Debian,
The service entry looks fine. Make sure the id value is unique and make sure
the evaluation order allows it to be accessed,
https://apereo.github.io/cas/6.0.x/services/Service-Management.html
The logs you provided do not have anything about not being able to access
blocked.html
What happens after the 'constructor atguments' log line?
More logs are always better.
It could be that your service registry is not being picked up. Is the
cas-management app on the cas.univ.com host?
You can see what services are being loaded:
<!-- INFO Loaded [#] service(s) from [???ServiceRegistryDAO]
DEBUG Adding registered service [service URL] -->
<AsyncLogger name="org.apereo.cas.services.AbstractServicesManager"
level="debug" />
Ray
On Thu, 2019-06-06 at 06:40 -0700, Debian HNT wrote:
Ray,
I think the problem comes from the registration of the url
https://cas.univ.com/blocked.html to cas<https://cas-univ.com/blocked.html>
I tried to redirect to a registered service like cas-management page and its
worked.
So I tried to register
https://cas.univ.com/help/blocked.html<https://cas-univ.com/blocked.html> like
that
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" :
"^https://cas.univ.com/help(\\z|/.*)<https://cas-univ.com/help(%5C%5Cz%7C/.*)>",
"name" : "blocked url",
"id" : 1559825188,
"description" : "Blocked URL"
}
but it doesnt work... here's the logs
>
2019-06-06 15:05:23,393 WARN
[org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot grant
access to service [https://cas.univ.com/cas/status/dashboard] because it is not
authorized for use by [student1.stu].>
2019-06-06 15:05:23,393 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
trail record BEGIN
=============================================================
WHO: student1.stu
WHAT: [result=Service Access
Denied,service=https://cas.univ.com/cas/sta...,principal=SimplePrincipal(id=student1.stu,
attributes={udlAccountStatus=[Active],
supannAliasLogin=[student1.stu]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Thu Jun 06 15:05:23 CEST 2019
CLIENT IP ADDRESS:
SERVER IP ADDRESS:
=============================================================
>
2019-06-06 15:05:23,394 WARN
[org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] -
<Unauthorized service access for principal; CAS will be redirecting to
[https://cas.univ.com/help/blocked.html]>
2019-06-06 15:05:24,423 DEBUG [org.apereo.cas.util.scripting.ScriptingUtils] -
<Preparing constructor arguments [[]] for resource [file
[/etc/cas/config/access-strategy.groovy]]>
Is my registered service incorrectly configured?
Regards,,,
Set the logger to be more general:
<AsyncLogger name="org.apereo.cas.services" level="debug"/>
or better, set all of cas to log at debug:
<AsyncLogger name="org.apereo.cas" level="debug"/>
Try using logger.error.
See
https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html#groovy-script
I am not sure about importing as I have not used groovy scripting.
It is important that your code writes to the log to capture the sequence of
method calls.
Ray
On Wed, 2019-06-05 at 12:22 -0700, Debian HNT wrote:
This line doesnt work, do I have to import some package?
log.error("doPrincipalAttributesAllowServiceAccess: " +
attributes.get('udlAccountStatus'))
So I wrote this to exit the state of accountStatus
java.net.URI getUnauthorizedRedirectUrl() {
if (this.accountStatus == 'Blocked') {
File file = new File("/tmp/cas")
file.append(this.accountStatus)
this debug return nothing
<AsyncLogger name="org.apereo.cas.services.GroovyRegisteredAccessStrategy"
level="debug"/>
I don't have access to the server atm, I'll send u the rest of logs tomwr
Regards,
Debian,
Post all the relevant debug logs, ideally with logging from your code.
Need to see what CAS and your code is thinking, _and_ when it is executing.
Ray
On Wed, 2019-06-05 at 06:00 -0700, Debian HNT wrote:
Ray,
There is two states
1st connection : "Service access denied due to missing privileges"
2nd connection :"Application Not Authorized to Use CAS" + message log "CAS will
be redirecting to... https://blocke.html";
I'm running out of ideas...
Regards,
Ray,
waiting.html isnt protected by a CAS client..
I tried to register it as a CAS services with the cas management app but it
doesnt change anything.
Network browser traffic display error 401.
it's weird, for the simple redirection it works the url is well displayed, but
for the dynamic redirection it doesn't. In the logs we can see that we will be
redirected but in reality not
Regards..
Debian,
Is waiting.html protected by a CAS client?
The 'not authorized' message shows in CAS when an application redirects to CAS
but is not in CAS services. Check your browser network traffic to see the
redirects.
