Ray,
Thanks a lot for your response.
If it is neither 'blocked' nor 'waiting' access should be granted
Debian,
Debian,
>
> To know what is happening in your code, add logging statements!!!
>
> If you modify your code, you have to remember to un-modify it. Too easy to
> forget a change and release to production.
>
> I have not used groovy scripting in CAS. Can you write unit tests? This
> will let you know that your logic is correct.
> Logging and unit tests can both be permanent in your code base. Logging
> can be adjusted at runtime (log4j2.xml) in case an unexpected behaviour
> shows up.
>
> If you are going to test runtime behaviour (different redirects) you should
> have need test users with appropriate attributes (at least 3 in your
> case). Or modify one user at the attribute store.
>
> Testing is important! Make sure you have all the parts you need.
>
> As far as why the code is not working, is it possible that
> getUnauthorizedRedirectUrl is called before
> doPrincipalAttributesAllowServiceAccess? You can check this with logging
> (easy way) or trace the method calls in CAS source (more challenging).
>
> In getUnauthorizedRedirectUrl, there is no default case. What happens if
> it is neither 'Blocked' nor 'Waiting'?
>
> Ray
>
> On Wed, 2019-05-29 at 01:37 -0700, Debian HNT wrote:
>
> Hi Ray,
>
> I'm trying to implement dynamic url redirect, here's my code :
>
> import org.apereo.cas.services.*
> import java.util.*
> import java.net.URI
>
> class GroovyRegisteredAccessStrategy extends
> DefaultRegisteredServiceAccessStrategy {
> final String accountStatus
>
> @Override
> boolean isServiceAccessAllowed() {
> return true
> }
>
> @Override
> boolean isServiceAccessAllowedForSso() {
> return true
> }
>
> @Override
> boolean doPrincipalAttributesAllowServiceAccess(String principal,
> Map<String, Object> attribu$
> if(attributes.get('udlAccountStatus').contains('Active')) {
> this.accountStatus == 'Active'
> return true
> } else if
> (attributes.get('udlAccountStatus').contains('Waiting')) {
> this.accountStatus == 'Waiting'
> return false
> } else if
> (attributes.get('udlAccountStatus').contains('Blocked')) {
> this.accountStatus == 'Blocked'
> return false
>
> } else {
> return false
> }
> }
>
> @Override
> java.net.URI getUnauthorizedRedirectUrl() {
> if (this.accountStatus == 'Blocked') {
> return new URI('https://cas-univ.com/blocked.html')
> } else if (this.accountStatus == 'Waiting') {
> return new URI('https://cas-univ.com/waiting.html')
> }
> }
> }
>
> For Active account it works, but when I try waiting or blocked account, my
> access is denied (CAS message, no erros logs). I don't have a
> blocked/waiting account so I set my code like this to try :
>
> @Override
> boolean doPrincipalAttributesAllowServiceAccess(String principal,
> Map<String, Object> attribu$
> if(attributes.get('udlAccountStatus').contains('Active')) {
> this.accountStatus == 'Waiting'
> return false
> } else if (attributes.get('udlAccountStatus').contains('Waiting))
> {
> this.accountStatus == 'Waiting'
> return false
> } else if
> (attributes.get('udlAccountStatus').contains('Blocked')) {
> this.accountStatus == 'Blocked'
> return false
>
> } else {
> return false
> }
> }
> @Override
> java.net.URI getUnauthorizedRedirectUrl() {
> if (this.accountStatus == 'Blocked') {
> return new URI('https://cas-univ.com/blocked.html')
> } else if (this.accountStatus == 'Waiting') {
> return new URI('https://cas-univ.com/waiting.html')
> }
> }
> }
>
> any suggest? is my code correct?
>
>
> Thanks in advance..
>
>
> Hi Ray,
>
> Thanks for your response and idea, I managed to make it work !
>
> Best regards,
>
> Debian,
>
> 'Principal' is what the logged in user is called. Think of it as a box
> containing id, attributes, etc.
>
> Ray
>
> On Mon, 2019-05-27 at 04:31 -0700, Debian HNT wrote:
>
>
> Hi Ray,
>
> It is a message that CAS is displaying "Service access denied due to
> missing privileges."
>
>
> Here's the logs
>
> 2019-05-27 13:02:15,646 WARN
> [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] -
> <Unauthorized service access for principal; CAS will be redirecting to [
> https://castete.univ.com/aide/blocked.html]>
> 2019-05-27 13:02:53,173 WARN
> [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot
> grant access to service [https://castete.univ.com/cas/status/dashboard]
> because it is not authorized for use by [student.stu].>
> 2019-05-27 13:02:53,174 INFO
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
> trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: [result=Service Access Denied,service=
> https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=
> student.stu, attributes={udlAccountStatus=[Active], supannAliasLogin=
> [student.stu]}),requiredAttributes={}]
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Mon May 27 13:02:53 CEST 2019
>
> I feel like the code doesnt work because my student.stu has his
> udlAccountStatus to Active so I should access to the service?
