Debian, 'Principal' is what the logged in user is called. Think of it as a box containing id, attributes, etc.
Ray On Mon, 2019-05-27 at 04:31 -0700, Debian HNT wrote: Hi Ray, It is a message that CAS is displaying "Service access denied due to missing privileges." Here's the logs 2019-05-27 13:02:15,646 WARN [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - <Unauthorized service access for principal; CAS will be redirecting to [https://castete.univ.com/aide/blocked.html]> 2019-05-27 13:02:53,173 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot grant access to service [https://castete.univ.com/cas/status/dashboard] because it is not authorized for use by [student.stu].> 2019-05-27 13:02:53,174 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: audit:unknown WHAT: [result=Service Access Denied,service=https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=student.stu, attributes={udlAccountStatus=[Active], supannAliasLogin=[student.stu]}),requiredAttributes={}] ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED APPLICATION: CAS WHEN: Mon May 27 13:02:53 CEST 2019 I feel like the code doesnt work because my student.stu has his udlAccountStatus to Active so I should access to the service? Can you explain me the "String principal"? not sure if I understand correctly... thanks for your time, Debian, When you say 'access is denied', is that a message that CAS is displaying or is that your service (admusers.properties sounds like your service)? Check CAS logs to see what is happening (you may need to add logging to you custom code). Ray On Fri, 2019-05-24 at 00:01 -0700, Debian HNT wrote: Hello Ray, Thanks for your answer, the conf seems to be ok, I can access to the log in page of the service but when I try to connect with my ID, the access is denied. Before using groovy script I was able to access the service... I've checked my admusers.properties and my account is set to ROLE_ADMIN The boolean isServiceAccessAllowed is "return true" class GroovyRegisteredAccessStrategy extends DefaultRegisteredServiceAccessStrategy { @Override boolean isServiceAccessAllowed() { return true } Thanks in advance Debian, Skip the for loop. If you know the attribute key, check it directly (sorry about the use of map in my previous example): if ('Active' == attributes.get('udlAccountStatus')) Also, from a programming perspective, entrySet returns a Set<Map.Entry<String, Object>>. Ray On Thu, 2019-05-23 at 06:59 -0700, Debian HNT wrote: Ray, Excuse me for the inconvenience but I still have errors... I've tried your syntax import org.apereo.cas.services.* import java.util.* class GroovyRegisteredAccessStrategy extends DefaultRegisteredServiceAccessStrategy { @Override boolean isServiceAccessAllowed() { return true } @Override boolean isServiceAccessAllowedForSso() { return true } @Override boolean doPrincipalAttributesAllowServiceAccess(String principal, Map<String, Object> attributes) { for (Map.Entry<String, Object> entry : attributes.entrySet()){ if ('Active' == map.get('udlAccountStatus')) {return true} else {return false} } } } I have this error 2019-05-23 15:46:04,201 WARN [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <No such property: map for class: GroovyRegisteredAccessStrategy> groovy.lang.MissingPropertyException: No such property: map for class: GroovyRegisteredAccessStrategy I've tried this @Override boolean doPrincipalAttributesAllowServiceAccess(String principal, Map<String, Object> attributes) { for (Map.Entry<String, Object> entry : attributes.entrySet()){ if ('Active' == entry.getKey('udlAccountStatus')) {return true} else {return false} } } } but I have this error 2019-05-23 15:38:52,086 WARN [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <No signature of method: java.util.LinkedHashMap$Entry.getKey() is applicable for argument types: (java.lang.String) values: [udlAccountStatus] Possible solutions: getKey(), getAt(java.lang.String), notify(), grep(), every(), every(groovy.lang.Closure)> When I try to use the Possible solutions with getKey() @Override boolean doPrincipalAttributesAllowServiceAccess(String principal, Map<String, Object> attributes) { for (Map.Entry<String, Object> entry : attributes.entrySet()){ if ('Active' == getKey('udlAccountStatus')) {return true} else {return false} } } } I have this error 2019-05-23 15:45:03,124 WARN [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <No signature of method: GroovyRegisteredAccessStrategy.getKey() is applicable for argument types: (java.lang.String) values: [udlAccountStatus] Possible solutions: getAt(java.lang.String), notify(), getOrder(), grep(), every(), every(groovy.lang.Closure)> any suggestions? Thanks in advance... Debian, I should have looked closer at your method logic. >From the method name I suspect that method checks an attribute to determine >service access. This is what you originally proposed 'attribute = Active'. You will need to know what attributes you have. You can add logging to the method or increase logging in general: <!