Debian,
To know what is happening in your code, add logging statements!!!
If you modify your code, you have to remember to un-modify it. Too easy to
forget a change and release to production.
I have not used groovy scripting in CAS. Can you write unit tests? This will
let you know that your logic is correct.
Logging and unit tests can both be permanent in your code base. Logging can be
adjusted at runtime (log4j2.xml) in case an unexpected behaviour shows up.
If you are going to test runtime behaviour (different redirects) you should
have need test users with appropriate attributes (at least 3 in your case). Or
modify one user at the attribute store.
Testing is important! Make sure you have all the parts you need.
As far as why the code is not working, is it possible that
getUnauthorizedRedirectUrl is called before
doPrincipalAttributesAllowServiceAccess? You can check this with logging (easy
way) or trace the method calls in CAS source (more challenging).
In getUnauthorizedRedirectUrl, there is no default case. What happens if it is
neither 'Blocked' nor 'Waiting'?
Ray
On Wed, 2019-05-29 at 01:37 -0700, Debian HNT wrote:
Hi Ray,
I'm trying to implement dynamic url redirect, here's my code :
import org.apereo.cas.services.*
import java.util.*
import java.net.URI
class GroovyRegisteredAccessStrategy extends
DefaultRegisteredServiceAccessStrategy {
final String accountStatus
@Override
boolean isServiceAccessAllowed() {
return true
}
@Override
boolean isServiceAccessAllowedForSso() {
return true
}
@Override
boolean doPrincipalAttributesAllowServiceAccess(String principal,
Map<String, Object> attribu$
if(attributes.get('udlAccountStatus').contains('Active')) {
this.accountStatus == 'Active'
return true
} else if (attributes.get('udlAccountStatus').contains('Waiting')) {
this.accountStatus == 'Waiting'
return false
} else if (attributes.get('udlAccountStatus').contains('Blocked')) {
this.accountStatus == 'Blocked'
return false
} else {
return false
}
}
@Override
java.net.URI getUnauthorizedRedirectUrl() {
if (this.accountStatus == 'Blocked') {
return new URI('https://cas-univ.com/blocked.html')
} else if (this.accountStatus == 'Waiting') {
return new URI('https://cas-univ.com/waiting.html')
}
}
}
For Active account it works, but when I try waiting or blocked account, my
access is denied (CAS message, no erros logs). I don't have a blocked/waiting
account so I set my code like this to try :
@Override
boolean doPrincipalAttributesAllowServiceAccess(String principal,
Map<String, Object> attribu$
if(attributes.get('udlAccountStatus').contains('Active')) {
this.accountStatus == 'Waiting'
return false
} else if (attributes.get('udlAccountStatus').contains('Waiting)) {
this.accountStatus == 'Waiting'
return false
} else if (attributes.get('udlAccountStatus').contains('Blocked')) {
this.accountStatus == 'Blocked'
return false
} else {
return false
}
}
@Override
java.net.URI getUnauthorizedRedirectUrl() {
if (this.accountStatus == 'Blocked') {
return new URI('https://cas-univ.com/blocked.html')
} else if (this.accountStatus == 'Waiting') {
return new URI('https://cas-univ.com/waiting.html')
}
}
}
any suggest? is my code correct?
Thanks in advance..
Hi Ray,
Thanks for your response and idea, I managed to make it work !
Best regards,
Debian,
'Principal' is what the logged in user is called. Think of it as a box
containing id, attributes, etc.
Ray
On Mon, 2019-05-27 at 04:31 -0700, Debian HNT wrote:
Hi Ray,
It is a message that CAS is displaying "Service access denied due to missing
privileges."
Here's the logs
2019-05-27 13:02:15,646 WARN
[org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] -
<Unauthorized service access for principal; CAS will be redirecting to
[https://castete.univ.com/aide/blocked.html]>
2019-05-27 13:02:53,173 WARN
[org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot grant
access to service [https://castete.univ.com/cas/status/dashboard] because it is
not authorized for use by [student.stu].>
2019-05-27 13:02:53,174 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access
Denied,service=https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=student.stu,
attributes={udlAccountStatus=[Active],
supannAliasLogin=[student.stu]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Mon May 27 13:02:53 CEST 2019
I feel like the code doesnt work because my student.stu has his
udlAccountStatus to Active so I should access to the service?
