awk.br...@gmail.com> wrote:
>>
>> Switching the function to return a String instead of a boolean, I get:
>>>
>>> 2018-02-10 11:25:06,033 ERROR [org.apereo.cas.util.ScriptingUtils] -
>>> >> class java.lang.Boolean>
>>> java.lang.ClassCastException: Result [mfa-duo is of type class
>>> java.lang.String when we were expecting class java.lang.Boolean
>>>
>>> …
>>>
>>> 2018-02-10 11:25:06,952 ERROR [org.apereo.cas.authentication.
>>> GroovyMultifactorAuthenticationProviderBypass] - 
>>> java.lang.NullPointerException: null
>>> at org.apereo.cas.authentication.GroovyMultifactorAuthenticatio
>>> nProviderBypass.shouldMultifactorAuthenticationProviderExecute(
>>> GroovyMultifactorAuthenticationProviderBypass.java:40)
>>> ~[cas-server-core-authentication-mfa-5.2.2-SNAPSHOT.jar:5.2.2-SNAPSHOT]
>>>
>>> …
>>>
>>>
>>>
>>>
>>>
>>> On Feb 10, 2018, at 10:14 AM, Man H  wrote:
>>>
>>> Try returning string "mfa-duo" or null
>>>
>>> On Saturday, February 10, 2018, Brian Davidson wrote:
>>>
 I changed it from info to warn:

 2018-02-10 08:54:07,061 WARN [org.apereo.cas.authentication
 .GroovyMultifactorAuthenticationProviderBypass] - >>> principal attributes [businessCategory:[Employee, Staff], cn:Brian
 Davidson, ctCalDefaultNoteReminder:0:0, ctCalDefaultReminder:0:10,
 ctCalDefaultTaskReminder:0:0, ctCalDisplayPrefs:4:480:1080:1:30:190:2,
 ctCalLanguageId:0, ctCalNotifMechanism:1, ctCalOperatingPrefs:0:255:0:0:
 0:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0
 :1440:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440,
 ctCalPasswordRequired:1, ctCalPublishedType:0, ctCalRefreshPrefs:1:60,
 ctCalSMSTimeRange:0:0, ctCalSysopCanWritePassword:0, ctCalTimezone:0,
 ctCalXItemId:10101:02238, eduPersonAffiliation:[member, staff], gecos:Brian
 Davidson, gidNumber:5137, givenName:Brian, gmuBannerGUID:REDACTED,
 gmuemployeestatus:C, gmugnumber:REDACTED, gmuMLPwdChanged:20170127190453Z,
 gmurup:true, gmusecurityquiz:1487691778, homeDirectory:REDACTED,
 iplanet-am-modifiable-by:cn=Top-level Admin Role,o=gmu.edu,
 l:opted-in-201103021755, loginShell:/bin/bash, mail:REDACTED,
 mailAllowedServiceAccess:-imap,pop,http,smtp:*,
 mailAlternateAddress:REDACTED, mailDeliveryOption:mailbox, mailHost:
 gmuedu.onmicrosoft.com, mailQuota:1048576000,
 mailRoutingAddress:REDACTED, nsmsgDisallowAccess:imap pop http smtp,
 nswmExtendedUserPrefs:[meTrashFolder=Trash, meSentFolder=Sent,
 meDraftFolder=Drafts, meInitialized=true], objectClass:[posixAccount,
 sunUCPreferences, mailrecipient, iplanetPreferences,
 inetLocalMailRecipient, iplanet-am-managed-person, inetOrgPerson,
 inetAdmin, ctCalUser, inetMailUser, iplanet-am-user-service, gmuPerson,
 shadowAccount, userPresenceProfile, inetUser, top, person,
 organizationalPerson, ipuser, eduPerson, account], 
 ou=people,o=gmu.edu,o=pab,
 sn:Davidson, uid:REDACTED, uidNumber:888, userPassword:REDACTED]>

 On Feb 10, 2018, at 8:43 AM, Man H  wrote:

 Could you try this

 def boolean run(final Object... args){
 def authentication = args[0]
 def principal = args[1]
   

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-10 Thread Dmitriy Kopylenko
Thanks for confirming. Sounds like a bug to me.

D.

On Sat, Feb 10, 2018 at 12:01 PM -0500, "Brian Davidson" wrote:

I have tried that.  Duo works when I disable the bypass facility.  When I 
enable it, if bypass script returns false, single factor works and I don’t get 
a 500 error. If the groovy script returns true, I get the 500 error. 
So, the Duo integration is working.  The bypass groovy script definitely is 
getting called, and it definitely should return a boolean, not a string.
2018-02-09 15:04:55,638 DEBUG 
[org.springframework.webflow.engine.impl.FlowExecutionImpl] - 

Seems like Spring web flow with the duo flow is not happy with something when 
the bypass script is in place, but it’s fine when bypass isn’t in place.
Thanks!
Brian
On Feb 10, 2018, at 11:38 AM, Dmitriy Kopylenko wrote:

Let me suggest to get the Groovy script out of equation 
completely. Switch this groovy bypass off, and try to perform entire duo 2 
factor authentication transaction. If it completes successfully and then you 
again enable groovy bypass and then after it you get the failures that you are 
seeing, then the problem indeed is somewhere in that bypass facility. 

Cheers,
D.

On Sat, Feb 10, 2018 at 11:29 AM -0500, "Brian Davidson" wrote:

Switching the function to return a String instead of a boolean, I get:
2018-02-10 11:25:06,033 ERROR [org.apereo.cas.util.ScriptingUtils] - java.lang.ClassCastException: Result [mfa-duo is of type 
class java.lang.String when we were expecting class java.lang.Boolean
…
2018-02-10 11:25:06,952 ERROR 
[org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] - 
java.lang.NullPointerException: null
at 
org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass.shouldMultifactorAuthenticationProviderExecute(GroovyMultifactorAuthenticationProviderBypass.java:40)
 ~[cas-server-core-authentication-mfa-5.2.2-SNAPSHOT.jar:5.2.2-SNAPSHOT]
…




On Feb 10, 2018, at 10:14 AM, Man H  wrote:
Try returning string "mfa-duo" or null

On Saturday, February 10, 2018, Brian Davidson wrote:
I changed it from info to warn:
2018-02-10 08:54:07,061 WARN 
[org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] - 


On Feb 10, 2018, at 8:43 AM, Man H  wrote:
Could you try this
def boolean run(final Object... args){
    def authentication = args[0]
    def principal = args[1]
    def service = args[2]
    def provider = args[3]
    def logger = args[4]
    def httpRequest = args[5]
    
    logger.info("Evaluating principal attributes ${principal.attributes}")

    return true
}

On Saturday, February 10, 2018, Brian Davidson wrote:
Removed that dependency and still get the same 500 error and same stack trace.

On Feb 10, 2018, at 7:20 AM, Man H wrote:
Why do you have this

    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>servlet-api</artifactId>
        <version>2.5</version>
        <type>jar</type>
    </dependency>

On Saturday, February 10, 2018, Brian Davidson wrote:
Running on apache-tomcat-8.5.24, so that should be servlet v3.1.x.
Yes, this is CAS version 5.2.2.
CAS w/ Duo works with no bypass groovy script in place.  CAS  works with bypass 
groovy script that returns false.  We’re just getting the exception when the 
groovy script returns true.
Thanks again for all the help!



External

A CAS deployment may be deployed to any number of external servlet containers. 
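The container MUST support the servlet specification v3.1.x at a minimum.

On Feb 10, 2018, at 6:37 AM, Man H wrote:
Assuming you are on 5.2.2

On Saturday, February 10, 2018, Brian Davidson wrote:
I meant to add, our pom.xml has the following dependencies (in case we’re 
missing something):

    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp-${app.server}</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-ldap</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-saml</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-hazelcast-ticket-registry</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-duo</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-json-service-registry</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.javassist</groupId>
        <artifactId>javassist</artifactId>
        <version>3.17.1-GA</version>
    </dependency>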

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-10 Thread Brian Davidson
I have tried that.  Duo works when I disable the bypass facility.  When I 
enable it, if bypass script returns false, single factor works and I don’t get 
a 500 error. If the groovy script returns true, I get the 500 error. 

So, the Duo integration is working.  The bypass groovy script definitely is 
getting called, and it definitely should return a boolean, not a string.

2018-02-09 15:04:55,638 DEBUG 
[org.springframework.webflow.engine.impl.FlowExecutionImpl] - 

Seems like Spring web flow with the duo flow is not happy with something when 
the bypass script is in place, but it’s fine when bypass isn’t in place.

Thanks!

Brian

> On Feb 10, 2018, at 11:38 AM, Dmitriy Kopylenko  wrote:
> 
> Let me suggest to get the Groovy script out of equation completely. Switch 
> this groovy bypass off, and try to perform entire duo 2 factor authentication 
> transaction. If it completes successfully and then you again enable groovy 
> bypass and then after it you get the failures that you are seeing, then the 
> problem indeed is somewhere in that bypass facility.
> 
> Cheers,
> D.
> 
> 
> 
> 
> On Sat, Feb 10, 2018 at 11:29 AM -0500, "Brian Davidson" wrote:
> 
> Switching the function to return a String instead of a boolean, I get:
> 
> 2018-02-10 11:25:06,033 ERROR [org.apereo.cas.util.ScriptingUtils] -  [mfa-duo is of type class java.lang.String when we were expecting class 
> java.lang.Boolean>
> java.lang.ClassCastException: Result [mfa-duo is of type class 
> java.lang.String when we were expecting class java.lang.Boolean
> 
> …
> 
> 2018-02-10 11:25:06,952 ERROR 
> [org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] 
> - 
> java.lang.NullPointerException: null
>   at 
> org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass.shouldMultifactorAuthenticationProviderExecute(GroovyMultifactorAuthenticationProviderBypass.java:40)
>  ~[cas-server-core-authentication-mfa-5.2.2-SNAPSHOT.jar:5.2.2-SNAPSHOT]
> 
> …
> 
> 
> 
> 
> 
>> On Feb 10, 2018, at 10:14 AM, Man H wrote:
>> 
>> Try returning string "mfa-duo" or null
>> 
>> On Saturday, February 10, 2018, Brian Davidson wrote:
>> I changed it from info to warn:
>> 
>> 2018-02-10 08:54:07,061 WARN 
>> [org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass]
>>  - > cn:Brian Davidson, ctCalDefaultNoteReminder:0:0, ctCalDefaultReminder:0:10, 
>> ctCalDefaultTaskReminder:0:0, ctCalDisplayPrefs:4:480:1080:1:30:190:2, 
>> ctCalLanguageId:0, ctCalNotifMechanism:1, 
>> ctCalOperatingPrefs:0:255:0:0:0:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440,
>>  ctCalPasswordRequired:1, ctCalPublishedType:0, ctCalRefreshPrefs:1:60, 
>> ctCalSMSTimeRange:0:0, ctCalSysopCanWritePassword:0, ctCalTimezone:0, 
>> ctCalXItemId:10101:02238, eduPersonAffiliation:[member, staff], gecos:Brian 
>> Davidson, gidNumber:5137, givenName:Brian, gmuBannerGUID:REDACTED, 
>> gmuemployeestatus:C, gmugnumber:REDACTED, gmuMLPwdChanged:20170127190453Z, 
>> gmurup:true, gmusecurityquiz:1487691778, homeDirectory:REDACTED, 
>> iplanet-am-modifiable-by:cn=Top-level Admin Role,o=gmu.edu 
>> , l:opted-in-201103021755, loginShell:/bin/bash, 
>> mail:REDACTED, mailAllowedServiceAccess:-imap,pop,http,smtp:*, 
>> mailAlternateAddress:REDACTED, mailDeliveryOption:mailbox, 
>> mailHost:gmuedu.onmicrosoft.com , 
>> mailQuota:1048576000, mailRoutingAddress:REDACTED, nsmsgDisallowAccess:imap 
>> pop http smtp, nswmExtendedUserPrefs:[meTrashFolder=Trash, 
>> meSentFolder=Sent, meDraftFolder=Drafts, meInitialized=true], 
>> objectClass:[posixAccount, sunUCPreferences, mailrecipient, 
>> iplanetPreferences, inetLocalMailRecipient, iplanet-am-managed-person, 
>> inetOrgPerson, inetAdmin, ctCalUser, inetMailUser, iplanet-am-user-service, 
>> gmuPerson, shadowAccount, userPresenceProfile, inetUser, top, person, 
>> organizationalPerson, ipuser, eduPerson, account], ou=people,o=gmu.edu 
>> ,o=pab, sn:Davidson, uid:REDACTED, uidNumber:888, 
>> userPassword:REDACTED]>
>> 
>>> On Feb 10, 2018, at 8:43 AM, Man H wrote:
>>> 
>>> Could you try this
>>> 
>>> def boolean run(final Object... args){
>>> def authentication = args[0]
>>> def principal = args[1]
>>> def service = args[2]
>>> def provider = args[3]
>>> def logger = args[4]
>>> def httpRequest = args[5]
>>> 
>>> logger.info("Evaluating principal attributes ${principal.attributes}")
>>> 
>>> return true
>>> }
>>> 
>>> 
>>> On Saturday, February 10, 2018, Brian Davidson wrote:
>>> Removed that dependency and still get the same 500 
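
The bypass script quoted in this thread logs `${principal.attributes}`, and the quoted log line shows the result: the whole directory record, down to a `userPassword` entry, written to the CAS log. As an added example, not code from the thread or from the CAS project, here is a variant that logs only an allow-listed attribute and requires MFA whenever the decision cannot be made. It assumes the argument order of the quoted script and, from the behaviour reported in the thread, that `false` skips Duo and `true` lets the Duo flow run; the `mfa-exempt` affiliation value is a constructed placeholder, and the script does not address the 500 error under discussion.

```groovy
// Added example, not from the thread or the CAS project.
// Argument order follows the script quoted in the thread.
// Assumption taken from the reported behaviour: false = skip Duo, true = run Duo.
def boolean run(final Object... args) {
    def principal = args[1]
    def logger = args[4]

    // Only these attribute names may be written to the log. The dump in the
    // thread shows why: mail, homeDirectory and userPassword were all logged.
    def loggable = ['eduPersonAffiliation'] as Set

    // Constructed placeholder: the affiliation value that exempts a user from MFA.
    def exemptAffiliation = 'mfa-exempt'

    try {
        def attributes = principal?.attributes ?: [:]

        // Log an allow-listed view instead of the whole attribute map.
        def safeView = attributes.findAll { name, value -> name in loggable }
        logger.info("MFA bypass check: principal=${principal?.id} attributes=${safeView}")

        // A value may arrive as a single object or as a collection; normalise to a list of strings.
        def raw = attributes['eduPersonAffiliation']
        def affiliations = []
        if (raw instanceof Collection) {
            affiliations = raw.collect { it.toString() }
        } else if (raw != null) {
            affiliations = [raw.toString()]
        }

        // Bypass only on a positive match. A missing or empty attribute means MFA runs.
        def bypass = affiliations.contains(exemptAffiliation)
        logger.info("MFA bypass decision: principal=${principal?.id} bypass=${bypass}")
        return !bypass
    } catch (Exception e) {
        // Fail closed, and keep attribute values out of the error message.
        logger.error("MFA bypass check failed, requiring MFA: ${e.class.name}")
        return true
    }
}
```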

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-10 Thread Dmitriy Kopylenko
Let me suggest to get the Groovy script out of equation 
completely. Switch this groovy bypass off, and try to perform entire duo 2 
factor authentication transaction. If it completes successfully and then you 
again enable groovy bypass and then after it you get the failures that you are 
seeing, then the problem indeed is somewhere in that bypass facility. 

Cheers,
D.

On Sat, Feb 10, 2018 at 11:29 AM -0500, "Brian Davidson" wrote:

Switching the function to return a String instead of a boolean, I get:
2018-02-10 11:25:06,033 ERROR [org.apereo.cas.util.ScriptingUtils] - java.lang.ClassCastException: Result [mfa-duo is of type 
class java.lang.String when we were expecting class java.lang.Boolean
…
2018-02-10 11:25:06,952 ERROR 
[org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] - 
java.lang.NullPointerException: null
at 
org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass.shouldMultifactorAuthenticationProviderExecute(GroovyMultifactorAuthenticationProviderBypass.java:40)
 ~[cas-server-core-authentication-mfa-5.2.2-SNAPSHOT.jar:5.2.2-SNAPSHOT]
…




On Feb 10, 2018, at 10:14 AM, Man H  wrote:
Try returning string "mfa-duo" or null

On Saturday, February 10, 2018, Brian Davidson wrote:
I changed it from info to warn:
2018-02-10 08:54:07,061 WARN 
[org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] - 


On Feb 10, 2018, at 8:43 AM, Man H  wrote:
Could you try this
def boolean run(final Object... args){
    def authentication = args[0]
    def principal = args[1]
    def service = args[2]
    def provider = args[3]
    def logger = args[4]
    def httpRequest = args[5]
    
    logger.info("Evaluating principal attributes ${principal.attributes}")

    return true
}

On Saturday, February 10, 2018, Brian Davidson wrote:
Removed that dependency and still get the same 500 error and same stack trace.

On Feb 10, 2018, at 7:20 AM, Man H wrote:
Why do you have this

    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>servlet-api</artifactId>
        <version>2.5</version>
        <type>jar</type>
    </dependency>

On Saturday, February 10, 2018, Brian Davidson wrote:
Running on apache-tomcat-8.5.24, so that should be servlet v3.1.x.
Yes, this is CAS version 5.2.2.
CAS w/ Duo works with no bypass groovy script in place.  CAS  works with bypass 
groovy script that returns false.  We’re just getting the exception when the 
groovy script returns true.
Thanks again for all the help!



External

A CAS deployment may be deployed to any number of external servlet containers. 
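The container MUST support the servlet specification v3.1.x at a minimum.

On Feb 10, 2018, at 6:37 AM, Man H wrote:
Assuming you are on 5.2.2

On Saturday, February 10, 2018, Brian Davidson wrote:
I meant to add, our pom.xml has the following dependencies (in case we’re 
missing something):

    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp-${app.server}</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-ldap</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-saml</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-hazelcast-ticket-registry</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-duo</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-json-service-registry</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.javassist</groupId>
        <artifactId>javassist</artifactId>
        <version>3.17.1-GA</version>
    </dependency>
    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>servlet-api</artifactId>
        <version>2.5</version>
        <type>jar</type>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-core-webflow</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-core-web</artifactId>
        <version>${cas.version}</version>
        <type>jar</type>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-core-configuration</artifactId>
        <version>${cas.version}</version>
        <type>jar</type>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-core-authentication</artifactId>
        <version>${cas.version}</version>
    </dependency>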

On Feb 9, 2018, at 5:19 PM, Man H  wrote:

add

    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-core-authentication</artifactId>
        <version>${cas.version}</version>
    </dependency>

with: 

cas.authn.mfa.duo[0].bypass.type=GROOVY
cas.authn.mfa.duo[0].bypass.groovy.location=file:/etc/cas/config/mfaGroovyTrigger.groovy

you should get

2018-02-09 19:10:39,145 DEBUG 

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-10 Thread Brian Davidson
Switching the function to return a String instead of a boolean, I get:

2018-02-10 11:25:06,033 ERROR [org.apereo.cas.util.ScriptingUtils] - 
java.lang.ClassCastException: Result [mfa-duo is of type class java.lang.String 
when we were expecting class java.lang.Boolean

…

2018-02-10 11:25:06,952 ERROR 
[org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] - 

java.lang.NullPointerException: null
at 
org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass.shouldMultifactorAuthenticationProviderExecute(GroovyMultifactorAuthenticationProviderBypass.java:40)
 ~[cas-server-core-authentication-mfa-5.2.2-SNAPSHOT.jar:5.2.2-SNAPSHOT]

…





> On Feb 10, 2018, at 10:14 AM, Man H  wrote:
> 
> Try returning string "mfa-duo" or null
> 
> On Saturday, February 10, 2018, Brian Davidson wrote:
> I changed it from info to warn:
> 
> 2018-02-10 08:54:07,061 WARN 
> [org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] 
> -  cn:Brian Davidson, ctCalDefaultNoteReminder:0:0, ctCalDefaultReminder:0:10, 
> ctCalDefaultTaskReminder:0:0, ctCalDisplayPrefs:4:480:1080:1:30:190:2, 
> ctCalLanguageId:0, ctCalNotifMechanism:1, 
> ctCalOperatingPrefs:0:255:0:0:0:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440,
>  ctCalPasswordRequired:1, ctCalPublishedType:0, ctCalRefreshPrefs:1:60, 
> ctCalSMSTimeRange:0:0, ctCalSysopCanWritePassword:0, ctCalTimezone:0, 
> ctCalXItemId:10101:02238, eduPersonAffiliation:[member, staff], gecos:Brian 
> Davidson, gidNumber:5137, givenName:Brian, gmuBannerGUID:REDACTED, 
> gmuemployeestatus:C, gmugnumber:REDACTED, gmuMLPwdChanged:20170127190453Z, 
> gmurup:true, gmusecurityquiz:1487691778, homeDirectory:REDACTED, 
> iplanet-am-modifiable-by:cn=Top-level Admin Role,o=gmu.edu , 
> l:opted-in-201103021755, loginShell:/bin/bash, mail:REDACTED, 
> mailAllowedServiceAccess:-imap,pop,http,smtp:*, 
> mailAlternateAddress:REDACTED, mailDeliveryOption:mailbox, 
> mailHost:gmuedu.onmicrosoft.com , 
> mailQuota:1048576000, mailRoutingAddress:REDACTED, nsmsgDisallowAccess:imap 
> pop http smtp, nswmExtendedUserPrefs:[meTrashFolder=Trash, meSentFolder=Sent, 
> meDraftFolder=Drafts, meInitialized=true], objectClass:[posixAccount, 
> sunUCPreferences, mailrecipient, iplanetPreferences, inetLocalMailRecipient, 
> iplanet-am-managed-person, inetOrgPerson, inetAdmin, ctCalUser, inetMailUser, 
> iplanet-am-user-service, gmuPerson, shadowAccount, userPresenceProfile, 
> inetUser, top, person, organizationalPerson, ipuser, eduPerson, account], 
> ou=people,o=gmu.edu ,o=pab, sn:Davidson, uid:REDACTED, 
> uidNumber:888, userPassword:REDACTED]>
> 
>> On Feb 10, 2018, at 8:43 AM, Man H wrote:
>> 
>> Could you try this
>> 
>> def boolean run(final Object... args){
>> def authentication = args[0]
>> def principal = args[1]
>> def service = args[2]
>> def provider = args[3]
>> def logger = args[4]
>> def httpRequest = args[5]
>> 
>> logger.info("Evaluating principal attributes ${principal.attributes}")
>> 
>> return true
>> }
>> 
>> 
>> On Saturday, February 10, 2018, Brian Davidson wrote:
>> Removed that dependency and still get the same 500 error and same stack 
>> trace.
>> 
>>> On Feb 10, 2018, at 7:20 AM, Man H wrote:
>>> 
>>> Why do you have this?
>>> 
>>> 
>>>   
>>> javax.servlet
>>> servlet-api
>>> 2.5
>>> jar
>>> 
>>> 
>>> 
>>> On Saturday, February 10, 2018, Brian Davidson wrote:
>>> Running on apache-tomcat-8.5.24, so that should be servlet v3.1.x.
>>> 
>>> Yes, this is CAS version 5.2.2.
>>> 
>>> CAS w/ Duo works with no bypass groovy script in place.  CAS  works with 
>>> bypass groovy script that returns false.  We’re just getting the exception 
>>> when the groovy script returns true.
>>> 
>>> Thanks again for all the help!
>>> 
>>> 
>>> 
>>> 
 External
 A CAS deployment may be deployed to any number of external servlet 
 containers. The container MUST support the servlet specification v3.1.x at 
 a minimum.
 
 On Feb 10, 2018, at 6:37 AM, Man H wrote:
 
 Assuming you are on 5.2.2
 
 On Saturday, February 10, 2018, Brian Davidson wrote:
 I meant to add, our pom.xml has the following dependencies (in case we’re 
 missing something):
 
 
 
 org.apereo.cas
 cas-server-webapp-${app.server}

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-10 Thread Man H
Try returning string "mfa-duo" or null

On Saturday, February 10, 2018, Brian Davidson wrote:

> I changed it from info to warn:
>
> 2018-02-10 08:54:07,061 WARN [org.apereo.cas.authentication.
> GroovyMultifactorAuthenticationProviderBypass] -  attributes [businessCategory:[Employee, Staff], cn:Brian Davidson,
> ctCalDefaultNoteReminder:0:0, ctCalDefaultReminder:0:10,
> ctCalDefaultTaskReminder:0:0, ctCalDisplayPrefs:4:480:1080:1:30:190:2,
> ctCalLanguageId:0, ctCalNotifMechanism:1, ctCalOperatingPrefs:0:255:0:0:
> 0:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:
> 0:1440:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440,
> ctCalPasswordRequired:1, ctCalPublishedType:0, ctCalRefreshPrefs:1:60,
> ctCalSMSTimeRange:0:0, ctCalSysopCanWritePassword:0, ctCalTimezone:0,
> ctCalXItemId:10101:02238, eduPersonAffiliation:[member, staff], gecos:Brian
> Davidson, gidNumber:5137, givenName:Brian, gmuBannerGUID:REDACTED,
> gmuemployeestatus:C, gmugnumber:REDACTED, gmuMLPwdChanged:20170127190453Z,
> gmurup:true, gmusecurityquiz:1487691778, homeDirectory:REDACTED,
> iplanet-am-modifiable-by:cn=Top-level Admin Role,o=gmu.edu,
> l:opted-in-201103021755, loginShell:/bin/bash, mail:REDACTED,
> mailAllowedServiceAccess:-imap,pop,http,smtp:*,
> mailAlternateAddress:REDACTED, mailDeliveryOption:mailbox, mailHost:
> gmuedu.onmicrosoft.com, mailQuota:1048576000,
> mailRoutingAddress:REDACTED, nsmsgDisallowAccess:imap pop http smtp,
> nswmExtendedUserPrefs:[meTrashFolder=Trash, meSentFolder=Sent,
> meDraftFolder=Drafts, meInitialized=true], objectClass:[posixAccount,
> sunUCPreferences, mailrecipient, iplanetPreferences,
> inetLocalMailRecipient, iplanet-am-managed-person, inetOrgPerson,
> inetAdmin, ctCalUser, inetMailUser, iplanet-am-user-service, gmuPerson,
> shadowAccount, userPresenceProfile, inetUser, top, person,
> organizationalPerson, ipuser, eduPerson, account], ou=people,o=gmu.edu,o=pab,
> sn:Davidson, uid:REDACTED, uidNumber:888, userPassword:REDACTED]>
>
> On Feb 10, 2018, at 8:43 AM, Man H  wrote:
>
> Could you try this
>
> def boolean run(final Object... args){
> def authentication = args[0]
> def principal = args[1]
> def service = args[2]
> def provider = args[3]
> def logger = args[4]
> def httpRequest = args[5]
>
> logger.info("Evaluating principal attributes ${principal.attributes}")
>
> return true
> }
>
>
> On Saturday, February 10, 2018, Brian Davidson wrote:
>
>> Removed that dependency and still get the same 500 error and same stack
>> trace.
>>
>> On Feb 10, 2018, at 7:20 AM, Man H wrote:
>>
>> Why do you have this?
>>
>>
>>   
>> javax.servlet
>> servlet-api
>> 2.5
>> jar
>> 
>>
>>
>> On Saturday, February 10, 2018, Brian Davidson wrote:
>>
>>> Running on apache-tomcat-8.5.24, so that should be servlet v3.1.x.
>>>
>>> Yes, this is CAS version 5.2.2.
>>>
>>> CAS w/ Duo works with no bypass groovy script in place.  CAS  works with
>>> bypass groovy script that returns false.  We’re just getting the exception
>>> when the groovy script returns true.
>>>
>>> Thanks again for all the help!
>>>
>>>
>>>
>>>
>>> External
>>>
>>> A CAS deployment may be deployed to any number of external servlet
>>> containers. The container MUST support the servlet specification v3.1.x at
>>> a minimum.
>>>
>>> On Feb 10, 2018, at 6:37 AM, Man H  wrote:
>>>
>>> Assuming you are on 5.2.2
>>>
>>> On Saturday, February 10, 2018, Brian Davidson wrote:
>>>
 I meant to add, our pom.xml has the following dependencies (in case
 we’re missing something):

 
 
 org.apereo.cas
 cas-server-webapp-${app.server}
 ${cas.version}
 war
 runtime
 
 
 org.apereo.cas
 cas-server-support-ldap
 ${cas.version}
 
 
 org.apereo.cas
 cas-server-support-saml
 ${cas.version}
 
 
 org.apereo.cas
 cas-server-support-hazelcast-ticket-registry
 ${cas.version}
 
 
 org.apereo.cas
 cas-server-support-duo
 ${cas.version}
 
 
 org.apereo.cas
 cas-server-support-json-service-registry
 ${cas.version}
 
 
 org.javassist
 javassist
 3.17.1-GA
 
 
 javax.servlet
 servlet-api
 2.5
 jar
 
 
 org.apereo.cas
 

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-10 Thread Brian Davidson
I changed it from info to warn:

2018-02-10 08:54:07,061 WARN 
[org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] - 


> On Feb 10, 2018, at 8:43 AM, Man H  wrote:
> 
> Could you try this
> 
> def boolean run(final Object... args){
> def authentication = args[0]
> def principal = args[1]
> def service = args[2]
> def provider = args[3]
> def logger = args[4]
> def httpRequest = args[5]
> 
> logger.info("Evaluating principal attributes ${principal.attributes}")
> 
> return true
> }
> 
> 
> On Saturday, February 10, 2018, Brian Davidson wrote:
> Removed that dependency and still get the same 500 error and same stack trace.
> 
>> On Feb 10, 2018, at 7:20 AM, Man H wrote:
>> 
>> Why do you have this?
>> 
>> 
>>   
>> javax.servlet
>> servlet-api
>> 2.5
>> jar
>> 
>> 
>> 
>> On Saturday, February 10, 2018, Brian Davidson wrote:
>> Running on apache-tomcat-8.5.24, so that should be servlet v3.1.x.
>> 
>> Yes, this is CAS version 5.2.2.
>> 
>> CAS w/ Duo works with no bypass groovy script in place.  CAS  works with 
>> bypass groovy script that returns false.  We’re just getting the exception 
>> when the groovy script returns true.
>> 
>> Thanks again for all the help!
>> 
>> 
>> 
>> 
>>> External
>>> A CAS deployment may be deployed to any number of external servlet 
>>> containers. The container MUST support the servlet specification v3.1.x at 
>>> a minimum.
>>> 
>>> On Feb 10, 2018, at 6:37 AM, Man H wrote:
>>> 
>>> Assuming you are on 5.2.2
>>> 
>>> On Saturday, February 10, 2018, Brian Davidson wrote:
>>> I meant to add, our pom.xml has the following dependencies (in case we’re 
>>> missing something):
>>> 
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-webapp-${app.server}
>>> ${cas.version}
>>> war
>>> runtime
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-support-ldap
>>> ${cas.version}
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-support-saml
>>> ${cas.version}
>>> 
>>> 
>>> org.apereo.cas
>>> 
>>> cas-server-support-hazelcast-ticket-registry
>>> ${cas.version}
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-support-duo
>>> ${cas.version}
>>> 
>>> 
>>> org.apereo.cas
>>> 
>>> cas-server-support-json-service-registry
>>> ${cas.version}
>>> 
>>> 
>>> org.javassist
>>> javassist
>>> 3.17.1-GA
>>> 
>>> 
>>> javax.servlet
>>> servlet-api
>>> 2.5
>>> jar
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-core-webflow
>>> ${cas.version}
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-core-web
>>> ${cas.version}
>>> jar
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-core-configuration
>>> ${cas.version}
>>> jar
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-core-authentication
>>> ${cas.version}
>>> 
>>> 
>>> 
>>> 
 On Feb 9, 2018, at 5:19 PM, Man H wrote:
 
 
 add 
 
  org.apereo.cas
  cas-server-core-authentication
  ${cas.version}
 
 
 with: 
 
 cas.authn.mfa.duo[0].bypass.type=GROOVY
 cas.authn.mfa.duo[0].bypass.groovy.location=file:/etc/cas/config/mfaGroovyTrigger.groovy
 
 you should get
 
 2018-02-09 19:10:39,145 DEBUG 
 [org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass]
  - >>> [casuser], service [null] and provider 
 [DefaultDuoMultifactorAuthenticationProvider] via Groovy script [URL 
 [file:/etc/cas/config/mfaGroovyTrigger.groovy]]>
 
 
 
 
 
 2018-02-09 17:11 GMT-03:00 Brian Davidson:
 Just to add a bit to what Brian M. provided (I’m also a Brian, and a 
 co-worker of Brian M’s):
 
 We have Duo MFA working if we comment out:
 cas.authn.mfa.duo[0].bypass.type=GROOVY
 cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy
 

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-10 Thread Man H
Or this


def boolean run(final Object... args){
    // the logger is the fifth argument; without this line 'logger' is undefined
    def logger = args[4]
    logger.info("Evaluating principal")
    return true
}

On Saturday, February 10, 2018, Brian Davidson wrote:

> Removed that dependency and still get the same 500 error and same stack
> trace.
>
> On Feb 10, 2018, at 7:20 AM, Man H wrote:
>
> Why do you have this?
>
>
>   
> javax.servlet
> servlet-api
> 2.5
> jar
> 
>
>
> On Saturday, February 10, 2018, Brian Davidson wrote:
>
>> Running on apache-tomcat-8.5.24, so that should be servlet v3.1.x.
>>
>> Yes, this is CAS version 5.2.2.
>>
>> CAS w/ Duo works with no bypass groovy script in place.  CAS  works with
>> bypass groovy script that returns false.  We’re just getting the exception
>> when the groovy script returns true.
>>
>> Thanks again for all the help!
>>
>>
>>
>>
>> External
>>
>> A CAS deployment may be deployed to any number of external servlet
>> containers. The container MUST support the servlet specification v3.1.x at
>> a minimum.
>>
>> On Feb 10, 2018, at 6:37 AM, Man H  wrote:
>>
>> Assuming you are on 5.2.2
>>
>> On Saturday, February 10, 2018, Brian Davidson wrote:
>>
>>> I meant to add, our pom.xml has the following dependencies (in case
>>> we’re missing something):
>>>
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-webapp-${app.server}
>>> ${cas.version}
>>> war
>>> runtime
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-support-ldap
>>> ${cas.version}
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-support-saml
>>> ${cas.version}
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-support-hazelcast-ticket-registry
>>> ${cas.version}
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-support-duo
>>> ${cas.version}
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-support-json-service-registry
>>> ${cas.version}
>>> 
>>> 
>>> org.javassist
>>> javassist
>>> 3.17.1-GA
>>> 
>>> 
>>> javax.servlet
>>> servlet-api
>>> 2.5
>>> jar
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-core-webflow
>>> ${cas.version}
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-core-web
>>> ${cas.version}
>>> jar
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-core-configuration
>>> ${cas.version}
>>> jar
>>> 
>>> 
>>> org.apereo.cas
>>>cas-server-core-authentication
>>>${cas.version}
>>> 
>>> 
>>>
>>>
>>> On Feb 9, 2018, at 5:19 PM, Man H  wrote:
>>>
>>>
>>> add
>>> 
>>>  org.apereo.cas
>>>  cas-server-core-authentication
>>>  ${cas.version}
>>> 
>>>
>>> with:
>>>
>>> cas.authn.mfa.duo[0].bypass.type=GROOVY
>>> cas.authn.mfa.duo[0].bypass.groovy.location=file:/etc/cas/config/mfaGroovyTrigger.groovy
>>>
>>> you should get
>>>
>>> 2018-02-09 19:10:39,145 DEBUG [org.apereo.cas.authentication
>>> .GroovyMultifactorAuthenticationProviderBypass] - >> multifactor authentication bypass properties for principal [casuser],
>>> service [null] and provider [DefaultDuoMultifactorAuthenticationProvider]
>>> via Groovy script [URL [file:/etc/cas/config/mfaGroovyTrigger.groovy]]>
>>>
>>>
>>>
>>>
>>>
>>> 2018-02-09 17:11 GMT-03:00 Brian Davidson :
>>>
 Just to add a bit to what Brian M. provided (I’m also a Brian, and a
 co-worker of Brian M’s):

 We have Duo MFA working if we comment out:
 cas.authn.mfa.duo[0].bypass.type=GROOVY
 cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy

 We did find that CAS was unable to check to see if the user exists in
 Duo if we used the “CAS” integration in Duo.  But it works if we set up the
 integration as “Auth API”.

 We haven’t touched webflow. With the groovy script in place,

 When we enable GROOVY bypass script, we get:

 2018-02-09 15:04:55,638 DEBUG 
 [org.springframework.webflow.engine.impl.FlowExecutionImpl]
 - >>> xecution.FlowExecutionException: Exception thrown in state
 'viewLoginFormDuo' of flow 'mfa-duo'] with root cause
 [java.io.NotSerializableException: org.springframework.core.io.UrlResource]>

 As well as the stack trace Brian M. provided.

 cas.authn.mfa.duo[0].bypass.groovy.location was the missing piece
 yesterday.  Dug 

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-10 Thread Man H
Could you try this

def boolean run(final Object... args){
def authentication = args[0]
def principal = args[1]
def service = args[2]
def provider = args[3]
def logger = args[4]
def httpRequest = args[5]

logger.info("Evaluating principal attributes ${principal.attributes}")

return true
}


On Saturday, February 10, 2018, Brian Davidson wrote:

> Removed that dependency and still get the same 500 error and same stack
> trace.
>
> On Feb 10, 2018, at 7:20 AM, Man H wrote:
>
> Why do you have this?
>
>
>   
> javax.servlet
> servlet-api
> 2.5
> jar
> 
>
>
> On Saturday, February 10, 2018, Brian Davidson wrote:
>
>> Running on apache-tomcat-8.5.24, so that should be servlet v3.1.x.
>>
>> Yes, this is CAS version 5.2.2.
>>
>> CAS w/ Duo works with no bypass groovy script in place.  CAS  works with
>> bypass groovy script that returns false.  We’re just getting the exception
>> when the groovy script returns true.
>>
>> Thanks again for all the help!
>>
>>
>>
>>
>> External
>>
>> A CAS deployment may be deployed to any number of external servlet
>> containers. The container MUST support the servlet specification v3.1.x at
>> a minimum.
>>
>> On Feb 10, 2018, at 6:37 AM, Man H  wrote:
>>
>> Assuming you are on 5.2.2
>>
>> On Saturday, February 10, 2018, Brian Davidson wrote:
>>
>>> I meant to add, our pom.xml has the following dependencies (in case
>>> we’re missing something):
>>>
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-webapp-${app.server}
>>> ${cas.version}
>>> war
>>> runtime
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-support-ldap
>>> ${cas.version}
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-support-saml
>>> ${cas.version}
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-support-hazelcast-ticket-registry
>>> ${cas.version}
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-support-duo
>>> ${cas.version}
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-support-json-service-registry
>>> ${cas.version}
>>> 
>>> 
>>> org.javassist
>>> javassist
>>> 3.17.1-GA
>>> 
>>> 
>>> javax.servlet
>>> servlet-api
>>> 2.5
>>> jar
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-core-webflow
>>> ${cas.version}
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-core-web
>>> ${cas.version}
>>> jar
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-core-configuration
>>> ${cas.version}
>>> jar
>>> 
>>> 
>>> org.apereo.cas
>>>cas-server-core-authentication
>>>${cas.version}
>>> 
>>> 
>>>
>>>
>>> On Feb 9, 2018, at 5:19 PM, Man H  wrote:
>>>
>>>
>>> add
>>> 
>>>  org.apereo.cas
>>>  cas-server-core-authentication
>>>  ${cas.version}
>>> 
>>>
>>> with:
>>>
>>> cas.authn.mfa.duo[0].bypass.type=GROOVY
>>> cas.authn.mfa.duo[0].bypass.groovy.location=file:/etc/cas/config/mfaGroovyTrigger.groovy
>>>
>>> you should get
>>>
>>> 2018-02-09 19:10:39,145 DEBUG [org.apereo.cas.authentication
>>> .GroovyMultifactorAuthenticationProviderBypass] - >> multifactor authentication bypass properties for principal [casuser],
>>> service [null] and provider [DefaultDuoMultifactorAuthenticationProvider]
>>> via Groovy script [URL [file:/etc/cas/config/mfaGroovyTrigger.groovy]]>
>>>
>>>
>>>
>>>
>>>
>>> 2018-02-09 17:11 GMT-03:00 Brian Davidson :
>>>
 Just to add a bit to what Brian M. provided (I’m also a Brian, and a
 co-worker of Brian M’s):

 We have Duo MFA working if we comment out:
 cas.authn.mfa.duo[0].bypass.type=GROOVY
 cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy

 We did find that CAS was unable to check to see if the user exists in
 Duo if we used the “CAS” integration in Duo.  But it works if we set up the
 integration as “Auth API”.

 We haven’t touched webflow. With the groovy script in place,

 When we enable GROOVY bypass script, we get:

 2018-02-09 15:04:55,638 DEBUG 
 [org.springframework.webflow.engine.impl.FlowExecutionImpl]
 - >>> xecution.FlowExecutionException: Exception thrown in state
 'viewLoginFormDuo' of flow 'mfa-duo'] with root cause [java.io
 

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-10 Thread Man H
Could you be more specific

We did find that CAS was unable to check to see if the user exists in Duo
if we used the “CAS” integration in Duo.  But it works if we set up the
integration as “Auth API”.


On Saturday, February 10, 2018, Brian Davidson wrote:

> Removed that dependency and still get the same 500 error and same stack
> trace.
>
> On Feb 10, 2018, at 7:20 AM, Man H wrote:
>
> Why do you have this?
>
>
>   
> javax.servlet
> servlet-api
> 2.5
> jar
> 
>
>
> On Saturday, February 10, 2018, Brian Davidson wrote:
>
>> Running on apache-tomcat-8.5.24, so that should be servlet v3.1.x.
>>
>> Yes, this is CAS version 5.2.2.
>>
>> CAS w/ Duo works with no bypass groovy script in place.  CAS  works with
>> bypass groovy script that returns false.  We’re just getting the exception
>> when the groovy script returns true.
>>
>> Thanks again for all the help!
>>
>>
>>
>>
>> External
>>
>> A CAS deployment may be deployed to any number of external servlet
>> containers. The container MUST support the servlet specification v3.1.x at
>> a minimum.
>>
>> On Feb 10, 2018, at 6:37 AM, Man H  wrote:
>>
>> Assuming you are on 5.2.2
>>
>> On Saturday, February 10, 2018, Brian Davidson wrote:
>>
>>> I meant to add, our pom.xml has the following dependencies (in case
>>> we’re missing something):
>>>
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-webapp-${app.server}
>>> ${cas.version}
>>> war
>>> runtime
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-support-ldap
>>> ${cas.version}
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-support-saml
>>> ${cas.version}
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-support-hazelcast-ticket-registry
>>> ${cas.version}
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-support-duo
>>> ${cas.version}
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-support-json-service-registry
>>> ${cas.version}
>>> 
>>> 
>>> org.javassist
>>> javassist
>>> 3.17.1-GA
>>> 
>>> 
>>> javax.servlet
>>> servlet-api
>>> 2.5
>>> jar
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-core-webflow
>>> ${cas.version}
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-core-web
>>> ${cas.version}
>>> jar
>>> 
>>> 
>>> org.apereo.cas
>>> cas-server-core-configuration
>>> ${cas.version}
>>> jar
>>> 
>>> 
>>> org.apereo.cas
>>>cas-server-core-authentication
>>>${cas.version}
>>> 
>>> 
>>>
>>>
>>> On Feb 9, 2018, at 5:19 PM, Man H  wrote:
>>>
>>>
>>> add
>>> 
>>>  org.apereo.cas
>>>  cas-server-core-authentication
>>>  ${cas.version}
>>> 
>>>
>>> with:
>>>
>>> cas.authn.mfa.duo[0].bypass.type=GROOVY
>>> cas.authn.mfa.duo[0].bypass.groovy.location=file:/etc/cas/config/mfaGroovyTrigger.groovy
>>>
>>> you should get
>>>
>>> 2018-02-09 19:10:39,145 DEBUG [org.apereo.cas.authentication
>>> .GroovyMultifactorAuthenticationProviderBypass] - >> multifactor authentication bypass properties for principal [casuser],
>>> service [null] and provider [DefaultDuoMultifactorAuthenticationProvider]
>>> via Groovy script [URL [file:/etc/cas/config/mfaGroovyTrigger.groovy]]>
>>>
>>>
>>>
>>>
>>>
>>> 2018-02-09 17:11 GMT-03:00 Brian Davidson :
>>>
 Just to add a bit to what Brian M. provided (I’m also a Brian, and a
 co-worker of Brian M’s):

 We have Duo MFA working if we comment out:
 cas.authn.mfa.duo[0].bypass.type=GROOVY
 cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy

 We did find that CAS was unable to check to see if the user exists in
 Duo if we used the “CAS” integration in Duo.  But it works if we set up the
 integration as “Auth API”.

 We haven’t touched webflow. With the groovy script in place,

 When we enable GROOVY bypass script, we get:

 2018-02-09 15:04:55,638 DEBUG 
 [org.springframework.webflow.engine.impl.FlowExecutionImpl]
 - >>> xecution.FlowExecutionException: Exception thrown in state
 'viewLoginFormDuo' of flow 'mfa-duo'] with root cause
 [java.io.NotSerializableException: org.springframework.core.io.UrlResource]>

 As well as the stack trace Brian M. provided.
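
The root cause in the log above is a java.io.NotSerializableException for UrlResource, which Java serialization throws when a non-Serializable object is reachable from the object being written. The following is an added example, not part of the thread and not CAS code: the class names (ScriptResource, BypassWithResource, BypassWithTransient, Provider) are hypothetical stand-ins, and that CAS 5.2.x holds the Groovy script resource this way is an assumption. It reproduces the same failure class, reports the field path leading to the offending object, and shows the transient-field form that serializes cleanly.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.IdentityHashMap;
import java.util.List;
import java.util.Map;

public class SerializationProbe {

    // Hypothetical stand-in for org.springframework.core.io.UrlResource: NOT Serializable.
    static class ScriptResource {
        final String location;
        ScriptResource(String location) { this.location = location; }
    }

    // Hypothetical bypass object that keeps a hard reference to the script resource.
    static class BypassWithResource implements Serializable {
        private static final long serialVersionUID = 1L;
        final ScriptResource script;
        BypassWithResource(ScriptResource script) { this.script = script; }
    }

    // Same idea, but only the location string is serialized; the resource is transient.
    static class BypassWithTransient implements Serializable {
        private static final long serialVersionUID = 1L;
        final String location;
        transient ScriptResource script;
        BypassWithTransient(String location) {
            this.location = location;
            this.script = new ScriptResource(location);
        }
        ScriptResource script() {
            // transient fields are null after deserialization, so rebuild on demand
            if (script == null) script = new ScriptResource(location);
            return script;
        }
    }

    // Hypothetical provider object that ends up in serialized state.
    static class Provider implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final Object bypass;
        Provider(String id, Object bypass) { this.id = id; this.bypass = bypass; }
    }

    // Attempts Java serialization and returns "ok" or the exception summary.
    static String trySerialize(Object o) {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(o);
            return "ok";
        } catch (NotSerializableException e) {
            return "NotSerializableException: " + e.getMessage();
        } catch (IOException e) {
            return "IOException: " + e;
        }
    }

    // Walks non-static, non-transient fields and records the path to every
    // reachable object that does not implement Serializable.
    static void findNonSerializable(Object node, String path,
                                    Map<Object, Boolean> seen, List<String> hits) {
        if (node == null || seen.put(node, Boolean.TRUE) != null) return;
        Class<?> type = node.getClass();
        if (!(node instanceof Serializable)) {
            hits.add(path + " -> " + type.getName());
            return;
        }
        if (type.isArray()) return; // arrays are not walked in this sketch
        // JDK classes are skipped: their fields are not open to reflection on recent JDKs
        for (Class<?> c = type; c != null && !c.getName().startsWith("java."); c = c.getSuperclass()) {
            for (Field f : c.getDeclaredFields()) {
                int m = f.getModifiers();
                if (Modifier.isStatic(m) || Modifier.isTransient(m) || f.getType().isPrimitive()) continue;
                try {
                    f.setAccessible(true);
                    findNonSerializable(f.get(node), path + "." + f.getName(), seen, hits);
                } catch (ReflectiveOperationException | RuntimeException e) {
                    hits.add(path + "." + f.getName() + " (not inspectable: " + e + ")");
                }
            }
        }
    }

    public static void main(String[] args) {
        String loc = "file:/etc/cas/config/mfaGroovyTrigger.groovy"; // location quoted in the thread
        Provider broken = new Provider("mfa-duo", new BypassWithResource(new ScriptResource(loc)));
        Provider fixed = new Provider("mfa-duo", new BypassWithTransient(loc));
        for (Provider p : List.of(broken, fixed)) {
            List<String> hits = new ArrayList<>();
            findNonSerializable(p, "provider", new IdentityHashMap<>(), hits);
            System.out.println(trySerialize(p) + " | offending paths: " + hits);
        }
    }
}
```

Run it with `java SerializationProbe.java` (JDK 11 or later). On a live JVM, the system property `-Dsun.io.serialization.extendedDebugInfo=true` makes the JDK append the same kind of field path to the NotSerializableException stack trace.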

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-10 Thread Brian Davidson
Removed that dependency and still get the same 500 error and same stack trace.

> On Feb 10, 2018, at 7:20 AM, Man H  wrote:
> 
> Why do you have this?
> 
> 
>   
> javax.servlet
> servlet-api
> 2.5
> jar
> 
> 
> 
> On Saturday, February 10, 2018, Brian Davidson wrote:
> Running on apache-tomcat-8.5.24, so that should be servlet v3.1.x.
> 
> Yes, this is CAS version 5.2.2.
> 
> CAS w/ Duo works with no bypass groovy script in place.  CAS  works with 
> bypass groovy script that returns false.  We’re just getting the exception 
> when the groovy script returns true.
> 
> Thanks again for all the help!
> 
> 
> 
> 
>> External
>> A CAS deployment may be deployed to any number of external servlet 
>> containers. The container MUST support the servlet specification v3.1.x at a 
>> minimum.
>> 
>> On Feb 10, 2018, at 6:37 AM, Man H wrote:
>> 
>> Assuming you are on 5.2.2
>> 
>> On Saturday, February 10, 2018, Brian Davidson wrote:
>> I meant to add, our pom.xml has the following dependencies (in case we’re 
>> missing something):
>> 
>> 
>> 
>> org.apereo.cas
>> cas-server-webapp-${app.server}
>> ${cas.version}
>> war
>> runtime
>> 
>> 
>> org.apereo.cas
>> cas-server-support-ldap
>> ${cas.version}
>> 
>> 
>> org.apereo.cas
>> cas-server-support-saml
>> ${cas.version}
>> 
>> 
>> org.apereo.cas
>> 
>> cas-server-support-hazelcast-ticket-registry
>> ${cas.version}
>> 
>> 
>> org.apereo.cas
>> cas-server-support-duo
>> ${cas.version}
>> 
>> 
>> org.apereo.cas
>> cas-server-support-json-service-registry
>> ${cas.version}
>> 
>> 
>> org.javassist
>> javassist
>> 3.17.1-GA
>> 
>> 
>> javax.servlet
>> servlet-api
>> 2.5
>> jar
>> 
>> 
>> org.apereo.cas
>> cas-server-core-webflow
>> ${cas.version}
>> 
>> 
>> org.apereo.cas
>> cas-server-core-web
>> ${cas.version}
>> jar
>> 
>> 
>> org.apereo.cas
>> cas-server-core-configuration
>> ${cas.version}
>> jar
>> 
>>  
>> org.apereo.cas
>>  cas-server-core-authentication
>>  ${cas.version}
>>  
>> 
>> 
>> 
>>> On Feb 9, 2018, at 5:19 PM, Man H wrote:
>>> 
>>> 
>>> add 
>>> 
>>>  org.apereo.cas
>>>  cas-server-core-authentication
>>>  ${cas.version}
>>> 
>>> 
>>> with: 
>>> 
>>> cas.authn.mfa.duo[0].bypass.type=GROOVY
>>> cas.authn.mfa.duo[0].bypass.groovy.location=file:/etc/cas/config/mfaGroovyTrigger.groovy
>>> 
>>> you should get
>>> 
>>> 2018-02-09 19:10:39,145 DEBUG 
>>> [org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass]
>>>  - >> [casuser], service [null] and provider 
>>> [DefaultDuoMultifactorAuthenticationProvider] via Groovy script [URL 
>>> [file:/etc/cas/config/mfaGroovyTrigger.groovy]]>
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 2018-02-09 17:11 GMT-03:00 Brian Davidson:
>>> Just to add a bit to what Brian M. provided (I’m also a Brian, and a 
>>> co-worker of Brian M’s):
>>> 
>>> We have Duo MFA working if we comment out:
>>> cas.authn.mfa.duo[0].bypass.type=GROOVY
>>> cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy
>>> 
>>> We did find that CAS was unable to check to see if the user exists in Duo 
>>> if we used the “CAS” integration in Duo.  But it works if we set up the 
>>> integration as “Auth API”.
>>> 
>>> We haven’t touched webflow. With the groovy script in place, 
>>> 
>>> When we enable GROOVY bypass script, we get:
>>> 
>>> 2018-02-09 15:04:55,638 DEBUG 
>>> [org.springframework.webflow.engine.impl.FlowExecutionImpl] - >> to handle [org.springframework.webflow.execution.FlowExecutionException: 
>>> Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'] with root 
>>> cause [java.io.NotSerializableException: 
>>> org.springframework.core.io.UrlResource]>
>>> 
>>> As well as the stack trace Brian M. provided.
>>> 
>>> cas.authn.mfa.duo[0].bypass.groovy.location was the 
>>> missing piece 

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-10 Thread Man H
Why do you have this?


  
javax.servlet
servlet-api
2.5
jar



On Saturday, February 10, 2018, Brian Davidson wrote:

> Running on apache-tomcat-8.5.24, so that should be servlet v3.1.x.
>
> Yes, this is CAS version 5.2.2.
>
> CAS w/ Duo works with no bypass groovy script in place.  CAS  works with
> bypass groovy script that returns false.  We’re just getting the exception
> when the groovy script returns true.
>
> Thanks again for all the help!
>
>
>
>
> External
>
> A CAS deployment may be deployed to any number of external servlet
> containers. The container MUST support the servlet specification v3.1.x at
> a minimum.
>
> On Feb 10, 2018, at 6:37 AM, Man H  wrote:
>
> Assuming you are on 5.2.2
>
> On Saturday, February 10, 2018, Brian Davidson wrote:
>
>> I meant to add, our pom.xml has the following dependencies (in case we’re
>> missing something):
>>
>> 
>> 
>> org.apereo.cas
>> cas-server-webapp-${app.server}
>> ${cas.version}
>> war
>> runtime
>> 
>> 
>> org.apereo.cas
>> cas-server-support-ldap
>> ${cas.version}
>> 
>> 
>> org.apereo.cas
>> cas-server-support-saml
>> ${cas.version}
>> 
>> 
>> org.apereo.cas
>> cas-server-support-hazelcast-ticket-registry
>> ${cas.version}
>> 
>> 
>> org.apereo.cas
>> cas-server-support-duo
>> ${cas.version}
>> 
>> 
>> org.apereo.cas
>> cas-server-support-json-service-registry
>> ${cas.version}
>> 
>> 
>> org.javassist
>> javassist
>> 3.17.1-GA
>> 
>> 
>> javax.servlet
>> servlet-api
>> 2.5
>> jar
>> 
>> 
>> org.apereo.cas
>> cas-server-core-webflow
>> ${cas.version}
>> 
>> 
>> org.apereo.cas
>> cas-server-core-web
>> ${cas.version}
>> jar
>> 
>> 
>> org.apereo.cas
>> cas-server-core-configuration
>> ${cas.version}
>> jar
>> 
>> 
>> org.apereo.cas
>>cas-server-core-authentication
>>${cas.version}
>> 
>> 
>>
>>
>> On Feb 9, 2018, at 5:19 PM, Man H  wrote:
>>
>>
>> add
>> 
>>  org.apereo.cas
>>  cas-server-core-authentication
>>  ${cas.version}
>> 
>>
>> with:
>>
>> cas.authn.mfa.duo[0].bypass.type=GROOVY
>> cas.authn.mfa.duo[0].bypass.groovy.location=file:/etc/cas/config/mfaGroovyTrigger.groovy
>>
>> you should get
>>
>> 2018-02-09 19:10:39,145 DEBUG [org.apereo.cas.authentication
>> .GroovyMultifactorAuthenticationProviderBypass] - > multifactor authentication bypass properties for principal [casuser],
>> service [null] and provider [DefaultDuoMultifactorAuthenticationProvider]
>> via Groovy script [URL [file:/etc/cas/config/mfaGroovyTrigger.groovy]]>
>>
>>
>>
>>
>>
>> 2018-02-09 17:11 GMT-03:00 Brian Davidson :
>>
>>> Just to add a bit to what Brian M. provided (I’m also a Brian, and a
>>> co-worker of Brian M’s):
>>>
>>> We have Duo MFA working if we comment out:
>>> cas.authn.mfa.duo[0].bypass.type=GROOVY
>>> cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy
>>>
>>> We did find that CAS was unable to check to see if the user exists in
>>> Duo if we used the “CAS” integration in Duo.  But it works if we set up the
>>> integration as “Auth API”.
>>>
>>> We haven’t touched webflow. With the groovy script in place,
>>>
>>> When we enable GROOVY bypass script, we get:
>>>
>>> 2018-02-09 15:04:55,638 DEBUG 
>>> [org.springframework.webflow.engine.impl.FlowExecutionImpl]
>>> - >> xecution.FlowExecutionException: Exception thrown in state
>>> 'viewLoginFormDuo' of flow 'mfa-duo'] with root cause [java.io
>>> .NotSerializableException: org.springframework.core.io.UrlResource]>
>>>
>>> As well as the stack trace Brian M. provided.
>>>
>>> cas.authn.mfa.duo[0].bypass.groovy.location was the missing piece
>>> yesterday.  Dug through source code to find that.  We’re happy to provide
>>> updates to the documentation once we get this working.
>>>
>>> Thanks for the help!
>>>
>>> On Feb 9, 2018, at 10:14 AM, brian mancuso  wrote:
>>>
>>> Anything that says "REMOVED" is just stuff I pulled out before posting
>>> it. I didn't want to post any private/sensitive information.
>>>
>>> On Friday, February 9, 2018 at 9:59:12 AM UTC-5, Manfredo Hopp wrote:
>>>>
>>>> What do you mean by REMOVED in properties?
>>>>
>>>> El

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-10 Thread Man H
Assuming you are on 5.2.2

On Saturday, February 10, 2018, Brian Davidson wrote:

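> I meant to add, our pom.xml has the following dependencies (in case we’re
> missing something):
>
> <dependencies>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-webapp-${app.server}</artifactId>
>     <version>${cas.version}</version>
>     <type>war</type>
>     <scope>runtime</scope>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-ldap</artifactId>
>     <version>${cas.version}</version>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-saml</artifactId>
>     <version>${cas.version}</version>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-hazelcast-ticket-registry</artifactId>
>     <version>${cas.version}</version>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-duo</artifactId>
>     <version>${cas.version}</version>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-json-service-registry</artifactId>
>     <version>${cas.version}</version>
>   </dependency>
>   <dependency>
>     <groupId>org.javassist</groupId>
>     <artifactId>javassist</artifactId>
>     <version>3.17.1-GA</version>
>   </dependency>
>   <dependency>
>     <groupId>javax.servlet</groupId>
>     <artifactId>servlet-api</artifactId>
>     <version>2.5</version>
>     <type>jar</type>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-core-webflow</artifactId>
>     <version>${cas.version}</version>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-core-web</artifactId>
>     <version>${cas.version}</version>
>     <type>jar</type>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-core-configuration</artifactId>
>     <version>${cas.version}</version>
>     <type>jar</type>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-core-authentication</artifactId>
>     <version>${cas.version}</version>
>   </dependency>
> </dependencies>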
>
>
> On Feb 9, 2018, at 5:19 PM, Man H  wrote:
>
>
> add
> <dependency>
>   <groupId>org.apereo.cas</groupId>
>   <artifactId>cas-server-core-authentication</artifactId>
>   <version>${cas.version}</version>
> </dependency>
>
> with:
>
> cas.authn.mfa.duo[0].bypass.type=GROOVY
> cas.authn.mfa.duo[0].bypass.groovy.location=file:/etc/cas/config/mfaGroovyTrigger.groovy
>
> you should get
>
> 2018-02-09 19:10:39,145 DEBUG [org.apereo.cas.authentication.
> GroovyMultifactorAuthenticationProviderBypass] -  authentication bypass properties for principal [casuser], service [null]
> and provider [DefaultDuoMultifactorAuthenticationProvider] via Groovy
> script [URL [file:/etc/cas/config/mfaGroovyTrigger.groovy]]>
>
>
>
>
>
> 2018-02-09 17:11 GMT-03:00 Brian Davidson :
>
>> Just to add a bit to what Brian M. provided (I’m also a Brian, and a
>> co-worker of Brian M’s):
>>
>> We have Duo MFA working if we comment out:
>> cas.authn.mfa.duo[0].bypass.type=GROOVY
>> cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy
>>
>> We did find that CAS was unable to check to see if the user exists in Duo
>> if we used the “CAS” integration in Duo.  But it works if we set up the
>> integration as “Auth API”.
>>
>> We haven’t touched webflow. With the groovy script in place,
>>
>> When we enable GROOVY bypass script, we get:
>>
>> 2018-02-09 15:04:55,638 DEBUG 
>> [org.springframework.webflow.engine.impl.FlowExecutionImpl]
>> - > xecution.FlowExecutionException: Exception thrown in state
>> 'viewLoginFormDuo' of flow 'mfa-duo'] with root cause [java.io
>> .NotSerializableException: org.springframework.core.io.UrlResource]>
>>
>> As well as the stack trace Brian M. provided.
>>
>> cas.authn.mfa.duo[0].bypass.groovy.location was the missing piece
>> yesterday.  Dug through source code to find that.  We’re happy to provide
>> updates to the documentation once we get this working.
>>
>> Thanks for the help!
>>
>> On Feb 9, 2018, at 10:14 AM, brian mancuso  wrote:
>>
>> Anything that says "REMOVED" is just stuff I pulled out before posting
>> it. I didn't want to post any private/sensitive information.
>>
>> On Friday, February 9, 2018 at 9:59:12 AM UTC-5, Manfredo Hopp wrote:
>>>
>>> What do you mean by REMOVED in properties?
>>>
>>> On Friday, February 9, 2018, brian mancuso wrote:
>>>
>>>> Hey all,
>>>>
>>>> I was originally trying to set up some custom triggers to determine who
>>>> should use MFA and who is allowed to bypass. I have since been directed
>>>> towards Groovy to simplify things, but I'm still having some trouble.
>>>>
>>>> At this point, the Groovy script's purpose is strictly to test if a
>>>> certain user will bypass MFA while others will not. Here's my setup:
>>>>
>>>> */etc/cas/config/cas.properties*
>>>>
>>>> ##
>>>> # Duo security 2fa authentication provider
>>>> # https://www.duosecurity.com/docs/duoweb#1.-generate-an-akey
>>>> #
>>>> cas.authn.mfa.duo[0].rank=0
>>>> cas.authn.mfa.duo[0].duoApiHost=REMOVED
>>>> cas.authn.mfa.duo[0].duoIntegrationKey=REMOVED
>>>> cas.authn.mfa.duo[0].duoSecretKey=REMOVED
>>>> cas.authn.mfa.duo[0].duoApplicationKey=REMOVED
>>>> cas.authn.mfa.duo[0].id=mfa-duo
 

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-10 Thread Man H

External

A CAS deployment may be deployed to any number of external servlet
containers. The container MUST support the servlet specification v3.1.x at
a minimum.


https://apereo.github.io/cas/5.2.x/installation/Configuring-Servlet-Container.html

On Saturday, February 10, 2018, Brian Davidson wrote:

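> I meant to add, our pom.xml has the following dependencies (in case we’re
> missing something):
>
> <dependencies>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-webapp-${app.server}</artifactId>
>     <version>${cas.version}</version>
>     <type>war</type>
>     <scope>runtime</scope>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-ldap</artifactId>
>     <version>${cas.version}</version>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-saml</artifactId>
>     <version>${cas.version}</version>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-hazelcast-ticket-registry</artifactId>
>     <version>${cas.version}</version>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-duo</artifactId>
>     <version>${cas.version}</version>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-json-service-registry</artifactId>
>     <version>${cas.version}</version>
>   </dependency>
>   <dependency>
>     <groupId>org.javassist</groupId>
>     <artifactId>javassist</artifactId>
>     <version>3.17.1-GA</version>
>   </dependency>
>   <dependency>
>     <groupId>javax.servlet</groupId>
>     <artifactId>servlet-api</artifactId>
>     <version>2.5</version>
>     <type>jar</type>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-core-webflow</artifactId>
>     <version>${cas.version}</version>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-core-web</artifactId>
>     <version>${cas.version}</version>
>     <type>jar</type>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-core-configuration</artifactId>
>     <version>${cas.version}</version>
>     <type>jar</type>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-core-authentication</artifactId>
>     <version>${cas.version}</version>
>   </dependency>
> </dependencies>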
>
>
> On Feb 9, 2018, at 5:19 PM, Man H  wrote:
>
>
> add
> <dependency>
>   <groupId>org.apereo.cas</groupId>
>   <artifactId>cas-server-core-authentication</artifactId>
>   <version>${cas.version}</version>
> </dependency>
>
> with:
>
> cas.authn.mfa.duo[0].bypass.type=GROOVY
> cas.authn.mfa.duo[0].bypass.groovy.location=file:/etc/cas/config/mfaGroovyTrigger.groovy
>
> you should get
>
> 2018-02-09 19:10:39,145 DEBUG [org.apereo.cas.authentication.
> GroovyMultifactorAuthenticationProviderBypass] -  authentication bypass properties for principal [casuser], service [null]
> and provider [DefaultDuoMultifactorAuthenticationProvider] via Groovy
> script [URL [file:/etc/cas/config/mfaGroovyTrigger.groovy]]>
>
>
>
>
>
> 2018-02-09 17:11 GMT-03:00 Brian Davidson :
>
>> Just to add a bit to what Brian M. provided (I’m also a Brian, and a
>> co-worker of Brian M’s):
>>
>> We have Duo MFA working if we comment out:
>> cas.authn.mfa.duo[0].bypass.type=GROOVY
>> cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy
>>
>> We did find that CAS was unable to check to see if the user exists in Duo
>> if we used the “CAS” integration in Duo.  But it works if we set up the
>> integration as “Auth API”.
>>
>> We haven’t touched webflow. With the groovy script in place,
>>
>> When we enable GROOVY bypass script, we get:
>>
>> 2018-02-09 15:04:55,638 DEBUG 
>> [org.springframework.webflow.engine.impl.FlowExecutionImpl]
>> - > xecution.FlowExecutionException: Exception thrown in state
>> 'viewLoginFormDuo' of flow 'mfa-duo'] with root cause [java.io
>> .NotSerializableException: org.springframework.core.io.UrlResource]>
>>
>> As well as the stack trace Brian M. provided.
>>
>> cas.authn.mfa.duo[0].bypass.groovy.location was the missing piece
>> yesterday.  Dug through source code to find that.  We’re happy to provide
>> updates to the documentation once we get this working.
>>
>> Thanks for the help!
>>
>> On Feb 9, 2018, at 10:14 AM, brian mancuso  wrote:
>>
>> Anything that says "REMOVED" is just stuff I pulled out before posting
>> it. I didn't want to post any private/sensitive information.
>>
>> On Friday, February 9, 2018 at 9:59:12 AM UTC-5, Manfredo Hopp wrote:
>>>
>>> What do you mean by REMOVED in properties?
>>>
>>> On Friday, February 9, 2018, brian mancuso wrote:
>>>
>>>> Hey all,
>>>>
>>>> I was originally trying to set up some custom triggers to determine who
>>>> should use MFA and who is allowed to bypass. I have since been directed
>>>> towards Groovy to simplify things, but I'm still having some trouble.
>>>>
>>>> At this point, the Groovy script's purpose is strictly to test if a
>>>> certain user will bypass MFA while others will not. Here's my setup:
>>>>
>>>> */etc/cas/config/cas.properties*
>>>>
>>>> ##
>>>> # Duo security 2fa authentication provider
>>>> #

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-09 Thread Brian Davidson
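I meant to add, our pom.xml has the following dependencies (in case we’re 
missing something):

<dependencies>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp-${app.server}</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-ldap</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-saml</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-hazelcast-ticket-registry</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-duo</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-json-service-registry</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.javassist</groupId>
        <artifactId>javassist</artifactId>
        <version>3.17.1-GA</version>
    </dependency>
    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>servlet-api</artifactId>
        <version>2.5</version>
        <type>jar</type>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-core-webflow</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-core-web</artifactId>
        <version>${cas.version}</version>
        <type>jar</type>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-core-configuration</artifactId>
        <version>${cas.version}</version>
        <type>jar</type>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-core-authentication</artifactId>
        <version>${cas.version}</version>
    </dependency>
</dependencies>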


> On Feb 9, 2018, at 5:19 PM, Man H  wrote:
> 
> 
> add
> <dependency>
>   <groupId>org.apereo.cas</groupId>
>   <artifactId>cas-server-core-authentication</artifactId>
>   <version>${cas.version}</version>
> </dependency>
> 
> with: 
> 
> cas.authn.mfa.duo[0].bypass.type=GROOVY
> cas.authn.mfa.duo[0].bypass.groovy.location=file:/etc/cas/config/mfaGroovyTrigger.groovy
> 
> you should get
> 
> 2018-02-09 19:10:39,145 DEBUG 
> [org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] 
> -  [casuser], service [null] and provider 
> [DefaultDuoMultifactorAuthenticationProvider] via Groovy script [URL 
> [file:/etc/cas/config/mfaGroovyTrigger.groovy]]>
> 
> 
> 
> 
> 
> 2018-02-09 17:11 GMT-03:00 Brian Davidson:
> Just to add a bit to what Brian M. provided (I’m also a Brian, and a 
> co-worker of Brian M’s):
> 
> We have Duo MFA working if we comment out:
> cas.authn.mfa.duo[0].bypass.type=GROOVY
> cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy
> 
> We did find that CAS was unable to check to see if the user exists in Duo if 
> we used the “CAS” integration in Duo.  But it works if we set up the 
> integration as “Auth API”.
> 
> We haven’t touched webflow. With the groovy script in place, 
> 
> When we enable GROOVY bypass script, we get:
> 
> 2018-02-09 15:04:55,638 DEBUG 
> [org.springframework.webflow.engine.impl.FlowExecutionImpl] -  handle [org.springframework.webflow.execution.FlowExecutionException: 
> Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'] with root 
> cause [java.io.NotSerializableException: 
> org.springframework.core.io.UrlResource]>
> 
> As well as the stack trace Brian M. provided.
> 
> cas.authn.mfa.duo[0].bypass.groovy.location was the missing piece yesterday.  
> Dug through source code to find that.  We’re happy to provide updates to the 
> documentation once we get this working.
> 
> Thanks for the help!
> 
>> On Feb 9, 2018, at 10:14 AM, brian mancuso wrote:
>> 
>> Anything that says "REMOVED" is just stuff I pulled out before posting it. I 
>> didn't want to post any private/sensitive information.
>> 
>> On Friday, February 9, 2018 at 9:59:12 AM UTC-5, Manfredo Hopp wrote:
>> What do you mean by REMOVED in properties?
>> 
>> On Friday, February 9, 2018, brian mancuso wrote:
>> Hey all,
>> 
>> I was originally trying to setup some custom triggers to determine who 
>> should use MFA and who is allowed to bypass. I have since been directed 
>> towards Groovy to simplify things, but I'm still having some trouble.
>> 
>> At this point, the Groovy script's purpose is strictly to test if a certain 
>> user will bypass MFA while others will not. Here's my setup:
>> 
>> /etc/cas/config/cas.properties
>> 
>> ##
>> # Duo security 2fa authentication provider
>> # https://www.duosecurity.com/docs/duoweb#1.-generate-an-akey 
>> 
>> #
>> cas.authn.mfa.duo[0].rank=0
>> cas.authn.mfa.duo[0].duoApiHost=REMOVED
>> cas.authn.mfa.duo[0].duoIntegrationKey=REMOVED
>> cas.authn.mfa.duo[0].duoSecretKey=REMOVED
>> cas.authn.mfa.duo[0].duoApplicationKey=REMOVED
>> cas.authn.mfa.duo[0].id=mfa-duo
>> cas.authn.mfa.globalProviderId=mfa-duo
>> cas.authn.mfa.globalFailureMode=OPEN
>> cas.authn.mfa.duo[0].bypass.type=GROOVY
>> 

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-09 Thread Brian Davidson
Added cas-server-core-authentication dependency.  Still getting the same 
exception.

I do get:

2018-02-09 23:31:04,841 DEBUG 
[org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] - 


We’ve had that working since adding the bypass.type=GROOVY and 
bypass.groovy.location I mentioned in the previous email.

We then get:

2018-02-09 23:31:06,088 DEBUG 
[org.apereo.cas.authentication.AbstractMultifactorAuthenticationProvider] - 
<[DefaultDuoMultifactorAuthenticationProvider] voted to support this 
authentication request>

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-09 Thread Man H
add

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-core-authentication</artifactId>
    <version>${cas.version}</version>
</dependency>

with:

cas.authn.mfa.duo[0].bypass.type=GROOVY
cas.authn.mfa.duo[0].bypass.groovy.location=file:/etc/cas/config/mfaGroovyTrigger.groovy

you should get

2018-02-09 19:10:39,145 DEBUG
[org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass]
- 





2018-02-09 17:11 GMT-03:00 Brian Davidson :

> Just to add a bit to what Brian M. provided (I’m also a Brian, and a
> co-worker of Brian M’s):
>
> We have Duo MFA working if we comment out:
> cas.authn.mfa.duo[0].bypass.type=GROOVY
> cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy
>
> We did find that CAS was unable to check to see if the user exists in Duo
> if we used the “CAS” integration in Duo.  But it works if we set up the
> integration as “Auth API”.
>
> We haven’t touched webflow. With the groovy script in place,
>
> When we enable GROOVY bypass script, we get:
>
> 2018-02-09 15:04:55,638 DEBUG 
> [org.springframework.webflow.engine.impl.FlowExecutionImpl]
> -  [org.springframework.webflow.execution.FlowExecutionException:
> Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'] with root
> cause [java.io.NotSerializableException: org.springframework.core.io.
> UrlResource]>
>
> As well as the stack trace Brian M. provided.
>
> cas.authn.mfa.duo[0].bypass.groovy.location was the missing piece
> yesterday.  Dug through source code to find that.  We’re happy to provide
> updates to the documentation once we get this working.
>
> Thanks for the help!
>
> On Feb 9, 2018, at 10:14 AM, brian mancuso  wrote:
>
> Anything that says "REMOVED" is just stuff I pulled out before posting it.
> I didn't want to post any private/sensitive information.
>
> On Friday, February 9, 2018 at 9:59:12 AM UTC-5, Manfredo Hopp wrote:
>>
>> What do you mean by REMOVED in properties?
>>
>> On Friday, February 9, 2018, brian mancuso wrote:
>>
>>> Hey all,
>>>
>>> I was originally trying to setup some custom triggers to determine who
>>> should use MFA and who is allowed to bypass. I have since been directed
>>> towards Groovy to simplify things, but I'm still having some trouble.
>>>
>>> At this point, the Groovy script's purpose is strictly to test if a
>>> certain user will bypass MFA while others will not. Here's my setup:
>>>
>>> */etc/cas/config/cas.properties*
>>>
>>> ##
>>> # Duo security 2fa authentication provider
>>> # https://www.duosecurity.com/docs/duoweb#1.-generate-an-akey
>>> #
>>> cas.authn.mfa.duo[0].rank=0
>>> cas.authn.mfa.duo[0].duoApiHost=REMOVED
>>> cas.authn.mfa.duo[0].duoIntegrationKey=REMOVED
>>> cas.authn.mfa.duo[0].duoSecretKey=REMOVED
>>> cas.authn.mfa.duo[0].duoApplicationKey=REMOVED
>>> cas.authn.mfa.duo[0].id=mfa-duo
>>> cas.authn.mfa.globalProviderId=mfa-duo
>>> cas.authn.mfa.globalFailureMode=OPEN
>>> cas.authn.mfa.duo[0].bypass.type=GROOVY
>>> cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy
>>>
>>>
>>> */etc/cas/selectiveDuo.groovy*
>>>
>>> def boolean run(final Object... args) {
>>>     def authentication = args[0]
>>>     def principal = args[1]
>>>     def service = args[2]
>>>     def provider = args[3]
>>>     def logger = args[4]
>>>     def httpRequest = args[5]
>>>
>>>     logger.info("Evaluating principal attributes ${principal.attributes}")
>>>
>>>     def bypass = principal.attributes['uid']
>>>     if (bypass.contains("testuser") && provider.id == "mfa-duo") {
>>>         logger.info("Skipping bypass for principal ${principal.id}")
>>>         return false
>>>     }
>>>
>>>     return true
>>> }
>>>
>>>
>>> When I try to login though, whenever a user would be sent to DUO, I get
>>> a 500 error:
>>>
>>>
>>> 
>>>
>>> Here's a small snippet from the output:
>>>
>>> 2018-02-09 09:04:05,717 DEBUG 
>>> [org.apereo.cas.web.FlowExecutionExceptionResolver]
>>> - 
>>> org.springframework.webflow.execution.FlowExecutionException: Exception
>>> thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
>>> at 
>>> org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573)
>>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>> at org.springframework.webflow.engine.impl.FlowExecutionImpl.re
>>> sume(FlowExecutionImpl.java:263) ~[spring-webflow-2.4.6.RELEASE
>>> .jar:2.4.6.RELEASE]
>>> at org.springframework.webflow.executor.FlowExecutorImpl.resume
>>> Execution(FlowExecutorImpl.java:169) ~[spring-webflow-2.4.6.RELEASE
>>> .jar:2.4.6.RELEASE]
>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> ~[?:1.8.0_151]
>>>
>>> Caused by: 
>>> org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException:
>>> Error encoding flow execution

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-09 Thread Brian Davidson
Just to add a bit to what Brian M. provided (I’m also a Brian, and a co-worker 
of Brian M’s):

We have Duo MFA working if we comment out:
cas.authn.mfa.duo[0].bypass.type=GROOVY
cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy 


We did find that CAS was unable to check to see if the user exists in Duo if we 
used the “CAS” integration in Duo.  But it works if we set up the integration 
as “Auth API”.

We haven’t touched webflow. With the groovy script in place, 

When we enable GROOVY bypass script, we get:

2018-02-09 15:04:55,638 DEBUG 
[org.springframework.webflow.engine.impl.FlowExecutionImpl] - 

As well as the stack trace Brian M. provided.

cas.authn.mfa.duo[0].bypass.groovy.location was the missing piece yesterday.  
Dug through source code to find that.  We’re happy to provide updates to the 
documentation once we get this working.

Thanks for the help!

> On Feb 9, 2018, at 10:14 AM, brian mancuso  wrote:
> 
> Anything that says "REMOVED" is just stuff I pulled out before posting it. I 
> didn't want to post any private/sensitive information.
> 
> On Friday, February 9, 2018 at 9:59:12 AM UTC-5, Manfredo Hopp wrote:
> What do you mean by REMOVED in properties?
> 
> On Friday, February 9, 2018, brian mancuso wrote:
> Hey all,
> 
> I was originally trying to setup some custom triggers to determine who should 
> use MFA and who is allowed to bypass. I have since been directed towards 
> Groovy to simplify things, but I'm still having some trouble.
> 
> At this point, the Groovy script's purpose is strictly to test if a certain 
> user will bypass MFA while others will not. Here's my setup:
> 
> /etc/cas/config/cas.properties
> 
> ##
> # Duo security 2fa authentication provider
> # https://www.duosecurity.com/docs/duoweb#1.-generate-an-akey 
> 
> #
> cas.authn.mfa.duo[0].rank=0
> cas.authn.mfa.duo[0].duoApiHost=REMOVED
> cas.authn.mfa.duo[0].duoIntegrationKey=REMOVED
> cas.authn.mfa.duo[0].duoSecretKey=REMOVED
> cas.authn.mfa.duo[0].duoApplicationKey=REMOVED
> cas.authn.mfa.duo[0].id=mfa-duo
> cas.authn.mfa.globalProviderId=mfa-duo
> cas.authn.mfa.globalFailureMode=OPEN
> cas.authn.mfa.duo[0].bypass.type=GROOVY
> cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy
> 
> 
> /etc/cas/selectiveDuo.groovy
> 
> def boolean run(final Object... args) {
>     def authentication = args[0]
>     def principal = args[1]
>     def service = args[2]
>     def provider = args[3]
>     def logger = args[4]
>     def httpRequest = args[5]
> 
>     logger.info("Evaluating principal attributes ${principal.attributes}")
> 
>     def bypass = principal.attributes['uid']
>     if (bypass.contains("testuser") && provider.id == "mfa-duo") {
>         logger.info("Skipping bypass for principal ${principal.id}")
>         return false
>     }
> 
>     return true
> }
> 
> 
> When I try to login though, whenever a user would be sent to DUO, I get a 500 
> error:
> 
>  
> 
> 
> Here's a small snippet from the output:
> 
> 2018-02-09 09:04:05,717 DEBUG 
> [org.apereo.cas.web.FlowExecutionExceptionResolver] -  exception due to a type mismatch>
> org.springframework.webflow.execution.FlowExecutionException: Exception 
> thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
>   at 
> org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573)
>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>   at 
> org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263)
>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>   at 
> org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169)
>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
> ~[?:1.8.0_151]
> 
> Caused by: 
> org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException: 
> Error encoding flow execution
>   at 
> org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.getKey(ClientFlowExecutionRepository.java:114)
>  ~[spring-webflow-client-repo-1.0.3.jar:1.0.3]
>   at 
> org.springframework.webflow.engine.impl.FlowExecutionImpl.assignKey(FlowExecutionImpl.java:419)
>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>   at 
> org.springframework.webflow.engine.impl.RequestControlContextImpl.assignFlowExecutionKey(RequestControlContextImpl.java:193)
>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
> 
> Caused by: java.io.NotSerializableException: 
> org.springframework.core.io.UrlResource
>   at 
> 
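
Added example (not part of any message in this thread and not CAS code): the root cause quoted above is Java serialization of the flow execution failing on a UrlResource. The code below reproduces that failure mode with the JDK alone and shows one general way to keep such a handle out of the serialized form; every class name in it is a hypothetical stand-in, and it does not describe how CAS itself resolved the issue.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class FlowStateSerializationDemo {

    /** Stand-in for a resource handle such as UrlResource: deliberately NOT Serializable. */
    static final class ScriptResource {
        final String location;
        ScriptResource(String location) { this.location = location; }
    }

    /** Hypothetical bypass evaluator that keeps the resource handle as an ordinary field. */
    static final class BypassKeepingResource implements Serializable {
        private static final long serialVersionUID = 1L;
        private final ScriptResource script;
        BypassKeepingResource(String location) { this.script = new ScriptResource(location); }
    }

    /** Same evaluator, but only the location string is part of the serialized form. */
    static final class BypassKeepingLocation implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String location;
        private transient ScriptResource script; // skipped by ObjectOutputStream
        BypassKeepingLocation(String location) { this.location = location; }
        ScriptResource script() {
            if (script == null) { // also null again after deserialization
                script = new ScriptResource(location);
            }
            return script;
        }
    }

    /** Hypothetical provider object held in flow state; it references its bypass evaluator. */
    static final class Provider implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String id;
        private final Serializable bypass;
        Provider(String id, Serializable bypass) { this.id = id; this.bypass = bypass; }
    }

    /**
     * Serializes the whole object graph with ObjectOutputStream, the same JDK
     * mechanism that appears in the stack trace. Returns null on success,
     * otherwise the exception message, which names the first class in the
     * graph that is not Serializable.
     */
    static String firstNonSerializable(Object root) throws IOException {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(root);
            return null;
        } catch (NotSerializableException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        String location = "file:///etc/cas/selectiveDuo.groovy"; // value from the thread

        Provider failing = new Provider("mfa-duo", new BypassKeepingResource(location));
        Provider passing = new Provider("mfa-duo", new BypassKeepingLocation(location));

        // On OpenJDK-based JVMs, -Dsun.io.serialization.extendedDebugInfo=true makes the
        // exception message also list the chain of fields that led to the offending object.
        System.out.println("handle kept as field:     " + firstNonSerializable(failing));
        System.out.println("handle marked transient:  " + firstNonSerializable(passing));
    }
}
```

The same extendedDebugInfo system property can be set on the servlet container's JVM to see which field of the flow state holds the non-serializable object.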

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-09 Thread Man H
What do you mean by REMOVED in properties?

On Friday, February 9, 2018, brian mancuso wrote:

> Hey all,
>
> I was originally trying to set up some custom triggers to determine who
> should use MFA and who is allowed to bypass. I have since been directed
> towards Groovy to simplify things, but I'm still having some trouble.
>
> At this point, the Groovy script's purpose is strictly to test if a
> certain user will bypass MFA while others will not. Here's my setup:
>
> */etc/cas/config/cas.properties*
>
> ##
> # Duo security 2fa authentication provider
> # https://www.duosecurity.com/docs/duoweb#1.-generate-an-akey
> #
> cas.authn.mfa.duo[0].rank=0
> cas.authn.mfa.duo[0].duoApiHost=REMOVED
> cas.authn.mfa.duo[0].duoIntegrationKey=REMOVED
> cas.authn.mfa.duo[0].duoSecretKey=REMOVED
> cas.authn.mfa.duo[0].duoApplicationKey=REMOVED
> cas.authn.mfa.duo[0].id=mfa-duo
> cas.authn.mfa.globalProviderId=mfa-duo
> cas.authn.mfa.globalFailureMode=OPEN
> cas.authn.mfa.duo[0].bypass.type=GROOVY
> cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy
>
>
> */etc/cas/selectiveDuo.groovy*
>
> def boolean run(final Object... args) {
>     def authentication = args[0]
>     def principal = args[1]
>     def service = args[2]
>     def provider = args[3]
>     def logger = args[4]
>     def httpRequest = args[5]
>
>     logger.info("Evaluating principal attributes ${principal.attributes}")
>
>     def bypass = principal.attributes['uid']
>     if (bypass.contains("testuser") && provider.id == "mfa-duo") {
>         logger.info("Skipping bypass for principal ${principal.id}")
>         return false
>     }
>
>     return true
> }
>
>
> When I try to log in though, whenever a user would be sent to DUO, I get a
> 500 error:
>
>
> 
>
> Here's a small snippet from the output:
>
> 2018-02-09 09:04:05,717 DEBUG [org.apereo.cas.web.
> FlowExecutionExceptionResolver] -  a type mismatch>
> org.springframework.webflow.execution.FlowExecutionException: Exception
> thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
> at org.springframework.webflow.engine.impl.FlowExecutionImpl.
> wrap(FlowExecutionImpl.java:573) ~[spring-webflow-2.4.6.
> RELEASE.jar:2.4.6.RELEASE]
> at org.springframework.webflow.engine.impl.FlowExecutionImpl.
> resume(FlowExecutionImpl.java:263) ~[spring-webflow-2.4.6.
> RELEASE.jar:2.4.6.RELEASE]
> at 
> org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169)
> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> ~[?:1.8.0_151]
>
> Caused by: 
> org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException:
> Error encoding flow execution
> at org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.getKey(
> ClientFlowExecutionRepository.java:114) ~[spring-webflow-client-repo-
> 1.0.3.jar:1.0.3]
> at org.springframework.webflow.engine.impl.FlowExecutionImpl.
> assignKey(FlowExecutionImpl.java:419) ~[spring-webflow-2.4.6.
> RELEASE.jar:2.4.6.RELEASE]
> at org.springframework.webflow.engine.impl.RequestControlContextImpl.
> assignFlowExecutionKey(RequestControlContextImpl.java:193)
> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>
> Caused by: java.io.NotSerializableException: org.springframework.core.io.
> UrlResource
> at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184)
> ~[?:1.8.0_151]
> at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
> ~[?:1.8.0_151]
> at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
> ~[?:1.8.0_151]
> at 
> java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
> ~[?:1.8.0_151]
> at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
> ~[?:1.8.0_151]
> at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
> ~[?:1.8.0_151]
> at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
> ~[?:1.8.0_151]
>
> 2018-02-09 09:04:05,717 ERROR 
> [org.springframework.boot.web.support.ErrorPageFilter]
> -  [Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo']>
> org.springframework.webflow.execution.FlowExecutionException: Exception
> thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
> at org.springframework.webflow.engine.impl.FlowExecutionImpl.
> wrap(FlowExecutionImpl.java:573) ~[spring-webflow-2.4.6.
> RELEASE.jar:2.4.6.RELEASE]
> at org.springframework.webflow.engine.impl.FlowExecutionImpl.
> resume(FlowExecutionImpl.java:263) ~[spring-webflow-2.4.6.
> RELEASE.jar:2.4.6.RELEASE]
> at 
> org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169)
> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
> at