The short answer is - there is currently no audit trail advice weaved at the 
audit point you are after.

Best,
D.


From: crdaudt <crda...@taylor.edu>
Reply: cas-user@apereo.org <cas-user@apereo.org>
Date: February 9, 2018 at 10:00:18 AM
To: CAS Community <cas-user@apereo.org>
Subject:  Re: [cas-user] how do I capture audit log trail for unauthorized 
users who are denied access to a service in an accessStrategy configuration of 
one of my JSON files?  

Yes, the configuration is there in log4j2 but the audit log is only providing 
entries for users who are authorized, not for those who are denied access.
I am attaching an annotated copy of my cas_audit.log, and also copies of my 
service's JSON file and log4j2.xml file.

My goals:
To log attempts of a user to gain a service ticket, both when:
the user is authorized (and therefore successful) and,
unauthorized (and therefore denied access).
To keep the log verbosity reasonably trim (I do not want to set debug for the 
entire log)

On Thursday, February 8, 2018 at 4:35:22 PM UTC-5, rbon wrote:
Carl,

This already should be in log4j2:

        <!-- Log audit to all root appenders, and also to audit log (additivity 
is not false) -->
        <AsyncLogger name="org.apereo.inspektr.audit.support" level="info" 
includeLocation="true" >
            <AppenderRef ref="casAudit"/>
            <AppenderRef ref="syslog"/>
        </AsyncLogger>

Ray 

On Thu, 2018-02-08 at 13:06 -0800, crdaudt wrote:
For one of my services, I have the following accessStrategy defined in my JSON 
file:

---begin---
  "accessStrategy" :
  {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/";,
    "requireAllAttributes" : false,
    "ssoEnabled" : true,
    "requiredAttributes" :
    {
      "@class" : "java.util.HashMap",
      "memberOf" : [ "java.util.HashSet", [ 
"CN=some_cn,OU=some_subgroup,OU=some_group,DC=my_subdomain,DC=my_domain,DC=edu","CN=some_other_cn,OU=some_subgroup,OU=some_group,DC=my_subdomain,DC=mydomain,DC=edu"
 ] ]
    }
  }
---end---

This works nicely to redirect unauthorized users who do not belong to either of 
the memberOf AD groups.  However, the default log settings in log4j2.xml do not 
provide any indication that an unauthorized user attempted to obtain a service 
ticket.

How can I set up my CAS (v5.2.2) instance to log failed attempts by 
unauthorized users to obtain a service ticket?

Carl
--  
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4b2b2c3f-34c2-4c8a-acf3-8bc5a9a34e98%40apereo.org.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/etPan.5a7db8fc.33ff2575.946%40unicon.net.

Reply via email to