Hi again, I don't think I'm returning the right type... The return type should be java net uri right? If yes I should use Use.parse() to convert string to uri right?
Thanks in advance,

> Hi Ray,
>
> It's a message that CAS is displaying "Service access denied due to
> missing privileges."
>
> Here's the log:
>
> 2019-05-27 08:23:02,532 WARN
> [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot
> grant access to service [https://castete.univ.com/cas/status/dashboard]
> because it is not authorized for use by [student1.stu].>
> 2019-05-27 08:23:02,533 INFO
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
> trail record BEGIN
> =============================================================
> WHO: student1.stu
> WHAT: [result=Service Access Denied,service=
> https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=student1.stu,
> attributes={udlAccountStatus=[Active],
> supannAliasLogin=[student1.stu]}),requiredAttributes={}]
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Mon May 27 08:23:02 CEST 2019
>
> I've tried to add getUnauthorizedRedirectUrl
>
> @Override
> java.net.URI getUnauthorizedRedirectUrl() {
>     return 'https://castete.univ.com/blocked.html'
> }
>
> but CAS returns this error
>
> Caused by: org.codehaus.groovy.runtime.typehandling.GroovyCastException:
> Cannot cast object 'https://castete.univ.com/blocked.html' with class
> 'java.lang.String' to class 'java.net.URI'
>
> Thank you for your time.
>
>> Debian,
>>
>> When you say 'access is denied', is that a message that CAS is displaying
>> or is that your service (admusers.properties sounds like your service)?
>>
>> Check CAS logs to see what is happening (you may need to add logging to
>> your custom code).
>>
>> Ray
>>
>> On Fri, 2019-05-24 at 00:01 -0700, Debian HNT wrote:
>>
>> Hello Ray,
>>
>> Thanks for your answer, the conf seems to be ok, I can access the
>> login page of the service but when I try to connect with my ID, the access is
>> denied.
>> Before using groovy script I was able to access the service... I've
>> checked my admusers.properties and my account is set to ROLE_ADMIN
>>
>> The boolean isServiceAccessAllowed is "return true"
>>
>> class GroovyRegisteredAccessStrategy extends
>> DefaultRegisteredServiceAccessStrategy {
>>     @Override
>>     boolean isServiceAccessAllowed() {
>>         return true
>>     }
>>
>> Thanks in advance
>>
>> Debian,
>>
>> Skip the for loop. If you know the attribute key, check it directly
>> (sorry about the use of map in my previous example):
>>
>> if ('Active' == attributes.get('udlAccountStatus'))
>>
>> Also, from a programming perspective, entrySet returns a
>> Set<Map.Entry<String, Object>>.
>>
>> Ray
>>
>> On Thu, 2019-05-23 at 06:59 -0700, Debian HNT wrote:
>>
>> Ray,
>>
>> Excuse me for the inconvenience but I still have errors...
>>
>> I've tried your syntax
>>
>> import org.apereo.cas.services.*
>> import java.util.*
>>
>> class GroovyRegisteredAccessStrategy extends
>> DefaultRegisteredServiceAccessStrategy {
>>     @Override
>>     boolean isServiceAccessAllowed() {
>>         return true
>>     }
>>
>>     @Override
>>     boolean isServiceAccessAllowedForSso() {
>>         return true
>>     }
>>
>>     @Override
>>     boolean doPrincipalAttributesAllowServiceAccess(String principal,
>>     Map<String, Object> attributes) {
>>         for (Map.Entry<String, Object> entry : attributes.entrySet()){
>>             if ('Active' == map.get('udlAccountStatus')) {return true}
>>             else
>>             {return false}
>>         }
>>     }
>>
>> }
>>
>> I have this error
>> 2019-05-23 15:46:04,201 WARN
>> [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
>> - <No such property: map for class: GroovyRegisteredAccessStrategy>
>> groovy.lang.MissingPropertyException: No such property: map for class:
>> GroovyRegisteredAccessStrategy
>>
>> I've tried this
>>     @Override
>>     boolean doPrincipalAttributesAllowServiceAccess(String principal,
>>     Map<String, Object> attributes) {
>>         for (Map.Entry<String, Object> entry : attributes.entrySet()){
>>             if ('Active' == entry.getKey('udlAccountStatus')) {return true}
>>             else
>>             {return false}
>>         }
>>     }
>>
>> }
>> but I have this error
>> 2019-05-23 15:38:52,086 WARN
>> [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
>> - <No signature of method: java.util.LinkedHashMap$Entry.getKey() is
>> applicable for argument types: (java.lang.String) values: [udlAccountStatus]
>> Possible solutions: getKey(), getAt(java.lang.String), notify(), grep(),
>> every(), every(groovy.lang.Closure)>
>>
>> When I try to use the Possible solutions with getKey()
>>     @Override
>>     boolean doPrincipalAttributesAllowServiceAccess(String principal,
>>     Map<String, Object> attributes) {
>>         for (Map.Entry<String, Object> entry : attributes.entrySet()){
>>             if ('Active' == getKey('udlAccountStatus')) {return true}
>>             else
>>             {return false}
>>         }
>>     }
>>
>> }
>> I have this error
>>
>> 2019-05-23 15:45:03,124 WARN
>> [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
>> - <No signature of method: GroovyRegisteredAccessStrategy.getKey() is
>> applicable for argument types: (java.lang.String) values: [udlAccountStatus]
>> Possible solutions: getAt(java.lang.String), notify(), getOrder(),
>> grep(), every(), every(groovy.lang.Closure)>
>>
>> Any suggestions?
>>
>> Thanks in advance...
>>
>> Debian,
>>
>> I should have looked closer at your method logic.
>> From the method name I suspect that method checks an attribute to
>> determine service access. This is what you originally proposed 'attribute =
>> Active'.
>>
>> You will need to know what attributes you have. You can add logging to
>> the method or increase logging in general:
>>
>> <!-- DEBUG Found principal attributes [...] for [username]
>>      Attribute policy [???] allows release of [...] for [username]
>>      Final collection of attributes allowed are: [...] -->
>> <AsyncLogger
>> name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy"
>> level="debug"/>
>>
>> I also have this in my logging config:
>>
>> <!-- DEBUG Skipping access strategy policy - when no attributes
>>      rules are defined
>>      These required attributes [...] are examined against
>>      [...] before service can proceed - when attributes are defined -->
>> <AsyncLogger
>> name="org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy"
>> level="warn"/>
>>
>> Because CAS can perform the access / deny part of your requirements.
>> Service configuration can set an attribute and a value that a user must
>> have to allow access.
>> Since you are trying to modify the redirect URL (you have a third
>> option), you might have to modify the web flow.
>>
>> In general, for your method you will have a check like this
>>
>> if ('Active' == map.get('attribute')) {return true}
>>
>> Ray
>>
>> On Wed, 2019-05-22 at 00:49 -0700, Debian HNT wrote:
>>
>> Ray,
>> Thanks for your answer!
>>
>> I've changed the variable to attributes but it doesn't repair the issue.
>> I don't understand how to set principal to my attribute : account and how
>> to configure the map to active/blocked/waiting?
>> I'm not sure if I clearly understand the function...
>>
>> Thank you in advance...
>>
>> Debian,
>>
>> In doPrincipal..., you are using a variable called 'map' but the variable
>> is 'attributes'.
>>
>> Ray
>>
>> On Tue, 2019-05-21 at 02:22 -0700, Debian HNT wrote:
>>
>> Hello guys,
>>
>> I'm still trying to configure a groovy script for access strategy but I
>> have some errors
>>
>> Here's my access-strategy.groovy
>>
>> import org.apereo.cas.services.*
>> import java.util.*
>>
>> class GroovyRegisteredAccessStrategy extends
>> DefaultRegisteredServiceAccessStrategy {
>>     @Override
>>     boolean isServiceAccessAllowed() {
>>         return true
>>     }
>>
>>     @Override
>>     boolean isServiceAccessAllowedForSso() {
>>         return true
>>     }
>>
>>     @Override
>>     boolean doPrincipalAttributesAllowServiceAccess(String principal,
>>     Map<String, Object> attributes) {
>>         for (Map.Entry<String, Object> entry : map.entrySet()){
>>             if (entry.getKey().equals(principal)){
>>                 return true
>>             }
>>         }
>>         return false
>>     }
>> }
>>
>> @Override
>> java.net.URI getUnauthorizedRedirectUrl(){
>>     return "https://blocked-acc.html"
>> }
>> }
>>
>> org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing
>> org.apereo.cas.web.flow.login.InitialFlowSetupAction@2357e4bc in state 'null' of flow 'login' -- action execution attributes were 'map[[empty]]'
>>
>> Caused by: java.lang.NullPointerException
>>     at org.apereo.cas.services.GroovyRegisteredServiceAccessStrategy.isServiceAccessAllowed(GroovyRegisteredServiceAccessStrategy.java:49)
>>     at org.apereo.cas.web.flow.login.InitialFlowSetupAction.configureWebflowContextForService(InitialFlowSetupAction.java:62)
>>     at org.apereo.cas.web.flow.login.InitialFlowSetupAction.doExecute(InitialFlowSetupAction.java:51)
>>     at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>     at sun.reflect.GeneratedMethodAccessor447.invoke(Unknown Source)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>     at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:216)
>>     at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:470)
>>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
>>     at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
>>     at com.sun.proxy.$Proxy376.execute(Unknown Source)
>>     at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>     ... 100 more
>>
>> I'd like to set some attributes required and redirection url.
>>
>> For example if the account attribute = Active, I'll be able to join the
>> service
>>
>> but
>>
>> if the account attribute = blocked, I'll be redirected to
>> https://blocked-acc.html <https://blocked.acc.html>
>>
>> or
>>
>> if the account attribute = waiting, I'll be redirected to
>> https://waiting-acc/html <https://waiting.acc/html>
>>
>> I'm new to groovy and I don't understand the issue, May I have some help
>> pls?
>>
>> Regards,
>>
>> --
>> Ray Bon
>> Programmer Analyst
>> Development Services, University Systems
>> 2507218831 | CLE 019 | [email protected]
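
The two type issues visible in this thread, shown as an added example that is not part of any message above and is not CAS or project code: the GroovyCastException comes from returning a String where java.net.URI is declared, and the audit record prints udlAccountStatus=[Active], a list, which a plain string comparison does not match. StrategySketch is a hypothetical stand-in that reuses the thread's method names without extending DefaultRegisteredServiceAccessStrategy, so it runs in plain Groovy; the attribute maps are constructed samples modelled on the audit record.

```groovy
import java.net.URI

// Hypothetical stand-in for the class in the thread (assumption: same
// method names and signatures, but no CAS classes on the classpath).
class StrategySketch {

    // The declared return type is java.net.URI, and Groovy does not
    // cast a String to URI on return. Construct the URI explicitly.
    URI getUnauthorizedRedirectUrl() {
        new URI('https://castete.univ.com/blocked.html')
    }

    // Fail closed: a null map, a missing key, or any value other than
    // 'Active' denies access. Accepts a single value or a collection.
    boolean doPrincipalAttributesAllowServiceAccess(String principal,
                                                    Map<String, Object> attributes) {
        def raw = attributes?.get('udlAccountStatus')
        def values = raw instanceof Collection ? raw : [raw]
        values.any { 'Active' == it?.toString() }
    }
}

def strategy = new StrategySketch()

// Constructed sample shaped like the audit record in the thread:
// attributes={udlAccountStatus=[Active], supannAliasLogin=[student1.stu]}
def active = [udlAccountStatus: ['Active'], supannAliasLogin: ['student1.stu']]
def blocked = [udlAccountStatus: ['blocked']]   // constructed value

// Comparing the string to the list itself is false, with no exception.
assert !('Active' == active.get('udlAccountStatus'))

// Checking membership handles the list-valued attribute.
assert strategy.doPrincipalAttributesAllowServiceAccess('student1.stu', active)
assert !strategy.doPrincipalAttributesAllowServiceAccess('student1.stu', blocked)

// Missing attribute or missing map denies instead of throwing.
assert !strategy.doPrincipalAttributesAllowServiceAccess('student1.stu', [:])
assert !strategy.doPrincipalAttributesAllowServiceAccess('student1.stu', null)

// The redirect is a real URI, so no cast is attempted at return.
assert strategy.getUnauthorizedRedirectUrl() instanceof URI
assert strategy.getUnauthorizedRedirectUrl().host == 'castete.univ.com'
```

The method takes no arguments in the thread, so this sketch returns one fixed redirect; choosing a different page per account status is not something this method signature can express.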
