Re: [cas-user] Re: CAS 5.3.9 Access Strategy Groovy script

Fri, 24 May 2019 08:57:31 -0700 

Debian,

When you say 'access is denied', is that a message that CAS is displaying or is 
that your service (admusers.properties sounds like your service)?

Check CAS logs to see what is happening (you may need to add logging to you 
custom code).

Ray

On Fri, 2019-05-24 at 00:01 -0700, Debian HNT wrote:
Hello Ray,

Thanks for your answer, the conf seems to be ok, I can access to the log in 
page of the service but when I try to connect with my ID, the access is denied.
Before using groovy script I was able to access the service... I've checked my 
admusers.properties and my account is set to ROLE_ADMIN

The boolean isServiceAccessAllowed is "return true"

class GroovyRegisteredAccessStrategy extends 
DefaultRegisteredServiceAccessStrategy {
    @Override
    boolean isServiceAccessAllowed() {
            return true
    }

Thanks in advance

Debian,

Skip the for loop. If you know the attribute key, check it directly (sorry 
about the use of map in my previous example):

if ('Active' == attributes.get('udlAccountStatus'))


Also, from a programming perspective, entrySet returns a Set<Map.Entry<String, 
Object>>.

Ray

On Thu, 2019-05-23 at 06:59 -0700, Debian HNT wrote:
Ray,

Excuse me for the inconvenience but I still have errors...

I've tried your syntax

import org.apereo.cas.services.*
import java.util.*

class GroovyRegisteredAccessStrategy extends 
DefaultRegisteredServiceAccessStrategy {
    @Override
    boolean isServiceAccessAllowed() {
            return true
    }

    @Override
    boolean isServiceAccessAllowedForSso() {
            return true
    }

    @Override
    boolean doPrincipalAttributesAllowServiceAccess(String principal, 
Map<String, Object> attributes) {
        for (Map.Entry<String, Object> entry : attributes.entrySet()){
                if ('Active' == map.get('udlAccountStatus')) {return true}
                else
                {return false}
        }
    }

}

I have this error
2019-05-23 15:46:04,201 WARN 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
 - <No such property: map for class: GroovyRegisteredAccessStrategy>
groovy.lang.MissingPropertyException: No such property: map for class: 
GroovyRegisteredAccessStrategy

I've tried this
    @Override
    boolean doPrincipalAttributesAllowServiceAccess(String principal, 
Map<String, Object> attributes) {
        for (Map.Entry<String, Object> entry : attributes.entrySet()){
                if ('Active' == entry.getKey('udlAccountStatus')) {return true}
                else
                {return false}
        }
    }

}
but I have this error
2019-05-23 15:38:52,086 WARN 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
 - <No signature of method: java.util.LinkedHashMap$Entry.getKey() is 
applicable for argument types: (java.lang.String) values: [udlAccountStatus]
Possible solutions: getKey(), getAt(java.lang.String), notify(), grep(), 
every(), every(groovy.lang.Closure)>

When I try to use the Possible solutions with getKey()
    @Override
    boolean doPrincipalAttributesAllowServiceAccess(String principal, 
Map<String, Object> attributes) {
        for (Map.Entry<String, Object> entry : attributes.entrySet()){
                if ('Active' == getKey('udlAccountStatus')) {return true}
                else
                {return false}
        }
    }

}
I have this error

2019-05-23 15:45:03,124 WARN 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
 - <No signature of method: GroovyRegisteredAccessStrategy.getKey() is 
applicable for argument types: (java.lang.String) values: [udlAccountStatus]
Possible solutions: getAt(java.lang.String), notify(), getOrder(), grep(), 
every(), every(groovy.lang.Closure)>


any suggestions?

Thanks in advance...

Debian,

I should have looked closer at your method logic.
>From the method name I suspect that method checks an attribute to determine 
>service access. This is what you originally proposed 'attribute = Active'.

You will need to know what attributes you have. You can add logging to the 
method or increase logging in general:

        <!-- DEBUG Found principal attributes [...] for [username]
                   Attribute policy [???] allows release of [...] for [username]
                   Final collection of attributes allowed are: [...] -->
        <AsyncLogger 
name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" 
level="debug"/>

I also have this in my logging config:

        <!-- DEBUG Skipping access strategy policy - when no attributes rules 
are defined
                   These required attributes [...] are examined against [...] 
before service can proceed - when attrubutes are defined   -->
        <AsyncLogger 
name="org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy" 
level="warn"/>

Because CAS can perform the access / deny part of your requirements. Service 
configuration can set an attribute and a value that a user must have to allow 
access.
Since you are trying to modify the redirect URL (you have a third option), you 
might have to modify the web flow.

