Debian,

If getUnauthorizedRedirectUrl is called before doPrincipal, that is CAS 
behaviour. It would be difficult to change.
You can customize the spring web flow. If you do the attribute check before the 
webflow redirects to the unauthorized URL, you should have the attributes and 
could change the value of the URL. See 
https://apereo.github.io/cas/6.0.x/webflow/Webflow-Customization-Extensions.html

Ray

On Fri, 2019-06-07 at 01:29 -0700, Debian HNT wrote:
Ray,

I think I understood the problem. I added some logs to retrieve the state of 
accountStatus.
At the 1st connection the function doPrincipal has "Blocked":

Function 1 : Blocked //1st connection

Function 2 : Blocked //2nd connection
Function 1 : Blocked //2nd connection

but at the 2nd connection the function getUnauthorizedRedirectUrl is executed 
before doPrincipal. So CAS doesn't have the attribute state from doPrincipal, so 
access is denied.
Is it possible to retrieve the attribute in getUnauthorizedRedirectUrl?

I hope I've explained the problem well...

Regards,

Debian,

The service entry looks fine. Make sure the id value is unique and make sure 
the evaluation order allows it to be accessed, 
https://apereo.github.io/cas/6.0.x/services/Service-Management.html

The logs you provided do not have anything about not being able to access 
blocked.html
What happens after the 'constructor arguments' log line?

More logs are always better.

It could be that your service registry is not being picked up. Is the 
cas-management app on the cas.univ.com host?

You can see what services are being loaded:

        <!-- INFO Loaded [#] service(s) from [???ServiceRegistryDAO]
             DEBUG Adding registered service [service URL] -->
        <AsyncLogger name="org.apereo.cas.services.AbstractServicesManager" level="debug" />

Ray
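The two checks Ray lists above (a unique id, and an evaluation order that lets the entry be reached) can be dry-run offline against the JSON service definitions. The script below is an added example and is not code from CAS or from this thread. It models two assumptions about CAS matching: a RegexRegisteredService matches when its serviceId regex finds a match in the requested URL (which is why the documented patterns are anchored with ^ ... (\z|/.*)), and candidates are consulted in ascending evaluationOrder, ties broken by name. Only the "blocked url" definition is taken from the thread (with an evaluationOrder added so the ordering is explicit); the "catch-all" and "cas-management" entries are constructed. Java's \z is rewritten to Python's \Z before matching.

```python
r"""Dry-run of CAS registered-service matching for a redirect target.

Added example; not code from CAS or from the thread. Assumptions modelled here:
a RegexRegisteredService matches when its serviceId regex *finds* a match in
the requested URL, and candidates are consulted in ascending evaluationOrder
(ties broken by name). Only "blocked url" is from the thread; the other two
definitions are constructed to show an id clash and a lower-ordered pattern
shadowing the intended one.
"""
import json
import re

REGISTRY_JSON = [
    # From the thread (evaluationOrder added so the ordering is explicit).
    r"""{
      "@class" : "org.apereo.cas.services.RegexRegisteredService",
      "serviceId" : "^https://cas.univ.com/help(\\z|/.*)",
      "name" : "blocked url",
      "id" : 1559825188,
      "description" : "Blocked URL",
      "evaluationOrder" : 10
    }""",
    # Constructed: broad pattern with a lower evaluationOrder, consulted first.
    r"""{
      "@class" : "org.apereo.cas.services.RegexRegisteredService",
      "serviceId" : "^https://cas.univ.com(\\z|/.*)",
      "name" : "catch-all",
      "id" : 1000,
      "evaluationOrder" : 1
    }""",
    # Constructed: reuses the id of "blocked url".
    r"""{
      "@class" : "org.apereo.cas.services.RegexRegisteredService",
      "serviceId" : "^https://cas-management\\.univ\\.com(\\z|/.*)",
      "name" : "cas-management",
      "id" : 1559825188,
      "evaluationOrder" : 20
    }""",
]


def java_regex_to_python(pattern):
    """Java's \z (absolute end of input) is spelled \Z in Python's re module."""
    return pattern.replace(r"\z", r"\Z")


def load_registry(docs):
    """Parse JSON definitions; return (services, set of ids used more than once)."""
    services = [json.loads(doc) for doc in docs]
    ids = [s["id"] for s in services]
    return services, {i for i in ids if ids.count(i) > 1}


def matching_services(services, url):
    """Names of services whose serviceId regex matches url, in evaluation order."""
    ordered = sorted(services, key=lambda s: (s.get("evaluationOrder", 0), s["name"]))
    return [s["name"] for s in ordered
            if re.search(java_regex_to_python(s["serviceId"]), url)]


def bare_dots(pattern):
    """Count '.' metacharacters that are neither escaped nor the '.' of '.*'."""
    return len(re.findall(r"(?<!\\)\.(?!\*)", pattern))


def report(url):
    """What CAS would select for url, what else matched, and any id clashes."""
    services, dupes = load_registry(REGISTRY_JSON)
    hits = matching_services(services, url)
    return {"url": url,
            "selected": hits[0] if hits else None,
            "also_matching": hits[1:],
            "duplicate_ids": sorted(dupes)}


if __name__ == "__main__":
    for u in ("https://cas.univ.com/help/blocked.html",
              "https://casXuniv.com/help/blocked.html"):
        print(report(u))
    print("bare dots:", bare_dots(r"^https://cas.univ.com/help(\z|/.*)"))
```

For the thread's URL the constructed catch-all wins because its evaluationOrder is lower, and the shared id is reported. bare_dots() flags the two unescaped dots in cas.univ.com: they let https://casXuniv.com/help/... match as well, so escape them (cas\\.univ\\.com in the JSON) when the pattern is meant as an allow-list of where CAS may send a ticket.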

On Thu, 2019-06-06 at 06:40 -0700, Debian HNT wrote:
Ray,

I think the problem comes from the registration of the URL 
https://cas.univ.com/blocked.html in CAS.
I tried to redirect to a registered service like the cas-management page and it 
worked.

So I tried to register https://cas.univ.com/help/blocked.html like this:

{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^https://cas.univ.com/help(\\z|/.*)",
"name" : "blocked url",
"id" : 1559825188,
"description" : "Blocked URL"
}

but it doesn't work... here are the logs:


2019-06-06 15:05:23,393 WARN 
[org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot grant 
access to service [https://cas.univ.com/cas/status/dashboard] because it is not 
authorized for use by [student1.stu].>
2019-06-06 15:05:23,393 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN
=============================================================
WHO: student1.stu
WHAT: [result=Service Access 
Denied,service=https://cas.univ.com/cas/sta...,principal=SimplePrincipal(id=student1.stu,
 attributes={udlAccountStatus=[Active], 
supannAliasLogin=[student1.stu]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Thu Jun 06 15:05:23 CEST 2019
CLIENT IP ADDRESS:
SERVER IP ADDRESS:
=============================================================

2019-06-06 15:05:23,394 WARN 
[org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - 
<Unauthorized service access for principal; CAS will be redirecting to 
[https://cas.univ.com/help/blocked.html]>
2019-06-06 15:05:24,423 DEBUG [org.apereo.cas.util.scripting.ScriptingUtils] - 
<Preparing constructor arguments [[]] for resource [file 
[/etc/cas/config/access-strategy.groovy]]>

Is my registered service incorrectly configured?

Regards,
Set the logger to be more general:

<AsyncLogger name="org.apereo.cas.services" level="debug"/>

or better, set all of cas to log at debug:
<AsyncLogger name="org.apereo.cas" level="debug"/>

Try using logger.error.
See 
https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html#groovy-script

I am not sure about importing as I have not used groovy scripting.

It is important that your code writes to the log to capture the sequence of 
method calls.

Ray

On Wed, 2019-06-05 at 12:22 -0700, Debian HNT wrote:
This line doesn't work; do I have to import some package?
log.error("doPrincipalAttributesAllowServiceAccess: " + 
attributes.get('udlAccountStatus'))


So I wrote this to write out the state of accountStatus:

   java.net.URI getUnauthorizedRedirectUrl() {
        if (this.accountStatus == 'Blocked') {
                File file = new File("/tmp/cas")   // crude trace: append the status seen here
                file.append(this.accountStatus)
                return new URI('https://cas-univ.com/blocked.html')
        }
        // ... Waiting branch and default as in the original class
   }

This debug logger returns nothing:

<AsyncLogger name="org.apereo.cas.services.GroovyRegisteredAccessStrategy" level="debug"/>

I don't have access to the server at the moment; I'll send you the rest of the logs tomorrow.
Regards,

Debian,

Post all the relevant debug logs, ideally with logging from your code.

Need to see what CAS and your code is thinking, _and_ when it is executing.

Ray

On Wed, 2019-06-05 at 06:00 -0700, Debian HNT wrote:
Ray,
There are two states:
1st connection: "Service access denied due to missing privileges"
2nd connection: "Application Not Authorized to Use CAS" + log message "CAS will 
be redirecting to... https://blocke.html"
I'm running out of ideas...

Regards,

Ray,

waiting.html isn't protected by a CAS client.
I tried to register it as a CAS service with the cas management app but it 
doesn't change anything.

The browser network traffic shows a 401 error.
It's weird: for the simple redirection it works and the URL is displayed 
correctly, but for the dynamic redirection it doesn't. In the logs we can see 
that we will be redirected, but in reality we are not.

Regards,


Debian,

Is waiting.html protected by a CAS client?

The 'not authorized' message shows in CAS when an application redirects to CAS 
but is not in CAS services. Check your browser network traffic to see the 
redirects.

Ray

On Tue, 2019-06-04 at 02:58 -0700, Debian HNT wrote:
Ray,

UPDATE

I wrote my own logs by writing to a file to see if this.accountStatus gets the 
correct state,

like this


   java.net.URI getUnauthorizedRedirectUrl() {
        if (this.accountStatus == 'Blocked') {
                File file = new File("/tmp/cas")   // crude trace: append the status seen here
                file.append(this.accountStatus)
                return new URI('https://cas-univ.com/blocked.html')
        }
        // ... Waiting branch and default as in the original class
   }

So in my toto file I have the Waiting status:
====================================================
  GNU nano 2.7.4                                  File : /tmp/cas

Waiting

====================================================

When I'm trying to connect:

2019-06-04 11:42:20,415 WARN 
[org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - 
<Unauthorized service access for principal; CAS will be redirecting to 
[https://cas-univ.com/waiting.html)]>
So it sounds good, but the page doesn't redirect to the URL and displays 
"Application Not Authorized to Use CAS".

any suggestion?

Regards,

Ray,

These lines do not return anything in my logs...
I thought my file wasn't loaded, but it is, because the ldaptive debug is generated...
I don't know what's happening.

regards,

Debian,

Add this to your log4j2.xml
<AsyncLogger name="package.GroovyRegisteredAccessStrategy" level="debug"/>

replacing 'package' with the package of your class.

Add this as the first line of doPrincipalAttributesAllowServiceAccess method:
log.error("doPrincipalAttributesAllowServiceAccess: " + 
attributes.get('udlAccountStatus'))

Log level does not have to be 'error', but this way it will definitely show in 
the logs and 'should be' the only ERROR listed.
This way you will know when/if your method is called and the value of 
udlAccountStatus.

Ray


On Mon, 2019-06-03 at 06:00 -0700, Debian HNT wrote:
Ray,

In my log4j2.xml I have this

        <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>
        <AsyncLogger name="org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy" level="debug"/>

When access is granted I have this in my logs

2019-06-03 14:13:39,963 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Initiating attributes release phase for principal [student1.stu] accessing service [https://castete.univ.com/cas/status/dashboard] defined by registered service [^https://castete.univ.com/cas/status/dashboard(\z|/.*)]...>
2019-06-03 14:13:39,972 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Locating principal attributes for [student1.stu]>
2019-06-03 14:13:39,973 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Using principal attribute repository [DefaultPrincipalAttributesRepository()] to retrieve attributes>
2019-06-03 14:13:39,974 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found principal attributes [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}] for [student1.stu]>
2019-06-03 14:13:39,976 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Calling attribute policy [ReturnAllAttributeReleasePolicy] to process attributes for [student1.stu]>
2019-06-03 14:13:39,977 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy [ReturnAllAttributeReleasePolicy] allows release of [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}] for [student1.stu]>
2019-06-03 14:13:39,984 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attempting to merge policy attributes and default attributes>
2019-06-03 14:13:39,984 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Checking default attribute policy attributes>
2019-06-03 14:13:39,985 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving default attributes for release, if any>
2019-06-03 14:13:39,988 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [[]]>
2019-06-03 14:13:39,993 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are [{}]>
2019-06-03 14:13:39,993 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding default attributes first to the released set of attributes>
2019-06-03 14:13:39,994 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding policy attributes to the released set of attributes>
2019-06-03 14:13:39,994 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Finalizing attributes release phase for principal [student1.stu] accessing service [https://castete.univ.com/cas/status/dashboard] defined by registered service [^https://castete.univ.com/cas/status/dashboard(\z|/.*)]...>
2019-06-03 14:13:39,994 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}]>




But when I try to test my waiting/blocked account, access is denied. In my logs I 
just have the ldaptive DEBUG:

2019-06-03 14:50:45,673 INFO [org.ldaptive.auth.Authenticator] - 
<Authentication succeeded for dn: uid=82853,ou=accounts,dc=univ,dc=com>
2019-06-03 14:50:45,673 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate 
response=[org.ldaptive.auth.AuthenticationHandlerResponse@1390045036::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1074313305::config=[org.ldaptive.ConnectionConfig@1599162410::ldapUrl=ldap://ldap.univ.com,
 connectTimeout=PT5S, responseTimeout=PT5S, 
sslConfig=[org.ldaptive.ssl.SslConfig@1022689743::credentialConfig=null, 
trustManagers=null, 
hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@5afc0982, 
hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, 
handshakeCompletedListeners=null], useSSL=true, useStartTLS=false, 
connectionInitializer=[org.ldaptive.BindConnectionInitializer@202489594::bindDn=uid=reverseproxy,ou=ldapusers,dc=univ,dc=com,
 bindSaslConfig=null, bindControls=null], 
connectionStrategy=org.ldaptive.DefaultConnectionStrategy@59d4b74a], 
providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@156261501::metadata=[ldapUrl=ldap://ldap.univ.com,
 count=1], 
environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory,
 com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, 
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, 
java.naming.security.protocol=ssl, com.sun.jndi.ldap.read.timeout=5000}, 
classLoader=null, 
providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@1341079820::operationExceptionResultCodes=[PROTOCOL_ERROR,
 SERVER_DOWN], properties={}, 
controlProcessor=org.ldaptive.provider.ControlProcessor@6a7e6832, 
environment=null, tracePackets=null, removeDnUrls=true, 
searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, 
PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, 
hostnameVerifier=null]], 
providerConnection=org.ldaptive.provider.jndi.JndiConnection@390a5cde], 
result=true, resultCode=SUCCESS, message=null, controls=null] for 
dn=uid=82853,ou=accounts,dc=univ,dc=com with 
request=[org.ldaptive.auth.AuthenticationRequest@1020927553::user=[org.ldaptive.auth.User@86711528::identifier=student1.stu,
 context=null], returnAttributes=[udlAccountStatus, supannAliasLogin], 
controls=null]>
2019-06-03 14:50:45,675 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN
=============================================================
WHO: student1.stu
WHAT: Supplied credentials: [UsernamePasswordCredential(username=student1.stu)]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Mon Jun 03 14:50:45 CEST 2019
CLIENT IP ADDRESS: 134.206.4.15
SERVER IP ADDRESS: 194.254.129.15
=============================================================

2019-06-03 14:50:45,677 WARN 
[org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot grant 
access to service [https://castete.univ.com/cas/status/dashboard] because it is 
not authorized for use by [student1.stu].>
2019-06-03 14:50:45,678 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN
=============================================================
WHO: student1.stu
WHAT: [result=Service Access 
Denied,service=https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=student1.stu,
 attributes={udlAccountStatus=[Active], 
supannAliasLogin=[student1.stu]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Mon Jun 03 14:50:45 CEST 2019
CLIENT IP ADDRESS: 134.206.4.15
SERVER IP ADDRESS: 194.254.129.15
=============================================================
I don't know if I have configured the logs correctly, because I don't see what's 
happening when access is denied...

thanks for your time...

Debian,


Ray,

Thanks a lot for your response.
If it is neither 'blocked' nor 'waiting' access should be granted

Debian,

Debian,

To know what is happening in your code, add logging statements!!!

If you modify your code, you have to remember to un-modify it. Too easy to 
forget a change and release to production.

I have not used groovy scripting in CAS. Can you write unit tests? This will 
let you know that your logic is correct.
Logging and unit tests can both be permanent in your code base. Logging can be 
adjusted at runtime (log4j2.xml) in case an unexpected behaviour shows up.

If you are going to test runtime behaviour (different redirects) you should have 
test users with appropriate attributes (at least 3 in your case), or modify one 
user in the attribute store.

Testing is important! Make sure you have all the parts you need.

As far as why the code is not working, is it possible that 
getUnauthorizedRedirectUrl is called before 
doPrincipalAttributesAllowServiceAccess? You can check this with logging (easy 
way) or trace the method calls in CAS source (more challenging).

In getUnauthorizedRedirectUrl, there is no default case. What happens if it is 
neither 'Blocked' nor 'Waiting'?

Ray

On Wed, 2019-05-29 at 01:37 -0700, Debian HNT wrote:
Hi Ray,

I'm trying to implement dynamic url redirect, here's my code :

import org.apereo.cas.services.*
import java.util.*
import java.net.URI

class GroovyRegisteredAccessStrategy extends DefaultRegisteredServiceAccessStrategy {
    // Not final: it is assigned from doPrincipalAttributesAllowServiceAccess below
    String accountStatus

    @Override
    boolean isServiceAccessAllowed() {
            return true
    }

    @Override
    boolean isServiceAccessAllowedForSso() {
            return true
    }

    @Override
    boolean doPrincipalAttributesAllowServiceAccess(String principal, Map<String, Object> attributes) {
         // Attribute values arrive as lists; ?. guards a missing udlAccountStatus
         def status = attributes.get('udlAccountStatus')
         if (status?.contains('Active')) {
                this.accountStatus = 'Active'     // single '=' assigns; '==' only compares
                return true
         } else if (status?.contains('Waiting')) {
                this.accountStatus = 'Waiting'
                return false
         } else if (status?.contains('Blocked')) {
                this.accountStatus = 'Blocked'
                return false
         } else {
                return false
         }
   }

   @Override
   java.net.URI getUnauthorizedRedirectUrl() {
        if (this.accountStatus == 'Blocked') {
                return new URI('https://cas-univ.com/blocked.html')
        } else if (this.accountStatus == 'Waiting') {
                return new URI('https://cas-univ.com/waiting.html')
        }
        // Default case: fall back to the URL configured on the service, if any
        return super.getUnauthorizedRedirectUrl()
   }
}

For an Active account it works, but when I try a Waiting or Blocked account, my 
access is denied (CAS message, no error logs). I don't have a blocked/waiting 
account, so I set up my code like this to try:

    @Override
    boolean doPrincipalAttributesAllowServiceAccess(String principal, Map<String, Object> attributes) {
         def status = attributes.get('udlAccountStatus')
         if (status?.contains('Active')) {
                this.accountStatus = 'Waiting'    // test hack: treat Active as Waiting
                return false
         } else if (status?.contains('Waiting')) {
                this.accountStatus = 'Waiting'
                return false
         } else if (status?.contains('Blocked')) {
                this.accountStatus = 'Blocked'
                return false
         } else {
                return false
         }
    }

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]<mailto:[email protected]>

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.
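Ray's request throughout the thread is for logs that show what CAS and the script were doing, and in what order. The script below is an added example, not code from CAS or from this thread. It parses the records the thread keeps coming back to (the RegisteredServiceAccessStrategyUtils WARN, the inspektr audit record it triggers with the principal's attributes, the redirect decision logged by AuthenticationExceptionHandlerAction, and the ScriptingUtils line showing when the Groovy strategy resource was prepared) and lines them up per denial so the sequence is visible. SAMPLE_LOG is constructed from the lines quoted in the thread, re-joined to one line per record as log4j2 writes them; the field names in the returned dicts are this example's own.

```python
r"""Correlate CAS access-denial records from a log excerpt.

Added example, not code from CAS or from this thread. It lines up, by timestamp,
the RegisteredServiceAccessStrategyUtils WARN, the inspektr audit record it
triggers (WHO / WHAT / ACTION, including the principal's attributes), the
redirect decision from AuthenticationExceptionHandlerAction, and the
ScriptingUtils line showing when the Groovy strategy resource was prepared.
SAMPLE_LOG is constructed from the lines quoted in the thread.
"""
import re

SAMPLE_LOG = """\
2019-06-06 15:05:23,393 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot grant access to service [https://cas.univ.com/cas/status/dashboard] because it is not authorized for use by [student1.stu].>
2019-06-06 15:05:23,393 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: student1.stu
WHAT: [result=Service Access Denied,service=https://cas.univ.com/cas/sta...,principal=SimplePrincipal(id=student1.stu, attributes={udlAccountStatus=[Active], supannAliasLogin=[student1.stu]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Thu Jun 06 15:05:23 CEST 2019
CLIENT IP ADDRESS:
SERVER IP ADDRESS:
=============================================================

>
2019-06-06 15:05:23,394 WARN [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - <Unauthorized service access for principal; CAS will be redirecting to [https://cas.univ.com/help/blocked.html]>
2019-06-06 15:05:24,423 DEBUG [org.apereo.cas.util.scripting.ScriptingUtils] - <Preparing constructor arguments [[]] for resource [file [/etc/cas/config/access-strategy.groovy]]>
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+) \[([^\]]+)\] - <(.*)$")
DENY_RE = re.compile(r"Cannot grant access to service \[([^\]]+)\] because it is not authorized for use by \[([^\]]+)\]")
REDIRECT_RE = re.compile(r"CAS will be redirecting to \[([^\]]+)\]")
SCRIPT_RE = re.compile(r"for resource \[file \[([^\]]+)\]\]")
PRINCIPAL_RE = re.compile(r"principal=SimplePrincipal\(id=([^,]+), attributes=\{(.*?)\}\)")
ATTR_RE = re.compile(r"(\w+)=\[([^\]]*)\]")


def classify(msg):
    """Map a one-line message to (kind, detail), or None if not of interest."""
    if m := DENY_RE.search(msg):
        return "deny", {"service": m.group(1), "principal": m.group(2)}
    if m := REDIRECT_RE.search(msg):
        return "redirect", {"url": m.group(1)}
    if m := SCRIPT_RE.search(msg):
        return "script", {"resource": m.group(1)}
    return None


def parse_audit(fields):
    """Pull WHO/ACTION and the principal's attributes out of an audit record."""
    detail = {"who": fields.get("WHO"), "action": fields.get("ACTION")}
    if m := PRINCIPAL_RE.search(fields.get("WHAT", "")):
        detail["attributes"] = {k: v.split(", ") for k, v in ATTR_RE.findall(m.group(2))}
    return detail


def parse_events(text):
    """Return (timestamp, kind, detail) tuples in log order."""
    events, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = LINE_RE.match(lines[i])
        i += 1
        if not m:
            continue                       # continuation lines, stray '>' etc.
        ts, _level, _logger, msg = m.groups()
        if "Audit trail record BEGIN" in msg:
            fields, rules = {}, 0          # key: value pairs between two '=====' rules
            while i < len(lines) and rules < 2:
                if lines[i].startswith("====="):
                    rules += 1
                elif ":" in lines[i]:
                    key, _, value = lines[i].partition(":")
                    fields[key.strip()] = value.strip()
                i += 1
            events.append((ts, "audit", parse_audit(fields)))
        elif hit := classify(msg):
            events.append((ts, hit[0], hit[1]))
    return events


def summarize(text):
    """Group events per denial: deny -> audit -> redirect -> script prepared."""
    denials = []
    for ts, kind, detail in parse_events(text):
        if kind == "deny":
            denials.append({"ts": ts, **detail, "attributes": {},
                            "redirect": None, "script_prepared_after_redirect": False})
        elif denials:
            cur = denials[-1]
            if kind == "audit" and detail["action"] == "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED":
                cur["attributes"] = detail.get("attributes", {})
            elif kind == "redirect":
                cur["redirect"] = detail["url"]
            elif kind == "script" and cur["redirect"] is not None:
                cur["script_prepared_after_redirect"] = True
    return denials


if __name__ == "__main__":
    for denial in summarize(SAMPLE_LOG):
        print(denial)
```

Run it against a real cas.log (read the file into summarize()) to get one dict per denial: the principal and the attributes CAS actually held at enforcement time, the service that was refused, the URL CAS decided to redirect to, and whether the Groovy resource was only prepared after that decision, which is the ordering question the thread is chasing.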

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7a7e3bad98d57ba148241f2a5c4599e4e0502967.camel%40uvic.ca.