> Can you explain me the "String principal"? not sure if I understand
> correctly...
>
> thanks for your time,
>
> Debian,
>
> When you say 'access is denied', is that a message that CAS is displaying
> or is that your service (admusers.properties sounds like your service)?
>
> Check CAS logs to see what is happening (you may need to add logging to
> you custom code).
>
> Ray
>
> On Fri, 2019-05-24 at 00:01 -0700, Debian HNT wrote:
>
> Hello Ray,
>
> Thanks for your answer, the conf seems to be ok, I can access to the log
> in page of the service but when I try to connect with my ID, the access is
> denied.
> Before using groovy script I was able to access the service... I've
> checked my admusers.properties and my account is set to ROLE_ADMIN
>
> The boolean isServiceAccessAllowed is "return true"
>
> class GroovyRegisteredAccessStrategy extends
> DefaultRegisteredServiceAccessStrategy {
> @Override
> boolean isServiceAccessAllowed() {
> return true
> }
>
> Thanks in advance
>
> Debian,
>
> Skip the for loop. If you know the attribute key, check it directly (sorry
> about the use of map in my previous example):
>
> if ('Active' == attributes.get('udlAccountStatus'))
>
>
> Also, from a programming perspective, entrySet returns a
> Set<Map.Entry<String, Object>>.
>
> Ray
>
> On Thu, 2019-05-23 at 06:59 -0700, Debian HNT wrote:
>
> Ray,
>
> Excuse me for the inconvenience but I still have errors...
>
> I've tried your syntax
>
> import org.apereo.cas.services.*
> import java.util.*
>
> class GroovyRegisteredAccessStrategy extends
> DefaultRegisteredServiceAccessStrategy {
> @Override
> boolean isServiceAccessAllowed() {
> return true
> }
>
> @Override
> boolean isServiceAccessAllowedForSso() {
> return true
> }
>
> @Override
> boolean doPrincipalAttributesAllowServiceAccess(String principal,
> Map<String, Object> attributes) {
> for (Map.Entry<String, Object> entry : attributes.entrySet()){
> if ('Active' == map.get('udlAccountStatus')) {return true}
> else
> {return false}
> }
> }
>
> }
>
> I have this error
> 2019-05-23 15:46:04,201 WARN
> [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
>
> - <No such property: map for class: GroovyRegisteredAccessStrategy>
> groovy.lang.MissingPropertyException: No such property: map for class:
> GroovyRegisteredAccessStrategy
>
> I've tried this
> @Override
> boolean doPrincipalAttributesAllowServiceAccess(String principal,
> Map<String, Object> attributes) {
> for (Map.Entry<String, Object> entry : attributes.entrySet()){
> if ('Active' == entry.getKey('udlAccountStatus')) {return
> true}
> else
> {return false}
> }
> }
>
> }
> but I have this error
> 2019-05-23 15:38:52,086 WARN
> [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
>
> - <No signature of method: java.util.LinkedHashMap$Entry.getKey() is
> applicable for argument types: (java.lang.String) values: [udlAccountStatus]
> Possible solutions: getKey(), getAt(java.lang.String), notify(), grep(),
> every(), every(groovy.lang.Closure)>
>
> When I try to use the Possible solutions with getKey()
> @Override
> boolean doPrincipalAttributesAllowServiceAccess(String principal,
> Map<String, Object> attributes) {
> for (Map.Entry<String, Object> entry : attributes.entrySet()){
> if ('Active' == getKey('udlAccountStatus')) {return true}
> else
> {return false}
> }
> }
>
> }
> I have this error
>
> 2019-05-23 15:45:03,124 WARN
> [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
>
> - <No signature of method: GroovyRegisteredAccessStrategy.getKey() is
> applicable for argument types: (java.lang.String) values: [udlAccountStatus]
> Possible solutions: getAt(java.lang.String), notify(), getOrder(), grep(),
> every(), every(groovy.lang.Closure)>
>
>
> any suggestions?
>
> Thanks in advance...
>
> Debian,
>
> I should have looked closer at your method logic.
> From the method name I suspect that method checks an attribute to
> determine service access. This is what you originally proposed 'attribute =
> Active'.
>
> You will need to know what attributes you have. You can add logging to the
> method or increase logging in general:
>
> <!-- DEBUG Found principal attributes [...] for [username]
> Attribute policy [???] allows release of [...] for
> [username]
> Final collection of attributes allowed are: [...] -->
> <AsyncLogger
> name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy"
>
> level="debug"/>
>
> I also have this in my logging config:
>
> <!-- DEBUG Skipping access strategy policy - when no attributes
> rules are defined
> These required attributes [...] are examined against
> [...] before service can proceed - when attrubutes are defined -->
> <AsyncLogger
> name="org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy"
> level="warn"/>
>
> Because CAS can perform the access / deny part of your requirements.