In general, for your method you will have a check like this

if ('Active' == map.get('attribute')) {return true}

Ray

On Wed, 2019-05-22 at 00:49 -0700, Debian HNT wrote:
Ray,
Thanks for your answer!

I've changed the variable to attributes but it doesnt repair the issue.
I dont understand how to set principal to my attribute : account and how to 
configure the map to active/blocked/waiting?
I'm not sure if I cleary understand the function...

Thank u in advance...


Debian,

In doPrincipal..., you are using a variable called 'map' but the variable is 
'attributes'.

Ray

On Tue, 2019-05-21 at 02:22 -0700, Debian HNT wrote:
Hello guys,

I'm still trying to configure a groovy script for access strategy but I have 
some errors

Here's my access-strategy.groovy


import org.apereo.cas.services.*
import java.util.*

class GroovyRegisteredAccessStrategy extends 
DefaultRegisteredServiceAccessStrategy {
    @Override
    boolean isServiceAccessAllowed() {
            return true
    }

    @Override
    boolean isServiceAccessAllowedForSso() {
            return true
    }

    @Override
    boolean doPrincipalAttributesAllowServiceAccess(String principal, 
Map<String, Object> attributes) {
    for (Map.Entry<String, Object> entry : map.entrySet()){
                if (entry.getKey().equals(principal)){
                        return true
                }
        }
        return false
    }
    }

    @Override
    java.net.URI getUnauthorizedRedirectUrl(){
    return "https://blocked-acc.html";
    }
}




org.springframework.webflow.

execution.

ActionExecutionException: Exception thrown executing 
org.apereo.cas.web.flow.login.

InitialFlowSetupAction@

2357e4bc in state 'null' of flow 'login' -- action execution attributes were 
'map[[empty]]'


Caused by: java.lang.NullPointerException

        at org.apereo.cas.services.

GroovyRegisteredServiceAccessS

trategy.

isServiceAccessAllowed(

GroovyRegisteredServiceAccessS

trategy.java:49)

        at org.apereo.cas.web.flow.login.

InitialFlowSetupAction.

configureWebflowContextForServ

ice(InitialFlowSetupAction.

java:62)

        at org.apereo.cas.web.flow.login.

InitialFlowSetupAction.

doExecute(

InitialFlowSetupAction.java:

51)

        at org.springframework.webflow.

action.AbstractAction.execute(

AbstractAction.java:188)

        at sun.reflect.

GeneratedMethodAccessor447.

invoke(Unknown Source)

        at sun.reflect.

DelegatingMethodAccessorImpl.

invoke(

DelegatingMethodAccessorImpl.

java:43)

        at java.lang.reflect.Method.

invoke(Method.java:498)

        at org.springframework.util.

ReflectionUtils.invokeMethod(

ReflectionUtils.java:216)

        at org.springframework.cloud.

context.scope.GenericScope$

LockedScopedProxyFactoryBean.

invoke(GenericScope.java:470)

        at org.springframework.aop.

framework.

ReflectiveMethodInvocation.

proceed(

ReflectiveMethodInvocation.

java:179)

        at org.springframework.aop.

framework.JdkDynamicAopProxy.

invoke(JdkDynamicAopProxy.

java:213)

        at com.sun.proxy.$Proxy376.

execute(Unknown Source)

        at org.springframework.webflow.

execution.ActionExecutor.

execute(ActionExecutor.java:

51)

        ... 100 more



I'd like to set some attributes required and redirection url.

For example if the account attribute = Active, i'll be able to join the service

but

if the account attribute = blocked, i'll be redirect to 
https://blocked-acc.html<https://blocked.acc.html>

or

if the account attribute = waiting, i'll be redirect to 
https://waiting-acc/html<https://waiting.acc/html>

I'm new to groovy and I dont understand the issue, May I have some help pls?

Regards,

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]<javascript:>

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f066129074fc33e1a24ce6e3e150ab56b5d8bd0b.camel%40uvic.ca.

Reply via email to