Ray
On Tue, 2019-06-04 at 02:58 -0700, Debian HNT wrote:
Ray,
UPDATE
I wrote my own logs by redirecting to a file to see if this.accountStatus
recovers the correct state
like this
java.net.URI getUnauthorizedRedirectUrl() {
if (this.accountStatus == 'Blocked') {
File file = new File("/tmp/cas")
file.append(this.accountStatus)
So in my toto file I have the waiting status
====================================================
GNU nano 2.7.4 File : /tmp/cas
Waiting
====================================================
When Im trying to connect :
2019-06-04 11:42:20,415 WARN
[org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] -
<Unauthorized service access for principal; CAS will be redirecting to
[https://cas-univ.com/waiting.html)]>
So it sounds good but the page doesnt redirect to the url and display
"Application Not Authorized to Use CAS"
any suggestion?
Regards,
Ray,
Theses lines do not return anything in my logs...
I thought my file wasnt up but it is because the ldaptive debug is generated...
I dunno whats happening
regards,
Debian,
Add this to your log4j2.xml
<AsyncLogger name="package.GroovyRegisteredAccessStrategy" level="debug"/>
replacing 'package' with the package of your class.
Add this as the first line of doPrincipalAttributesAllowServiceAccess method:
log.error("doPrincipalAttributesAllowServiceAccess: " +
attributes.get('udlAccountStatus'))
Log level does not have to be 'error', but this way it will definitely show in
the logs and 'should be' the only ERROR listed.
This way you will know when/if your method is called and the value of
udlAccountStatus.
Ray
On Mon, 2019-06-03 at 06:00 -0700, Debian HNT wrote:
Ray,
In my log4j2.xml I have this
<AsyncLogger
name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy"
level="debug"/>
<AsyncLogger
name="org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy"
level="debug"/>
When access is granted I have this in my logs
8430:2019-06-03 14:13:39,963 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Initiating attributes release phase for principal [student1.stu] accessing
service [https://castete.univ.com/cas/status/dashboard] defined by registered
service [^https://castete.univ.com/cas/status/dashboard(\z|/.*)]...>
8431:2019-06-03 14:13:39,972 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Locating principal attributes for [student1.stu]>
8432:2019-06-03 14:13:39,973 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Using principal attribute repository [DefaultPrincipalAttributesRepository()]
to retrieve attributes>
8433:2019-06-03 14:13:39,974 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Found principal attributes [{supannAliasLogin=[student1.stu],
udlAccountStatus=[Active]}] for [student1.stu]>
8434:2019-06-03 14:13:39,976 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Calling attribute policy [ReturnAllAttributeReleasePolicy] to process
attributes for [student1.stu]>
8435:2019-06-03 14:13:39,977 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Attribute policy [ReturnAllAttributeReleasePolicy] allows release of
[{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}] for
[student1.stu>
8436:2019-06-03 14:13:39,984 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Attempting to merge policy attributes and default attributes>
8437:2019-06-03 14:13:39,984 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Checking default attribute policy attributes>
8438:2019-06-03 14:13:39,985 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Located application context. Retrieving default attributes for release, if any>
8439:2019-06-03 14:13:39,988 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Default attributes for release are: [[]]>
8440:2019-06-03 14:13:39,993 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Default attributes found to be released are [{}]>
8441:2019-06-03 14:13:39,993 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Adding default attributes first to the released set of attributes>
8442:2019-06-03 14:13:39,994 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Adding policy attributes to the released set of attributes>
8443:2019-06-03 14:13:39,994 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Finalizing attributes release phase for principal [student1.stu] accessing
service [https://castete.univ.com/cas/status/dashboard] defined by registered
service [^https://castete.univ.com/cas/status/dashboard(\z|/.*)]...>
8444:2019-06-03 14:13:39,994 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Final collection of attributes allowed are: [{supannAliasLogin=[student1.stu],
udlAccountStatus=[Active]}]>
8430:2019-06-03 14:13:39,963 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Initiating attributes release phase for principal [student1.stu] accessing
service [https://castete.univ.com/cas/status/dashboard] defined by registered
service [^https://castete.univ.com/cas/status/dashboard(\z|/.*)]...>
8431:2019-06-03 14:13:39,972 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Locating principal attributes for [student1.stu]>
8432:2019-06-03 14:13:39,973 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Using principal attribute repository [DefaultPrincipalAttributesRepository()]
to retrieve attributes>
8433:2019-06-03 14:13:39,974 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Found principal attributes [{supannAliasLogin=[student1.stu],
udlAccountStatus=[Active]}] for [student1.stu]>
8434:2019-06-03 14:13:39,976 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Calling attribute policy [ReturnAllAttributeReleasePolicy] to process
attributes for [student1.stu]>