-- DEBUG Found principal attributes [...] for [username] Attribute policy [???] allows release of [...] for [username] Final collection of attributes allowed are: [...] --> <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/> I also have this in my logging config: <!-- DEBUG Skipping access strategy policy - when no attributes rules are defined These required attributes [...] are examined against [...] before service can proceed - when attrubutes are defined --> <AsyncLogger name="org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy" level="warn"/> Because CAS can perform the access / deny part of your requirements. Service configuration can set an attribute and a value that a user must have to allow access. Since you are trying to modify the redirect URL (you have a third option), you might have to modify the web flow. In general, for your method you will have a check like this if ('Active' == map.get('attribute')) {return true} Ray On Wed, 2019-05-22 at 00:49 -0700, Debian HNT wrote: Ray, Thanks for your answer! I've changed the variable to attributes but it doesnt repair the issue. I dont understand how to set principal to my attribute : account and how to configure the map to active/blocked/waiting? I'm not sure if I cleary understand the function... Thank u in advance... Debian, In doPrincipal..., you are using a variable called 'map' but the variable is 'attributes'. Ray On Tue, 2019-05-21 at 02:22 -0700, Debian HNT wrote: Hello guys, I'm still trying to configure a groovy script for access strategy but I have some errors Here's my access-strategy.groovy import org.apereo.cas.services.* import java.util.* class GroovyRegisteredAccessStrategy extends DefaultRegisteredServiceAccessStrategy { @Override boolean isServiceAccessAllowed() { return true } @Override boolean isServiceAccessAllowedForSso() { return true } @Override boolean doPrincipalAttributesAllowServiceAccess(String principal, Map<String, Object> attributes) { for (Map.Entry<String, Object> entry : map.entrySet()){ if (entry.getKey().equals(principal)){ return true } } return false } } @Override java.net.URI getUnauthorizedRedirectUrl(){ return "https://blocked-acc.html"; } } org.springframework.webflow. execution. ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.login. InitialFlowSetupAction@ 2357e4bc in state 'null' of flow 'login' -- action execution attributes were 'map[[empty]]' Caused by: java.lang.NullPointerException at org.apereo.cas.services. GroovyRegisteredServiceAccessS trategy. isServiceAccessAllowed( GroovyRegisteredServiceAccessS trategy.java:49) at org.apereo.cas.web.flow.login. InitialFlowSetupAction. configureWebflowContextForServ ice(InitialFlowSetupAction. java:62) at org.apereo.cas.web.flow.login. InitialFlowSetupAction. doExecute( InitialFlowSetupAction.java: 51) at org.springframework.webflow. action.AbstractAction.execute( AbstractAction.java:188) at sun.reflect. GeneratedMethodAccessor447. invoke(Unknown Source) at sun.reflect. DelegatingMethodAccessorImpl. invoke( DelegatingMethodAccessorImpl. java:43) at java.lang.reflect.Method. invoke(Method.java:498) at org.springframework.util. ReflectionUtils.invokeMethod( ReflectionUtils.java:216) at org.springframework.cloud. context.scope.GenericScope$ LockedScopedProxyFactoryBean. invoke(GenericScope.java:470) at org.springframework.aop. framework. ReflectiveMethodInvocation. proceed( ReflectiveMethodInvocation. java:179) at org.springframework.aop. framework.JdkDynamicAopProxy. invoke(JdkDynamicAopProxy. java:213) at com.sun.proxy.$Proxy376. execute(Unknown Source) at org.springframework.webflow. execution.ActionExecutor. execute(ActionExecutor.java: 51) ... 100 more I'd like to set some attributes required and redirection url. For example if the account attribute = Active, i'll be able to join the service but if the account attribute = blocked, i'll be redirect to https://blocked-acc.html<https://blocked.acc.html> or if the account attribute = waiting, i'll be redirect to https://waiting-acc/html<https://waiting.acc/html> I'm new to groovy and I dont understand the issue, May I have some help pls? Regards, -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831 | CLE 019 | [email protected] -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831 | CLE 019 | [email protected] -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831 | CLE 019 | [email protected] -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831 | CLE 019 | [email protected]<javascript:> -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831 | CLE 019 | [email protected] -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b55f3ba994e2f87130daaab0ffcfbab524b64467.camel%40uvic.ca.