Can you explain me the "String principal"? not sure if I understand correctly...
thanks for your time,
Debian,
When you say 'access is denied', is that a message that CAS is displaying or is
that your service (admusers.properties sounds like your service)?
Check CAS logs to see what is happening (you may need to add logging to you
custom code).
Ray
On Fri, 2019-05-24 at 00:01 -0700, Debian HNT wrote:
Hello Ray,
Thanks for your answer, the conf seems to be ok, I can access to the log in
page of the service but when I try to connect with my ID, the access is denied.
Before using groovy script I was able to access the service... I've checked my
admusers.properties and my account is set to ROLE_ADMIN
The boolean isServiceAccessAllowed is "return true"
class GroovyRegisteredAccessStrategy extends
DefaultRegisteredServiceAccessStrategy {
@Override
boolean isServiceAccessAllowed() {
return true
}
Thanks in advance
Debian,
Skip the for loop. If you know the attribute key, check it directly (sorry
about the use of map in my previous example):
if ('Active' == attributes.get('udlAccountStatus'))
Also, from a programming perspective, entrySet returns a Set<Map.Entry<String,
Object>>.
Ray
On Thu, 2019-05-23 at 06:59 -0700, Debian HNT wrote:
Ray,
Excuse me for the inconvenience but I still have errors...
I've tried your syntax
import org.apereo.cas.services.*
import java.util.*
class GroovyRegisteredAccessStrategy extends
DefaultRegisteredServiceAccessStrategy {
@Override
boolean isServiceAccessAllowed() {
return true
}
@Override
boolean isServiceAccessAllowedForSso() {
return true
}
@Override
boolean doPrincipalAttributesAllowServiceAccess(String principal,
Map<String, Object> attributes) {
for (Map.Entry<String, Object> entry : attributes.entrySet()){
if ('Active' == map.get('udlAccountStatus')) {return true}
else
{return false}
}
}
}
I have this error
2019-05-23 15:46:04,201 WARN
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
- <No such property: map for class: GroovyRegisteredAccessStrategy>
groovy.lang.MissingPropertyException: No such property: map for class:
GroovyRegisteredAccessStrategy
I've tried this
@Override
boolean doPrincipalAttributesAllowServiceAccess(String principal,
Map<String, Object> attributes) {
for (Map.Entry<String, Object> entry : attributes.entrySet()){
if ('Active' == entry.getKey('udlAccountStatus')) {return true}
else
{return false}
}
}
}
but I have this error
2019-05-23 15:38:52,086 WARN
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
- <No signature of method: java.util.LinkedHashMap$Entry.getKey() is
applicable for argument types: (java.lang.String) values: [udlAccountStatus]
Possible solutions: getKey(), getAt(java.lang.String), notify(), grep(),
every(), every(groovy.lang.Closure)>
When I try to use the Possible solutions with getKey()
@Override
boolean doPrincipalAttributesAllowServiceAccess(String principal,
Map<String, Object> attributes) {
for (Map.Entry<String, Object> entry : attributes.entrySet()){
if ('Active' == getKey('udlAccountStatus')) {return true}
else
{return false}
}
}
}
I have this error
2019-05-23 15:45:03,124 WARN
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
- <No signature of method: GroovyRegisteredAccessStrategy.getKey() is
applicable for argument types: (java.lang.String) values: [udlAccountStatus]
Possible solutions: getAt(java.lang.String), notify(), getOrder(), grep(),
every(), every(groovy.lang.Closure)>
any suggestions?
Thanks in advance...
Debian,
I should have looked closer at your method logic.
>From the method name I suspect that method checks an attribute to determine
>service access. This is what you originally proposed 'attribute = Active'.
You will need to know what attributes you have. You can add logging to the
method or increase logging in general:
<!-- DEBUG Found principal attributes [...] for [username]
Attribute policy [???] allows release of [...] for [username]
Final collection of attributes allowed are: [...] -->
<AsyncLogger
name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy"
level="debug"/>
I also have this in my logging config:
<!-- DEBUG Skipping access strategy policy - when no attributes rules
are defined
These required attributes [...] are examined against [...]
before service can proceed - when attrubutes are defined -->
<AsyncLogger
name="org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy"
level="warn"/>
Because CAS can perform the access / deny part of your requirements. Service
configuration can set an attribute and a value that a user must have to allow
access.
