Add 'unauthorizedRedirectUrl' usable for pac4j module #3138

Closed
wants to merge 5 commits into from

Contributor

@cifren cifren commented Jan 15, 2018

P4j had a crash when trying to use the service option 'unauthorizedRedirectUrl'.

I had to:

  • manage exception in DelegatedClientAuthenticationAction.java in order to be able to catch an exception event in the webflow
  • add a new webflow transition catching this event
  • add a new action handling the new exception and redirect to 'unauthorizedRedirectUrl'
  • add a 'initialFlowSetupP4jAction', the goal is to setup variables when entering the 'P4jFailure' action. The default initLoginForm action is not working because of the exit of the webflow when communicating with tiers application.

How to test it:

  • add a new 'cas.authn.pac4j.oidc[0]' client
  • set up a new access strategy for your service:

"accessStrategy": {
  "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
  "unauthorizedRedirectUrl" : "https://google.com",
  "requiredAttributes" : {
    "@class" : "java.util.HashMap",
    // fake parameter forcing CAS to redirect
    "uids" : [ "java.util.HashSet", [ ".*" ] ]
  }
}

What should happen:

  • On OIDC validation, CAS should redirect to google if it doesn't find the 'uids' when logging

What is happening:

  • CAS crashes and displays an issue that it doesn't find webflow action to apply on clientLogin webflow action
  • However works fine on form default login

Where to find the example code used in these modifications:

  • org.apereo.cas.web.flow.configurer.DefaultWebflowConfigurer
  • org.apereo.cas.web.flow.GenerateServiceTicketAction

@mmoayyed
Member

Thanks very much for the change. A number of comments:

  1. There is no such thing called P4j. It's Pac4j. Please be consistent.
  2. The initial action that is added seems like it's entirely duplicated code from elsewhere, right?
  3. Please ensure the same patch is posted to the master branch as well.

@cifren cifren changed the title Add 'unauthorizedRedirectUrl' usable for p4j module Add 'unauthorizedRedirectUrl' usable for pac4j module Jan 16, 2018
@cifren
Contributor Author

cifren commented Jan 16, 2018

  1. Sorry for the typo on P4j...

  2. There is an initial action for the class initialFlowSetupP4jAction.java, it is initialFlowSetupAction.java, I didn't know if it was working, it needed only the context values. I could improve it and extend the initialAction instead of copy a part of it. Let me know what you think about it.

  3. I will do this when it is done with this part

try {
final TicketGrantingTicket tgt = this.centralAuthenticationService.createTicketGrantingTicket(authenticationResult);
WebUtils.putTicketGrantingTicketInScopes(context, tgt);
} catch (final PrincipalException e) {
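
Review bot: the catch clause handles only PrincipalException, and nothing at the catch site says why. Add a one-line comment above it stating that only this case is routed to the failure transition and that any other exception is meant to propagate, so a later cleanup does not widen it to Exception without noticing the change in behaviour.
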
Member

This probably should be catching Exception. Right?

Contributor Author

I catch only the exception I need in that case and I redirect it to the proper page, if I catch more, I am not sure the page will represent really the exception. As you wish, tell me and I'll make it.

Member

Cool. Thanks for the note. This is fine as is.

final TicketGrantingTicket tgt = this.centralAuthenticationService.createTicketGrantingTicket(authenticationResult);
WebUtils.putTicketGrantingTicketInScopes(context, tgt);
} catch (final PrincipalException e) {
LOGGER.warn("Could not grant service ticket [{}]. Routing to [{}]", e.getMessage(), CasWebflowConstants.TRANSITION_ID_AUTHENTICATION_FAILURE);
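
Review bot: in the LOGGER.warn call the second placeholder is filled with CasWebflowConstants.TRANSITION_ID_AUTHENTICATION_FAILURE, which is a constant, so the only variable information in the line is e.getMessage(). Pass e itself as the last argument so the stack trace is kept, and reword the message to match what the try block does, which is creating a ticket-granting ticket and putting it in scope.
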
Member

The log message here is incorrect. You're not granting service tickets here.

Contributor Author

I kind of copy that part, but the message from "RegisteredServiceAccessStrategyUtils.ensurePrincipalAccessIsAllowedForService" is 'LOGGER.warn("Cannot grant access to service [{}] because it is not authorized for use by [{}].", service.getId(), principalId);', It was pretty close for me which comes from the initial error.

I will remove and add a simpler one.

final ActionState actionState = createActionState(flow, "P4jFailure",
createEvaluateAction(CasWebflowConstants.ACTION_ID_AUTHENTICATION_EXCEPTION_HANDLER));

actionState.getEntryActionList().add(createEvaluateAction("initialFlowSetupP4jAction"));
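
Review bot: createEvaluateAction("initialFlowSetupP4jAction") names the entry action with a string literal, while the call two lines above uses the constant CasWebflowConstants.ACTION_ID_AUTHENTICATION_EXCEPTION_HANDLER. The literal has to stay identical to the name the action is registered under, which this excerpt does not show; define a constant for it and use that constant in both places.
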
Member

The action name must be changed too.

Contributor Author

Done

setStartState(flow, actionState);
}

private void createAuthnFailureAction(final Flow flow){
final ActionState actionState = createActionState(flow, "P4jFailure",
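
Review bot: the signature createAuthnFailureAction(final Flow flow){ is missing the space before the opening brace, and the method carries no comment saying which state it creates or when the flow enters it. Add the space and a short Javadoc that names the state and the transition leading to it.
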
Member

The action id must be changed too.

Contributor Author

Done

@@ -66,9 +70,23 @@ private void createClientActionActionState(final Flow flow) {
actionState.getTransitionSet().add(createTransition(CasWebflowConstants.TRANSITION_ID_ERROR, getStartState(flow).getId()));
actionState.getTransitionSet().add(createTransition(DelegatedClientAuthenticationAction.STOP,
DelegatedClientAuthenticationAction.STOP_WEBFLOW));
createTransitionForState(actionState, CasWebflowConstants.TRANSITION_ID_AUTHENTICATION_FAILURE, "P4jFailure");
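
Review bot: the target of the TRANSITION_ID_AUTHENTICATION_FAILURE transition is the literal "P4jFailure", which must equal the state id passed to createActionState in createAuthnFailureAction. Hold the id in a single constant, as is already done for DelegatedClientAuthenticationAction.STOP and STOP_WEBFLOW, so that renaming one occurrence cannot leave the transition pointing at a state that does not exist.
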
Member

The failure event id must be changed too.

Contributor Author

Done

@mmoayyed
Member

I could improve it and extend the initialAction instead of copy a part of it. Let me know what you think about it.

Sounds like a better idea to me. Override bits that you need, if any, while delegating much of the work to the InitialAction class.

Thanks for your help.

@cifren
Contributor Author

cifren commented Jan 17, 2018

I tried to override, but private method gives a little less flexibility. It means it didn't change that much the class except we know where it comes from. :)

…jInitialFlowSetupAction with InitialFlowSetupAction
@mmoayyed
Member

I tried to override, but private method gives a little less flexibility. It means it didn't change that much the class except we know where it comes from. :)

No. It simply means you need to take the method off of private. Otherwise, there'd be no point in extending the class.

@cifren
Contributor Author

cifren commented Jan 18, 2018

Changes have been applied

@mmoayyed
Member

Looks great. Thank you. Please post the same changeset for the master branch

@cifren
Contributor Author

cifren commented Jan 30, 2018

I made the changes on master #3172

@mmoayyed
Member

:support:cas-server-support-pac4j-core-clients:javadoc
/home/travis/build/apereo/cas/support/cas-server-support-pac4j-webflow/src/main/java/org/apereo/cas/web/flow/config/Pac4jWebflowConfiguration.java:6: error: package org.apereo.cas.util does not exist
import org.apereo.cas.util.CollectionUtils;
                          ^
/home/travis/build/apereo/cas/support/cas-server-support-pac4j-webflow/src/main/java/org/apereo/cas/web/flow/config/Pac4jWebflowConfiguration.java:12: error: cannot find symbol
import org.apereo.cas.web.support.CookieRetrievingCookieGenerator;
                                 ^
  symbol:   class CookieRetrievingCookieGenerator
  location: package org.apereo.cas.web.support
/home/travis/build/apereo/cas/support/cas-server-support-pac4j-webflow/src/main/java/org/apereo/cas/web/flow/config/Pac4jWebflowConfiguration.java:68: error: cannot find symbol
    private CookieRetrievingCookieGenerator ticketGrantingTicketCookieGenerator;
            ^
  symbol:   class CookieRetrievingCookieGenerator
  location: class Pac4jWebflowConfiguration
/home/travis/build/apereo/cas/support/cas-server-support-pac4j-webflow/src/main/java/org/apereo/cas/web/flow/config/Pac4jWebflowConfiguration.java:72: error: cannot find symbol
    private CookieRetrievingCookieGenerator warnCookieGenerator;
            ^
  symbol:   class CookieRetrievingCookieGenerator
  location: class Pac4jWebflowConfiguration
/home/travis/build/apereo/cas/support/cas-server-support-pac4j-webflow/src/main/java/org/apereo/cas/web/flow/Pac4jInitialFlowSetupAction.java:11: error: cannot find symbol
import org.apereo.cas.web.flow.InitialFlowSetupAction;
                              ^
  symbol:   class InitialFlowSetupAction
  location: package org.apereo.cas.web.flow
/home/travis/build/apereo/cas/support/cas-server-support-pac4j-webflow/src/main/java/org/apereo/cas/web/flow/Pac4jInitialFlowSetupAction.java:13: error: cannot find symbol
import org.apereo.cas.web.support.CookieRetrievingCookieGenerator;
                                 ^
  symbol:   class CookieRetrievingCookieGenerator
  location: package org.apereo.cas.web.support
/home/travis/build/apereo/cas/support/cas-server-support-pac4j-webflow/src/main/java/org/apereo/cas/web/flow/Pac4jInitialFlowSetupAction.java:30: error: cannot find symbol
public class Pac4jInitialFlowSetupAction extends InitialFlowSetupAction {
                                                 ^
  symbol: class InitialFlowSetupAction
/home/travis/build/apereo/cas/support/cas-server-support-pac4j-webflow/src/main/java/org/apereo/cas/web/flow/Pac4jInitialFlowSetupAction.java:37: error: cannot find symbol
                                  final CookieRetrievingCookieGenerator ticketGrantingTicketCookieGenerator,
                                        ^
  symbol:   class CookieRetrievingCookieGenerator
  location: class Pac4jInitialFlowSetupAction
/home/travis/build/apereo/cas/support/cas-server-support-pac4j-webflow/src/main/java/org/apereo/cas/web/flow/Pac4jInitialFlowSetupAction.java:38: error: cannot find symbol
                                  final CookieRetrievingCookieGenerator warnCookieGenerator,
                                        ^

:support:cas-server-support-pac4j-webflow:compileJava FAILED
  symbol:   class CookieRetrievingCookieGenerator
  location: class Pac4jInitialFlowSetupAction
9 errors
:autoLintGradle

@mmoayyed mmoayyed removed this from the 5.2.3 milestone Mar 3, 2018
@leleuj
Contributor

leleuj commented Mar 29, 2018

@cifren what's the status of this PR (and the one for the master)? I guess you just miss some dependencies to make the build pass. Did you test it?

@cifren
Contributor Author

cifren commented Mar 30, 2018

I didn't take the time to do it and I went traveling... I'll take care of it in the next days

@leleuj
Contributor

leleuj commented Mar 30, 2018

Excellent! Keep me posted if you need some additional help with testing.

@cifren
Contributor Author

cifren commented Mar 30, 2018

Yes tell me how to test it ? How should I do ?

On my part, I use the gradle overlay, I test all my files by putting them into src. After that I have copied one by one those files into the repository apereo/cas, for me everything was good. I suppose that is not the way I should process... Must I generate a war from that modified apereo/cas and copy it over the overlay ?

@leleuj
Contributor

leleuj commented Mar 30, 2018

It depends a bit on the changes: for limited changes, I generally copy/paste the CAS classes in my overlay to change them and test things quickly. Then, I copy the changes into the CAS sources. It seems it's what you do.

Or for more global changes, I make the changes in the CAS source code, rebuild and install only the necessary modules, rebuild my overlay (based on the related SNAPSHOT) and test the changes.

@cifren
Contributor Author

cifren commented Mar 31, 2018

If I only copy the files how can I test like @mmoayyed does ?

How would you "rebuild and install only the necessary modules" in CAS project ?

@cifren
Contributor Author

cifren commented Apr 1, 2018

Ok never mind the last question, I cloned CAS project and I ran "./gradlew -q :support:cas-server-support-pac4j-authentication:build" and gave me the jar

Is it working now ?

@leleuj
Contributor

leleuj commented Apr 2, 2018

By "rebuild and install", I mean "./gradlew clean build install -p module", with "-p" to just build a module and not the whole project which takes too much time.

So here is the process for big changes (like this one):

  1. rebuild the CAS source, only the necessary modules
  2. rebuild the CAS overlay pointing to the SNAPSHOT source version
  3. run the CAS overlay and test.

Is it clear now?

@cifren
Contributor Author

cifren commented Apr 3, 2018

Yes thank you very much for this explanation, the solution I found kind of did the same. I could not make the overlay work with my solution, but it should be ok, the compilation worked.

@mmoayyed
Member

mmoayyed commented Apr 3, 2018

@leleuj
Contributor

leleuj commented Apr 4, 2018

Your test should go further than just "the compilation worked", but I guess you test the change in some CAS overlay, don't you?

@mmoayyed mmoayyed added Pending and removed Pending labels Apr 11, 2018
@stale stale bot closed this Apr 18, 2018
@cifren
Contributor Author

cifren commented May 2, 2018

Sorry, it took me a while to get time to work on it.

I made it perfect (as much as I could)

I ran the checkstyle, javadoc and created a jar that I sent to an overlay and all is working fine !!

Is it good on your part ?

@leleuj
Contributor

leleuj commented May 2, 2018

This looks good to me.

@mmoayyed is this ok for you or do you want me to do an additional test?

@cifren are the changes for the master branch ready as well?

@mmoayyed
Member

mmoayyed commented May 2, 2018

re-open the pull request please, merge with 5.2.x and get the build to pass. repeat the same exact exercise for master. Happy to merge then. (We should try to merge both at the same time to avoid feature imbalance)

@mmoayyed
Member

mmoayyed commented May 2, 2018

@leleuj speaking of which btw, a couple of oauth-related tests are failing in 5.2.x as a result of the last change done to scope redirect urls to codes, etc. Would you mind taking a look, and fixing those?

@leleuj
Contributor

leleuj commented May 2, 2018

@mmoayyed Sure, I'll do that on Friday. I'll certainly cut the pac4j v3 release as well, I know you were expecting it very soon...

@mmoayyed
Member

mmoayyed commented May 2, 2018

Excellent. We have been banging on RC1 for a while with no issues yet and have several projects running on CAS 5.3 RC4 which includes that as well. Thanks for the notice. Look forward to the final release.

I might selfishly ask that you cut an RC2 first so that we can test any upcoming changes and then align the final release of pac4j with CAS 5.3. But, of course, do whatever makes better sense.

@cifren
Contributor Author

cifren commented May 2, 2018

How to re-open the pull request ? Should I create a new one ?

I did a git rebase 5.2.x is it good ?

@leleuj
Contributor

leleuj commented May 3, 2018

@mmoayyed I have no issue to cut a RC2. We have had a few changes on SAML, Twitter... I can release the RC2 tomorrow: is this ok for you?

@cifren you should have a "Reopen and comment" button at the bottom of the page...

@mmoayyed
Member

mmoayyed commented May 3, 2018

Yes, that is perfect. Thank you.

@cifren
Contributor Author

cifren commented May 3, 2018

I don't have the "Reopen and comment" button, I am not sure why

@mmoayyed
Member

mmoayyed commented May 3, 2018

You may want to start a new pull request. It looks like the underlying branch was either force-pushed or recreated somehow.

@cifren
Contributor Author

cifren commented May 3, 2018

See #3293
