I’m not sure that’s possible. 
One other option would be for you to implement Inspektr’s audit log at that 
audit point and contribute back to CAS project :-)
D.

On Fri, Feb 9, 2018 at 11:38 AM -0500, "crdaudt" <crda...@taylor.edu> wrote:

Thanks for the quick response Dmitriy.

As a workaround, might it be possible for me to replace the following:

    "unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/",

...with something like the following:

    "unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/?service=junktest.com&username=%sAMAccountName%",

...where %sAMAccountName% could be a variable replaced with the username of the user who is denied access?
If there is a way for me to grab and use the value of the username, the tomcat access log would capture the denied attempt for me.

Carl

On Friday, February 9, 2018 at 10:06:44 AM UTC-5, Dmitriy Kopylenko wrote:

The short answer is - there is currently no audit trail advice woven at the audit point you are after.

Best,
D.

From: crdaudt <crd...@taylor.edu>
Reply: cas-...@apereo.org <cas...@apereo.org>
Date: February 9, 2018 at 10:00:18 AM
To: CAS Community <cas...@apereo.org>
Subject: Re: [cas-user] how do I capture audit log trail for unauthorized users who are denied access to a service in an accessStrategy configuration of one of my JSON files?

Yes, the configuration is there in log4j2 but the audit log is only providing entries for users who are authorized, not for those who are denied access.

I am attaching an annotated copy of my cas_audit.log, and also copies of my service's JSON file and log4j2.xml file.

My goals:

- To log attempts of a user to gain a service ticket, both when the user is authorized (and therefore successful) and when the user is unauthorized (and therefore denied access).
- To keep the log verbosity reasonably trim (I do not want to set debug for the entire log).

On Thursday, February 8, 2018 at 4:35:22 PM UTC-5, rbon wrote:

Carl,

This already should be in log4j2:

        <!-- Log audit to all root appenders, and also to audit log (additivity is not false) -->
        <AsyncLogger name="org.apereo.inspektr.audit.support" level="info" includeLocation="true" >
            <AppenderRef ref="casAudit"/>
            <AppenderRef ref="syslog"/>
        </AsyncLogger>

Ray

On Thu, 2018-02-08 at 13:06 -0800, crdaudt wrote:

For one of my services, I have the following accessStrategy defined in my JSON file:

---begin---
  "accessStrategy" :
  {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/",
    "requireAllAttributes" : false,
    "ssoEnabled" : true,
    "requiredAttributes" :
    {
      "@class" : "java.util.HashMap",
      "memberOf" : [ "java.util.HashSet",
        [ "CN=some_cn,OU=some_subgroup,OU=some_group,DC=my_subdomain,DC=my_domain,DC=edu",
          "CN=some_other_cn,OU=some_subgroup,OU=some_group,DC=my_subdomain,DC=mydomain,DC=edu" ] ]
    }
  }
---end---

This works nicely to redirect unauthorized users who do not belong to either of the memberOf AD groups. However, the default log settings in log4j2.xml do not provide any indication that an unauthorized user attempted to obtain a service ticket.

How can I set up my CAS (v5.2.2) instance to log failed attempts by unauthorized users to obtain a service ticket?

Carl

-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4b2b2c3f-34c2-4c8a-acf3-8bc5a9a34e98%40apereo.org.
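As an added example that is not part of this thread and not CAS's own code: a small Python model of the accessStrategy decision quoted above that emits one audit record for both the granted and the denied outcome, the gap Carl describes for CAS 5.2.2. The all-vs-any reading of requireAllAttributes, the audit record fields, the logger name and the placeholder DNs are assumptions of this example, not CAS behaviour confirmed by the thread.

```python
import json
import logging
from datetime import datetime, timezone

def unwrap(node):
    """Strip Jackson type hints from CAS service JSON ("@class" keys, ["java.util.HashSet", [...]])."""
    if isinstance(node, dict):
        return {k: unwrap(v) for k, v in node.items() if k != "@class"}
    if isinstance(node, list):
        if len(node) == 2 and isinstance(node[1], list) and str(node[0]).startswith("java.util."):
            node = node[1]  # ["java.util.HashSet", [...]] -> [...]
        return [unwrap(v) for v in node]
    return node

# Constructed sample in the shape of the thread's accessStrategy; the DNs are placeholders.
ACCESS_STRATEGY = unwrap(json.loads('''{
  "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
  "enabled" : true, "requireAllAttributes" : false,
  "requiredAttributes" : {
    "@class" : "java.util.HashMap", "memberOf" : [ "java.util.HashSet", [
      "CN=some_cn,OU=some_group,DC=example,DC=edu",
      "CN=some_other_cn,OU=some_group,DC=example,DC=edu" ] ]
  }
}'''))

def is_authorized(strategy, principal_attrs):
    """Assumed rule (not taken from CAS source): an attribute matches when the principal
    holds at least one required value; requireAllAttributes picks all-vs-any across them."""
    if not strategy.get("enabled", True):
        return False
    required = strategy.get("requiredAttributes") or {}
    if not required:
        return True
    matched = [bool(set(vals) & set(principal_attrs.get(name, [])))
               for name, vals in required.items()]
    return all(matched) if strategy.get("requireAllAttributes", False) else any(matched)

def audit_service_access(strategy, username, principal_attrs, service):
    """Decide access and emit one audit record for BOTH outcomes; return the record."""
    granted = is_authorized(strategy, principal_attrs)
    record = {"when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
              "who": username, "service": service,
              "action": "SERVICE_ACCESS_GRANTED" if granted else "SERVICE_ACCESS_DENIED"}
    logging.getLogger("service.access.audit").info("%s", json.dumps(record, sort_keys=True))
    return record

if __name__ == "__main__":  # demo: alice (in a required group) is granted, bob is denied
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    audit_service_access(ACCESS_STRATEGY, "alice", {"memberOf": ["CN=some_cn,OU=some_group,DC=example,DC=edu"]}, "https://app.example.edu/")
    audit_service_access(ACCESS_STRATEGY, "bob", {"memberOf": ["CN=unrelated,DC=example,DC=edu"]}, "https://app.example.edu/")
```

Running the module prints two JSON audit lines, one GRANTED and one DENIED, which is the pair of events the thread's default audit configuration only half records.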