Debian,
return new URI('https...
Ray
On Sun, 2019-05-26 at 23:57 -0700, Debian HNT wrote:
Hi Ray,
It's a message that CAS is displaying: "Service access denied due to missing
privileges."
Here's the log:
2019-05-27 08:23:02,532 WARN
[org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot grant
access to service [https://castete.univ.com/cas/status/dashboard] because it is
not authorized for use by [student1.stu].>
2019-05-27 08:23:02,533 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
trail record BEGIN
=============================================================
WHO: student1.stu
WHAT: [result=Service Access
Denied,service=https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=student1.stu,
attributes={udlAccountStatus=[Active],
supannAliasLogin=[student1.stu]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Mon May 27 08:23:02 CEST 2019
I've tried to add getUnauthorizedRedirectUrl
@Override
java.net.URI getUnauthorizedRedirectUrl() {
return 'https://castete.univ.com/blocked.html'
}
but CAS returns this error
Caused by: org.codehaus.groovy.runtime.typehandling.GroovyCastException: Cannot
cast object 'https://castete.univ.com/blocked.html' with class
'java.lang.String' to class 'java.net.URI'
Thank you for your time.
Debian,
When you say 'access is denied', is that a message that CAS is displaying or is
that your service (admusers.properties sounds like your service)?
Check CAS logs to see what is happening (you may need to add logging to your
custom code).
Ray
On Fri, 2019-05-24 at 00:01 -0700, Debian HNT wrote:
Hello Ray,
Thanks for your answer. The conf seems to be OK: I can access the login
page of the service, but when I try to connect with my ID, the access is denied.
Before using groovy script I was able to access the service... I've checked my
admusers.properties and my account is set to ROLE_ADMIN
The boolean isServiceAccessAllowed is "return true"
class GroovyRegisteredAccessStrategy extends
DefaultRegisteredServiceAccessStrategy {
@Override
boolean isServiceAccessAllowed() {
return true
}
Thanks in advance
Debian,
Skip the for loop. If you know the attribute key, check it directly (sorry
about the use of map in my previous example):
if ('Active' == attributes.get('udlAccountStatus'))
Also, from a programming perspective, entrySet returns a Set<Map.Entry<String,
Object>>.
Ray
On Thu, 2019-05-23 at 06:59 -0700, Debian HNT wrote:
Ray,
Excuse me for the inconvenience but I still have errors...
I've tried your syntax
import org.apereo.cas.services.*
import java.util.*
class GroovyRegisteredAccessStrategy extends
DefaultRegisteredServiceAccessStrategy {
@Override
boolean isServiceAccessAllowed() {
return true
}
@Override
boolean isServiceAccessAllowedForSso() {
return true
}
@Override
boolean doPrincipalAttributesAllowServiceAccess(String principal,
Map<String, Object> attributes) {
for (Map.Entry<String, Object> entry : attributes.entrySet()){
if ('Active' == map.get('udlAccountStatus')) {return true}
else
{return false}
}
}
}
I have this error
2019-05-23 15:46:04,201 WARN
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
- <No such property: map for class: GroovyRegisteredAccessStrategy>
groovy.lang.MissingPropertyException: No such property: map for class:
GroovyRegisteredAccessStrategy
I've tried this
@Override
boolean doPrincipalAttributesAllowServiceAccess(String principal,
Map<String, Object> attributes) {
for (Map.Entry<String, Object> entry : attributes.entrySet()){
if ('Active' == entry.getKey('udlAccountStatus')) {return true}
else
{return false}
}
}
}
but I have this error
2019-05-23 15:38:52,086 WARN
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
- <No signature of method: java.util.LinkedHashMap$Entry.getKey() is
applicable for argument types: (java.lang.String) values: [udlAccountStatus]
Possible solutions: getKey(), getAt(java.lang.String), notify(), grep(),
every(), every(groovy.lang.Closure)>
When I try to use the Possible solutions with getKey()
@Override
boolean doPrincipalAttributesAllowServiceAccess(String principal,
Map<String, Object> attributes) {
for (Map.Entry<String, Object> entry : attributes.entrySet()){
if ('Active' == getKey('udlAccountStatus')) {return true}
else
{return false}
}
}
}
I have this error
2019-05-23 15:45:03,124 WARN
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
- <No signature of method: GroovyRegisteredAccessStrategy.getKey() is
applicable for argument types: (java.lang.String) values: [udlAccountStatus]
Possible solutions: getAt(java.lang.String), notify(), getOrder(), grep(),
every(), every(groovy.lang.Closure)>
any suggestions?
Thanks in advance...
Debian,
I should have looked closer at your method logic.
From the method name I suspect that method checks an attribute to determine
service access. This is what you originally proposed 'attribute = Active'.
You will need to know what attributes you have. You can add logging to the
method or increase logging in general:
<!-- DEBUG Found principal attributes [...] for [username]
Attribute policy [???] allows release of [...] for [username]
Final collection of attributes allowed are: [...] -->
<AsyncLogger
name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy"
level="debug"/>
I also have this in my logging config:
<!-- DEBUG Skipping access strategy policy - when no attributes rules
are defined
These required attributes [...] are examined against [...]
before service can proceed - when attributes are defined -->
<AsyncLogger
name="org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy"
level="warn"/>
Because CAS can perform the access / deny part of your requirements. Service
configuration can set an attribute and a value that a user must have to allow
access.
Since you are trying to modify the redirect URL (you have a third option), you
might have to modify the web flow.
In general, for your method you will have a check like this
if ('Active' == map.get('attribute')) {return true}
Ray
On Wed, 2019-05-22 at 00:49 -0700, Debian HNT wrote:
Ray,
Thanks for your answer!
I've changed the variable to attributes but it doesn't repair the issue.
I don't understand how to set principal to my attribute : account and how to
configure the map to active/blocked/waiting?
I'm not sure if I clearly understand the function...
Thank you in advance...
Debian,
In doPrincipal..., you are using a variable called 'map' but the variable is
'attributes'.
Ray
On Tue, 2019-05-21 at 02:22 -0700, Debian HNT wrote:
Hello guys,
I'm still trying to configure a groovy script for access strategy but I have
some errors
Here's my access-strategy.groovy
import org.apereo.cas.services.*
import java.util.*
class GroovyRegisteredAccessStrategy extends
DefaultRegisteredServiceAccessStrategy {
@Override
boolean isServiceAccessAllowed() {
return true
}
@Override
boolean isServiceAccessAllowedForSso() {
return true
}
@Override
boolean doPrincipalAttributesAllowServiceAccess(String principal,
Map<String, Object> attributes) {
for (Map.Entry<String, Object> entry : map.entrySet()){
if (entry.getKey().equals(principal)){
return true
}
}
return false
}
}
@Override
java.net.URI getUnauthorizedRedirectUrl(){
return "https://blocked-acc.html"
}
}
org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.login.InitialFlowSetupAction@2357e4bc in state 'null' of flow 'login' -- action execution attributes were 'map[[empty]]'
Caused by: java.lang.NullPointerException
at org.apereo.cas.services.GroovyRegisteredServiceAccessStrategy.isServiceAccessAllowed(GroovyRegisteredServiceAccessStrategy.java:49)
at org.apereo.cas.web.flow.login.InitialFlowSetupAction.configureWebflowContextForService(InitialFlowSetupAction.java:62)
at org.apereo.cas.web.flow.login.InitialFlowSetupAction.doExecute(InitialFlowSetupAction.java:51)
at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
at sun.reflect.GeneratedMethodAccessor447.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:216)
at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:470)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
at com.sun.proxy.$Proxy376.execute(Unknown Source)
at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
... 100 more
I'd like to set some required attributes and a redirection URL.
For example, if the account attribute = Active, I'll be able to join the service
but
if the account attribute = blocked, I'll be redirected to
https://blocked-acc.html<https://blocked.acc.html>
or
if the account attribute = waiting, I'll be redirected to
https://waiting-acc/html<https://waiting.acc/html>
I'm new to Groovy and I don't understand the issue. May I have some help, please?
Regards,
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/04e964119807d365daab22026a7ac85e8c079088.camel%40uvic.ca.
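
Added example, not part of the thread or of CAS itself: a stand-alone Groovy script covering two details the messages above run into, namely that the audit record shows `udlAccountStatus=[Active]` as a list, and that a `java.net.URI` return type needs `new URI(...)`. The helper names and the `waiting.html` URL are constructed for illustration, and the script assumes the map handed to `doPrincipalAttributesAllowServiceAccess` has the same shape as the audit record.

```groovy
// Plain Groovy, no CAS classes required to run it.

// Normalise an attribute to a list of trimmed strings, whether the
// directory returned one value or several (the log shows [Active]).
List<String> valuesOf(Map<String, Object> attributes, String key) {
    def raw = attributes?.get(key)
    if (raw == null) return []
    (raw instanceof Collection ? raw : [raw]).collect { it.toString().trim() }
}

// Deny by default: a missing or empty attribute never grants access.
// Inside the strategy class this would be the body of
// doPrincipalAttributesAllowServiceAccess(principal, attributes).
boolean accountIsActive(Map<String, Object> attributes) {
    valuesOf(attributes, 'udlAccountStatus').any { it.equalsIgnoreCase('Active') }
}

// Map a non-active status to a landing page and return a real URI.
// getUnauthorizedRedirectUrl() in the thread takes no arguments, so in
// the strategy itself only one fixed page, e.g. new URI(pages.blocked),
// can be returned; choosing per status needs the attributes elsewhere.
URI redirectFor(Map<String, Object> attributes) {
    def pages = [blocked: 'https://castete.univ.com/blocked.html',
                 waiting: 'https://castete.univ.com/waiting.html'] // constructed
    def status = valuesOf(attributes, 'udlAccountStatus')
            .collect { it.toLowerCase() }
            .find { pages.containsKey(it) }
    def target = new URI(pages[status] ?: pages.blocked)
    // Guard against a bad entry if the table is ever loaded from config.
    if (target.scheme != 'https' || target.host != 'castete.univ.com') {
        throw new IllegalStateException("Unexpected redirect target: ${target}")
    }
    target
}

// Constructed sample principals, shaped like the audit record.
def active  = [udlAccountStatus: ['Active'], supannAliasLogin: ['student1.stu']]
def blocked = [udlAccountStatus: ['Blocked']]
def waiting = [udlAccountStatus: 'waiting']

assert accountIsActive(active)
assert !accountIsActive(blocked)
assert !accountIsActive([:])
// A String compared with a List is never equal in Groovy.
assert !('Active' == active.udlAccountStatus)
assert redirectFor(blocked) == new URI('https://castete.univ.com/blocked.html')
assert redirectFor(waiting).path == '/waiting.html'
```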