8435:2019-06-03 14:13:39,977 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Attribute policy [ReturnAllAttributeReleasePolicy] allows release of
[{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}] for
[student1.stu]>
8436:2019-06-03 14:13:39,984 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Attempting to merge policy attributes and default attributes>
8437:2019-06-03 14:13:39,984 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Checking default attribute policy attributes>
8438:2019-06-03 14:13:39,985 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Located application context. Retrieving default attributes for release, if any>
8439:2019-06-03 14:13:39,988 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Default attributes for release are: [[]]>
8440:2019-06-03 14:13:39,993 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Default attributes found to be released are [{}]>
8441:2019-06-03 14:13:39,993 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Adding default attributes first to the released set of attributes>
8442:2019-06-03 14:13:39,994 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Adding policy attributes to the released set of attributes>
8443:2019-06-03 14:13:39,994 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Finalizing attributes release phase for principal [student1.stu] accessing
service [https://castete.univ.com/cas/status/dashboard] defined by registered
service [^https://castete.univ.com/cas/status/dashboard(\z|/.*)]...>
8444:2019-06-03 14:13:39,994 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Final collection of attributes allowed are: [{supannAliasLogin=[student1.stu],
udlAccountStatus=[Active]}]>
But when I try to test my waiting/blocked acc access is denied. In my logs I
just have ldaptive DEBUG
2019-06-03 14:50:45,673 INFO [org.ldaptive.auth.Authenticator] -
<Authentication succeeded for dn: uid=82853,ou=accounts,dc=univ,dc=com>
2019-06-03 14:50:45,673 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate
response=[org.ldaptive.auth.AuthenticationHandlerResponse@1390045036::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1074313305::config=[org.ldaptive.ConnectionConfig@1599162410::ldapUrl=ldap://ldap.univ.com<http://ldap.univ.com>,
connectTimeout=PT5S, responseTimeout=PT5S,
sslConfig=[org.ldaptive.ssl.SslConfig@1022689743::credentialConfig=null,
trustManagers=null,
hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@5afc0982,
hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null,
handshakeCompletedListeners=null], useSSL=true, useStartTLS=false,
connectionInitializer=[org.ldaptive.BindConnectionInitializer@202489594::bindDn=uid=reverseproxy,ou=ldapusers,dc=univ,dc=com,
bindSaslConfig=null, bindControls=null],
connectionStrategy=org.ldaptive.DefaultConnectionStrategy@59d4b74a],
providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@156261501::metadata=[ldapUrl=ldap://ldap.univ.com<http://ldap.univ.com>,
count=1],
environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory,
com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.security.protocol=ssl, com.sun.jndi.ldap.read.timeout=5000},
classLoader=null,
providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@1341079820::operationExceptionResultCodes=[PROTOCOL_ERROR,
SERVER_DOWN], properties={},
controlProcessor=org.ldaptive.provider.ControlProcessor@6a7e6832,
environment=null, tracePackets=null, removeDnUrls=true,
searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED,
PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null,
hostnameVerifier=null]],
providerConnection=org.ldaptive.provider.jndi.JndiConnection@390a5cde],
result=true, resultCode=SUCCESS, message=null, controls=null] for
dn=uid=82853,ou=accounts,dc=univ,dc=com with
request=[org.ldaptive.auth.AuthenticationRequest@1020927553::user=[org.ldaptive.auth.User@86711528::identifier=student1.stu,
context=null], returnAttributes=[udlAccountStatus, supannAliasLogin],
controls=null]>
2019-06-03 14:50:45,675 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
trail record BEGIN
=============================================================
WHO: student1.stu
WHAT: Supplied credentials: [UsernamePasswordCredential(username=student1.stu)]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Mon Jun 03 14:50:45 CEST 2019
CLIENT IP ADDRESS: 134.206.4.15
SERVER IP ADDRESS: 194.254.129.15
=============================================================
>
2019-06-03 14:50:45,677 WARN
[org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot grant
access to service [https://castete.univ.com/cas/status/dashboard] because it is
not authorized for use by [student1.stu].>
2019-06-03 14:50:45,678 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
trail record BEGIN
=============================================================
WHO: student1.stu
WHAT: [result=Service Access
Denied,service=https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=student1.stu,
attributes={udlAccountStatus=[Active],
supannAliasLogin=[student1.stu]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Mon Jun 03 14:50:45 CEST 2019
CLIENT IP ADDRESS: 134.206.4.15
SERVER IP ADDRESS: 194.254.129.15
=============================================================
Dont know if I have configured logs correctly because I dont see whats
happening when access is denied...
thanks for your time...
Debian,
Ray,
Thanks a lot for your response.
If it is neither 'blocked' nor 'waiting' access should be granted
Debian,
Debian,
To know what is happening in your code, add logging statements!!!
If you modify your code, you have to remember to un-modify it. Too easy to
forget a change and release to production.