> Service configuration can set an attribute and a value that a user must
> have to allow access.
> Since you are trying to modify the redirect URL (you have a third option),
> you might have to modify the web flow.
>
> In general, for your method you will have a check like this
>
> if ('Active' == map.get('attribute')) {return true}
>
> Ray
>
> On Wed, 2019-05-22 at 00:49 -0700, Debian HNT wrote:
>
> Ray,
> Thanks for your answer!
>
> I've changed the variable to attributes but it doesnt repair the issue.
> I dont understand how to set principal to my attribute : account and how
> to configure the map to active/blocked/waiting?
> I'm not sure if I cleary understand the function...
>
> Thank u in advance...
>
>
> Debian,
>
> In doPrincipal..., you are using a variable called 'map' but the variable
> is 'attributes'.
>
> Ray
>
> On Tue, 2019-05-21 at 02:22 -0700, Debian HNT wrote:
>
> Hello guys,
>
> I'm still trying to configure a groovy script for access strategy but I
> have some errors
>
> Here's my access-strategy.groovy
>
>
> import org.apereo.cas.services.*
> import java.util.*
>
> class GroovyRegisteredAccessStrategy extends
> DefaultRegisteredServiceAccessStrategy {
> @Override
> boolean isServiceAccessAllowed() {
> return true
> }
>
> @Override
> boolean isServiceAccessAllowedForSso() {
> return true
> }
>
> @Override
> boolean doPrincipalAttributesAllowServiceAccess(String principal,
> Map<String, Object> attributes) {
> for (Map.Entry<String, Object> entry : map.entrySet()){
> if (entry.getKey().equals(principal)){
> return true
> }
> }
> return false
> }
> }
>
> @Override
> java.net.URI getUnauthorizedRedirectUrl(){
> return "https://blocked-acc.html";
> }
> }
>
>
>
> org.springframework.webflow.
>
> execution.
>
> ActionExecutionException: Exception thrown executing
> org.apereo.cas.web.flow.login.
>
> InitialFlowSetupAction@
>
> 2357e4bc in state 'null' of flow 'login' -- action execution attributes were
> 'map[[empty]]'
>
>
> Caused by: java.lang.NullPointerException
>
> at org.apereo.cas.services.
>
> GroovyRegisteredServiceAccessS
>
> trategy.
>
> isServiceAccessAllowed(
>
> GroovyRegisteredServiceAccessS
>
> trategy.java:49)
>
> at org.apereo.cas.web.flow.login.
>
> InitialFlowSetupAction.
>
> configureWebflowContextForServ
>
> ice(InitialFlowSetupAction.
>
> java:62)
>
> at org.apereo.cas.web.flow.login.
>
> InitialFlowSetupAction.
>
> doExecute(
>
> InitialFlowSetupAction.java:
>
> 51)
>
> at org.springframework.webflow.
>
> action.AbstractAction.execute(
>
> AbstractAction.java:188)
>
> at sun.reflect.
>
> GeneratedMethodAccessor447.
>
> invoke(Unknown Source)
>
> at sun.reflect.
>
> DelegatingMethodAccessorImpl.
>
> invoke(
>
> DelegatingMethodAccessorImpl.
>
> java:43)
>
> at java.lang.reflect.Method.
>
> invoke(Method.java:498)
>
> at org.springframework.util.
>
> ReflectionUtils.invokeMethod(
>
> ReflectionUtils.java:216)
>
> at org.springframework.cloud.
>
> context.scope.GenericScope$
>
> LockedScopedProxyFactoryBean.
>
> invoke(GenericScope.java:470)
>
> at org.springframework.aop.
>
> framework.
>
> ReflectiveMethodInvocation.
>
> proceed(
>
> ReflectiveMethodInvocation.
>
> java:179)
>
> at org.springframework.aop.
>
> framework.JdkDynamicAopProxy.
>
> invoke(JdkDynamicAopProxy.
>
> java:213)
>
> at com.sun.proxy.$Proxy376.
>
> execute(Unknown Source)
>
> at org.springframework.webflow.
>
> execution.ActionExecutor.
>
> execute(ActionExecutor.java:
>
> 51)
>
> ... 100 more
>
>
>
>
> I'd like to set some attributes required and redirection url.
>
> For example if the account attribute = Active, i'll be able to join the
> service
>
> but
>
> if the account attribute = blocked, i'll be redirect to
> https://blocked-acc.html <https://blocked.acc.html>
>
> or
>
> if the account attribute = waiting, i'll be redirect to
> https://waiting-acc/html <https://waiting.acc/html>
>
> I'm new to groovy and I dont understand the issue, May I have some help
> pls?
>
> Regards,
>
> --
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> --
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> --
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> --
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> --
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected] <javascript:>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/fdff0ea8-bac8-4812-9eaf-a02df1aad7f3%40apereo.org.