Since you are trying to modify the redirect URL (you have a third option), you
might have to modify the web flow.
In general, for your method you will have a check like this
if ('Active' == map.get('attribute')) {return true}
Ray
On Wed, 2019-05-22 at 00:49 -0700, Debian HNT wrote:
Ray,
Thanks for your answer!
I've changed the variable to attributes but it doesnt repair the issue.
I dont understand how to set principal to my attribute : account and how to
configure the map to active/blocked/waiting?
I'm not sure if I cleary understand the function...
Thank u in advance...
Debian,
In doPrincipal..., you are using a variable called 'map' but the variable is
'attributes'.
Ray
On Tue, 2019-05-21 at 02:22 -0700, Debian HNT wrote:
Hello guys,
I'm still trying to configure a groovy script for access strategy but I have
some errors
Here's my access-strategy.groovy
import org.apereo.cas.services.*
import java.util.*
class GroovyRegisteredAccessStrategy extends
DefaultRegisteredServiceAccessStrategy {
@Override
boolean isServiceAccessAllowed() {
return true
}
@Override
boolean isServiceAccessAllowedForSso() {
return true
}
@Override
boolean doPrincipalAttributesAllowServiceAccess(String principal,
Map<String, Object> attributes) {
for (Map.Entry<String, Object> entry : map.entrySet()){
if (entry.getKey().equals(principal)){
return true
}
}
return false
}
}
@Override
java.net.URI getUnauthorizedRedirectUrl(){
return "https://blocked-acc.html";
}
}
org.springframework.webflow.
execution.
ActionExecutionException: Exception thrown executing
org.apereo.cas.web.flow.login.
InitialFlowSetupAction@
2357e4bc in state 'null' of flow 'login' -- action execution attributes were
'map[[empty]]'
Caused by: java.lang.NullPointerException
at org.apereo.cas.services.
GroovyRegisteredServiceAccessS
trategy.
isServiceAccessAllowed(
GroovyRegisteredServiceAccessS
trategy.java:49)
at org.apereo.cas.web.flow.login.
InitialFlowSetupAction.
configureWebflowContextForServ
ice(InitialFlowSetupAction.
java:62)
at org.apereo.cas.web.flow.login.
InitialFlowSetupAction.
doExecute(
InitialFlowSetupAction.java:
51)
at org.springframework.webflow.
action.AbstractAction.execute(
AbstractAction.java:188)
at sun.reflect.
GeneratedMethodAccessor447.
invoke(Unknown Source)
at sun.reflect.
DelegatingMethodAccessorImpl.
invoke(
DelegatingMethodAccessorImpl.
java:43)
at java.lang.reflect.Method.
invoke(Method.java:498)
at org.springframework.util.
ReflectionUtils.invokeMethod(
ReflectionUtils.java:216)
at org.springframework.cloud.
context.scope.GenericScope$
LockedScopedProxyFactoryBean.
invoke(GenericScope.java:470)
at org.springframework.aop.
framework.
ReflectiveMethodInvocation.
proceed(
ReflectiveMethodInvocation.
java:179)
at org.springframework.aop.
framework.JdkDynamicAopProxy.
invoke(JdkDynamicAopProxy.
java:213)
at com.sun.proxy.$Proxy376.
execute(Unknown Source)
at org.springframework.webflow.
execution.ActionExecutor.
execute(ActionExecutor.java:
51)
... 100 more
I'd like to set some attributes required and redirection url.
For example if the account attribute = Active, i'll be able to join the service
but
if the account attribute = blocked, i'll be redirect to
https://blocked-acc.html<https://blocked.acc.html>
or
if the account attribute = waiting, i'll be redirect to
https://waiting-acc/html<https://waiting.acc/html>
I'm new to groovy and I dont understand the issue, May I have some help pls?
Regards,
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/fe1d8424ca3c9f984919f74ff4749e63190d1cb3.camel%40uvic.ca.
