Hi Ray,

It is a message that CAS is displaying "Service access denied due to 
missing privileges."


Here are the logs:

2019-05-27 13:02:15,646 WARN 
[org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - 
<Unauthorized service access for principal; CAS will be redirecting to [
https://castete.univ.com/aide/blocked.html]>
2019-05-27 13:02:53,173 WARN 
[org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot 
grant access to service [https://castete.univ.com/cas/status/dashboard] 
because it is not authorized for use by [student.stu].>
2019-05-27 13:02:53,174 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Denied,service=
https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=student.stu, 
attributes={udlAccountStatus=[Active], supannAliasLogin=[student.stu
]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Mon May 27 13:02:53 CEST 2019

I feel like the code doesn't work; I don't understand what the "String 
principal" is.

thanks for your time,
>
> Debian,
>
> When you say 'access is denied', is that a message that CAS is displaying 
> or is that your service (admusers.properties sounds like your service)?
>
> Check CAS logs to see what is happening (you may need to add logging to 
> your custom code).
>
> Ray
>
> On Fri, 2019-05-24 at 00:01 -0700, Debian HNT wrote:
>
> Hello Ray,
>
> Thanks for your answer, the conf seems to be ok, I can access the login 
> page of the service, but when I try to connect with my ID, the access is 
> denied. 
> Before using groovy script I was able to access the service... I've 
> checked my admusers.properties and my account is set to ROLE_ADMIN
>
> The boolean isServiceAccessAllowed is "return true"
>
> class GroovyRegisteredAccessStrategy extends 
> DefaultRegisteredServiceAccessStrategy {
>     @Override
>     boolean isServiceAccessAllowed() {
>             return true
>     }
>
> Thanks in advance
>
> Debian,
>
> Skip the for loop. If you know the attribute key, check it directly (sorry 
> about the use of map in my previous example):
>
> if ('Active' == attributes.get('udlAccountStatus'))
>
>
> Also, from a programming perspective, entrySet returns a 
> Set<Map.Entry<String, Object>>.
>
> Ray
>
> On Thu, 2019-05-23 at 06:59 -0700, Debian HNT wrote:
>
> Ray,
>
> Excuse me for the inconvenience but I still have errors... 
>
> I've tried your syntax 
>
> import org.apereo.cas.services.*
> import java.util.*
>
> class GroovyRegisteredAccessStrategy extends 
> DefaultRegisteredServiceAccessStrategy {
>     @Override
>     boolean isServiceAccessAllowed() {
>             return true
>     }
>
>     @Override
>     boolean isServiceAccessAllowedForSso() {
>             return true
>     }
>
>     @Override
>     boolean doPrincipalAttributesAllowServiceAccess(String principal, 
> Map<String, Object> attributes) {
>         for (Map.Entry<String, Object> entry : attributes.entrySet()){
>                 if ('Active' == map.get('udlAccountStatus')) {return true}
>                 else
>                 {return false}
>         }
>     }
>
> }
>
> I have this error 
> 2019-05-23 15:46:04,201 WARN 
> [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
>  
> - <No such property: map for class: GroovyRegisteredAccessStrategy>
> groovy.lang.MissingPropertyException: No such property: map for class: 
> GroovyRegisteredAccessStrategy
>
> I've tried this 
>     @Override
>     boolean doPrincipalAttributesAllowServiceAccess(String principal, 
> Map<String, Object> attributes) {
>         for (Map.Entry<String, Object> entry : attributes.entrySet()){
>                 if ('Active' == entry.getKey('udlAccountStatus')) {return 
> true}
>                 else
>                 {return false}
>         }
>     }
>
> }
> but I have this error
> 2019-05-23 15:38:52,086 WARN 
> [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
>  
> - <No signature of method: java.util.LinkedHashMap$Entry.getKey() is 
> applicable for argument types: (java.lang.String) values: [udlAccountStatus]
> Possible solutions: getKey(), getAt(java.lang.String), notify(), grep(), 
> every(), every(groovy.lang.Closure)>
>
> When I try to use the Possible solutions with getKey() 
>     @Override
>     boolean doPrincipalAttributesAllowServiceAccess(String principal, 
> Map<String, Object> attributes) {
>         for (Map.Entry<String, Object> entry : attributes.entrySet()){
>                 if ('Active' == getKey('udlAccountStatus')) {return true}
>                 else
>                 {return false}
>         }
>     }
>
> }
> I have this error
>
> 2019-05-23 15:45:03,124 WARN 
> [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
>  
> - <No signature of method: GroovyRegisteredAccessStrategy.getKey() is 
> applicable for argument types: (java.lang.String) values: [udlAccountStatus]
> Possible solutions: getAt(java.lang.String), notify(), getOrder(), grep(), 
> every(), every(groovy.lang.Closure)>
>
>
> any suggestions? 
>
> Thanks in advance...
>
> Debian,
>
> I should have looked closer at your method logic.
> From the method name I suspect that method checks an attribute to 
> determine service access. This is what you originally proposed 'attribute = 
> Active'.
>
> You will need to know what attributes you have. You can add logging to the 
> method or increase logging in general:
>
>         <!-- DEBUG Found principal attributes [...] for [username]
>                    Attribute policy [???] allows release of [...] for [username]
>                    Final collection of attributes allowed are: [...] -->
>         <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>
>
> I also have this in my logging config:
>
>         <!-- DEBUG Skipping access strategy policy - when no attributes rules are defined
>                    These required attributes [...] are examined against [...] before service can proceed - when attributes are defined   -->
>         <AsyncLogger name="org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy" level="warn"/>
>
> Because CAS can perform the access / deny part of your requirements. 
> Service configuration can set an attribute and a value that a user must 
> have to allow access.
> Since you are trying to modify the redirect URL (you have a third option), 
> you might have to modify the web flow. 
>
> In general, for your method you will have a check like this
>
> if ('Active' == map.get('attribute')) {return true}
>
> Ray
>
> On Wed, 2019-05-22 at 00:49 -0700, Debian HNT wrote:
>
> Ray,
> Thanks for your answer!
>
> I've changed the variable to attributes but it doesn't repair the issue.
> I don't understand how to set principal to my attribute : account and how 
> to configure the map to active/blocked/waiting? 
> I'm not sure if I clearly understand the function...
>
> Thank you in advance... 
>
>
> Debian,
>
> In doPrincipal..., you are using a variable called 'map' but the variable 
> is 'attributes'.
>
> Ray
>
> On Tue, 2019-05-21 at 02:22 -0700, Debian HNT wrote:
>
> Hello guys,
>
> I'm still trying to configure a groovy script for access strategy but I 
> have some errors
>
> Here's my access-strategy.groovy
>
>
> import org.apereo.cas.services.*
> import java.util.*
>
> class GroovyRegisteredAccessStrategy extends 
> DefaultRegisteredServiceAccessStrategy {
>     @Override
>     boolean isServiceAccessAllowed() {
>             return true
>     }
>
>     @Override
>     boolean isServiceAccessAllowedForSso() {
>             return true
>     }
>
>     @Override
>     boolean doPrincipalAttributesAllowServiceAccess(String principal, 
> Map<String, Object> attributes) {
>     for (Map.Entry<String, Object> entry : map.entrySet()){
>                 if (entry.getKey().equals(principal)){
>                         return true
>                 }
>         }
>         return false
>     }
>     }
>
>     @Override
>     java.net.URI getUnauthorizedRedirectUrl(){
>     return "https://blocked-acc.html";
>     }
> }
>
>
>
> org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.login.InitialFlowSetupAction@2357e4bc in state 'null' of flow 'login' -- action execution attributes were 'map[[empty]]'
>
> Caused by: java.lang.NullPointerException
>       at org.apereo.cas.services.GroovyRegisteredServiceAccessStrategy.isServiceAccessAllowed(GroovyRegisteredServiceAccessStrategy.java:49)
>       at org.apereo.cas.web.flow.login.InitialFlowSetupAction.configureWebflowContextForService(InitialFlowSetupAction.java:62)
>       at org.apereo.cas.web.flow.login.InitialFlowSetupAction.doExecute(InitialFlowSetupAction.java:51)
>       at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>       at sun.reflect.GeneratedMethodAccessor447.invoke(Unknown Source)
>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>       at java.lang.reflect.Method.invoke(Method.java:498)
>       at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:216)
>       at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:470)
>       at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
>       at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
>       at com.sun.proxy.$Proxy376.execute(Unknown Source)
>       at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>       ... 100 more
>
>
>
>
> I'd like to set some attributes required and redirection url. 
>
> For example if the account attribute = Active, I'll be able to join the 
> service
>
> but 
>
> if the account attribute = blocked, I'll be redirected to 
> https://blocked-acc.html 
>
> or 
>
> if the account attribute = waiting, I'll be redirected to 
> https://waiting-acc/html
>
> I'm new to groovy and I don't understand the issue. May I have some help 
> please? 
>
> Regards,
>
> -- 
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
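
Added example, not part of the original thread and not CAS project code: the audit record above prints the principal's attributes as `udlAccountStatus=[Active]`, which suggests each value is a collection rather than a plain string, in which case a direct `'Active' == attributes.get('udlAccountStatus')` comparison is false and access is denied. The sketch is plain Groovy with no CAS classes; the helper name `attributeHasValue` is hypothetical, and the sample map is constructed from that log line.

```groovy
// Constructed sample input mirroring the audit record in the log above.
// Assumption: attribute values arrive as collections, as "[Active]" suggests.
Map<String, Object> attributes = [
    udlAccountStatus: ['Active'],
    supannAliasLogin: ['student.stu']
]

/**
 * Hypothetical helper: true when attribute `key` holds `expected`, whether
 * the stored value is a single object or a collection of values.
 * A missing map, missing key or null value denies (fail closed).
 */
boolean attributeHasValue(Map<String, Object> attrs, String key, String expected) {
    if (attrs == null) { return false }
    def value = attrs.get(key)
    if (value == null) { return false }
    if (value instanceof Collection) {
        return value.any { it != null && it.toString() == expected }
    }
    return value.toString() == expected
}

// The direct comparison from the thread: a String never equals a List.
assert !('Active' == attributes.get('udlAccountStatus'))

// Collection-aware check on the same input.
assert attributeHasValue(attributes, 'udlAccountStatus', 'Active')
assert !attributeHasValue(attributes, 'udlAccountStatus', 'blocked')

// Single-valued attributes are handled too.
assert attributeHasValue([udlAccountStatus: 'Active'], 'udlAccountStatus', 'Active')

// Fail-closed cases: absent attribute, null value, or no attribute map at all.
assert !attributeHasValue(attributes, 'missingAttribute', 'Active')
assert !attributeHasValue([udlAccountStatus: null], 'udlAccountStatus', 'Active')
assert !attributeHasValue(null, 'udlAccountStatus', 'Active')

println 'all checks passed'
```

Inside the `doPrincipalAttributesAllowServiceAccess` override from the thread, the body would reduce to `return attributeHasValue(attributes, 'udlAccountStatus', 'Active')`, with no loop over `entrySet()`. The `String principal` argument is presumably the principal's id (`student.stu` in the audit record) and is not needed for an attribute check.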

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/07d45449-166b-4a4b-b0a2-370ce4386be9%40apereo.org.