I have not used groovy scripting in CAS. Can you write unit tests? This will
let you know that your logic is correct.
Logging and unit tests can both be permanent in your code base. Logging can be
adjusted at runtime (log4j2.xml) in case an unexpected behaviour shows up.
If you are going to test runtime behaviour (different redirects) you should
have need test users with appropriate attributes (at least 3 in your case). Or
modify one user at the attribute store.
Testing is important! Make sure you have all the parts you need.
As far as why the code is not working, is it possible that
getUnauthorizedRedirectUrl is called before
doPrincipalAttributesAllowServiceAccess? You can check this with logging (easy
way) or trace the method calls in CAS source (more challenging).
In getUnauthorizedRedirectUrl, there is no default case. What happens if it is
neither 'Blocked' nor 'Waiting'?
Ray
On Wed, 2019-05-29 at 01:37 -0700, Debian HNT wrote:
Hi Ray,
I'm trying to implement dynamic url redirect, here's my code :
import org.apereo.cas.services.*
import java.util.*
import java.net.URI
class GroovyRegisteredAccessStrategy extends
DefaultRegisteredServiceAccessStrategy {
final String accountStatus
@Override
boolean isServiceAccessAllowed() {
return true
}
@Override
boolean isServiceAccessAllowedForSso() {
return true
}
@Override
boolean doPrincipalAttributesAllowServiceAccess(String principal,
Map<String, Object> attribu$
if(attributes.get('udlAccountStatus').contains('Active')) {
this.accountStatus == 'Active'
return true
} else if (attributes.get('udlAccountStatus').contains('Waiting')) {
this.accountStatus == 'Waiting'
return false
} else if (attributes.get('udlAccountStatus').contains('Blocked')) {
this.accountStatus == 'Blocked'
return false
} else {
return false
}
}
@Override
java.net.URI getUnauthorizedRedirectUrl() {
if (this.accountStatus == 'Blocked') {
return new URI('https://cas-univ.com/blocked.html')
} else if (this.accountStatus == 'Waiting') {
return new URI('https://cas-univ.com/waiting.html')
}
}
}
For Active account it works, but when I try waiting or blocked account, my
access is denied (CAS message, no erros logs). I don't have a blocked/waiting
account so I set my code like this to try :
@Override
boolean doPrincipalAttributesAllowServiceAccess(String principal,
Map<String, Object> attribu$
if(attributes.get('udlAccountStatus').contains('Active')) {
this.accountStatus == 'Waiting'
return false
} else if (attributes.get('udlAccountStatus').contains('Waiting)) {
this.accountStatus == 'Waiting'
return false
} else if (attributes.get('udlAccountStatus').contains('Blocked')) {
this.accountStatus == 'Blocked'
return false
} else {
return false
}
}
@Override
java.net.URI getUnauthorizedRedirectUrl() {
if (this.accountStatus == 'Blocked') {
return new URI('https://cas-univ.com/blocked.html')
} else if (this.accountStatus == 'Waiting') {
return new URI('https://cas-univ.com/waiting.html')
}
}
}
any suggest? is my code correct?
Thanks in advance..
Hi Ray,
Thanks for your response and idea, I managed to make it work !
Best regards,
Debian,
'Principal' is what the logged in user is called. Think of it as a box
containing id, attributes, etc.
Ray
On Mon, 2019-05-27 at 04:31 -0700, Debian HNT wrote:
Hi Ray,
It is a message that CAS is displaying "Service access denied due to missing
privileges."
Here's the logs
2019-05-27 13:02:15,646 WARN
[org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] -
<Unauthorized service access for principal; CAS will be redirecting to
[https://castete.univ.com/aide/blocked.html]>
2019-05-27 13:02:53,173 WARN
[org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot grant
access to service [https://castete.univ.com/cas/status/dashboard] because it is
not authorized for use by [student.stu].>
2019-05-27 13:02:53,174 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Denied,service=<a
href="https://castete.univ.com/cas/sta.."; rel="nofollow" target="_blank"
onmousedown="this.href='https://www.google.com/url?q\x3dhttps%3A%2F%2Fcastete.univ.com%2Fcas%2Fsta.<https://www.google.com/url?q%5Cx3dhttps%3A%2F%2Fcastete.univ.com%2Fcas%2Fsta.>.\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFMrmnnfS23DGhW7lrC8IVAj736-A';return
true;" onclick="this.href='https://www.googl
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]<mailto:[email protected]>
I respectfully acknowledge that my place of work is located within the
ancestral, traditional and unceded territory of the Songhees, Esquimalt and
WSÁNEĆ Nations.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a31513bde777fb4758192be5639cea19134398e6.camel%40uvic.ca.
