Ray, I'd like to thank you for all your answers, but I think I'll give up the groovy script if I have to modify the webflow, because as it says on the documentation, it's going to be complicated for future updates... Thank you again
Regards,
Debian

> If getUnauthorizedRedirectUrl is called before doPrincipal, that is CAS behaviour. It would be difficult to change.
> You can customize the spring web flow. If you do the attribute check before the webflow redirects to the unauthorized URL, you should have the attributes and could change the value of the URL. See https://apereo.github.io/cas/6.0.x/webflow/Webflow-Customization-Extensions.html
>
> Ray
>
> On Fri, 2019-06-07 at 01:29 -0700, Debian HNT wrote:
>
> Ray,
>
> I think I understood the problem. I put some logs to retrieve the state of accountStatus.
> At the 1st connection the function doPrincipal has "Blocked"
>
> Function 1 : Blocked //1st connection
>
> Function 2 : Blocked //2nd connection
> Function 1 : Blocked //2nd connection
>
> but at the 2nd connection the function getUnauthorizedRedirectUrl is executed before doPrincipal. So CAS doesn't have the attribute state of doPrincipal, so access is denied.
> Is it possible to retrieve the attribute in getUnauthorizedRedirectUrl ??
>
> I hope I've explained the problem well...
>
> Regards,
>
> Debian,
>
> The service entry looks fine. Make sure the id value is unique and make sure the evaluation order allows it to be accessed, https://apereo.github.io/cas/6.0.x/services/Service-Management.html
>
> The logs you provided do not have anything about not being able to access blocked.html
> What happens after the 'constructor arguments' log line?
>
> More logs are always better.
>
> It could be that your service registry is not being picked up. Is the cas-management app on the cas.univ.com host?
>
> You can see what services are being loaded:
>
> <!-- INFO Loaded [#] service(s) from [???ServiceRegistryDAO]
> DEBUG Adding registered service [service URL] -->
> <AsyncLogger name="org.apereo.cas.services.AbstractServicesManager" level="debug" />
>
> Ray
>
> On Thu, 2019-06-06 at 06:40 -0700, Debian HNT wrote:
>
> Ray,
>
> I think the problem comes from the registration of the url https://cas.univ.com/blocked.html to cas
> I tried to redirect to a registered service like the cas-management page and it worked.
>
> So I tried to register https://cas.univ.com/help/blocked.html like that
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^https://cas.univ.com/help(\\z|/.*)",
>   "name" : "blocked url",
>   "id" : 1559825188,
>   "description" : "Blocked URL"
> }
>
> but it doesn't work... here are the logs
>
> 2019-06-06 15:05:23,393 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot grant access to service [https://cas.univ.com/cas/status/dashboard] because it is not authorized for use by [student1.stu].>
> 2019-06-06 15:05:23,393 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: student1.stu
> WHAT: [result=Service Access Denied,service=https://cas.univ.com/cas/sta...,principal=SimplePrincipal(id=student1.stu, attributes={udlAccountStatus=[Active], supannAliasLogin=[student1.stu]}),requiredAttributes={}]
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Thu Jun 06 15:05:23 CEST 2019
> CLIENT IP ADDRESS:
> SERVER IP ADDRESS:
> =============================================================
>
> 2019-06-06 15:05:23,394 WARN [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - <Unauthorized service access for principal; CAS will be redirecting to [https://cas.univ.com/help/blocked.html]>
> 2019-06-06 15:05:24,423 DEBUG [org.apereo.cas.util.scripting.ScriptingUtils] - <Preparing constructor arguments [[]] for resource [file [/etc/cas/config/access-strategy.groovy]]>
>
> Is my registered service incorrectly configured?
>
> Regards,
>
> Set the logger to be more general:
>
> <AsyncLogger name="org.apereo.cas.services" level="debug"/>
>
> or better, set all of cas to log at debug:
> <AsyncLogger name="org.apereo.cas" level="debug"/>
>
> Try using logger.error.
> See https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html#groovy-script
>
> I am not sure about importing as I have not used groovy scripting.
>
> It is important that your code writes to the log to capture the sequence of method calls.
>
> Ray
>
> On Wed, 2019-06-05 at 12:22 -0700, Debian HNT wrote:
>
> This line doesn't work, do I have to import some package?
> log.error("doPrincipalAttributesAllowServiceAccess: " + attributes.get('udlAccountStatus'))
>
> So I wrote this to exit the state of accountStatus
>
> java.net.URI getUnauthorizedRedirectUrl() {
>     if (this.accountStatus == 'Blocked') {
>         File file = new File("/tmp/cas")
>         file.append(this.accountStatus)
>
> this debug returns nothing
>
> <AsyncLogger name="org.apereo.cas.services.GroovyRegisteredAccessStrategy" level="debug"/>
>
> I don't have access to the server atm, I'll send you the rest of the logs tomorrow
> Regards,
>
> Debian,
>
> Post all the relevant debug logs, ideally with logging from your code.
>
> Need to see what CAS and your code is thinking, _and_ when it is executing.
>
> Ray
>
> On Wed, 2019-06-05 at 06:00 -0700, Debian HNT wrote:
>
> Ray,
> There are two states
> 1st connection : "Service access denied due to missing privileges"
> 2nd connection : "Application Not Authorized to Use CAS" + message log "CAS will be redirecting to... https://blocke.html"
> I'm running out of ideas...
>
> Regards,
>
> Ray,
>
> waiting.html isn't protected by a CAS client..
> I tried to register it as a CAS service with the cas management app but it doesn't change anything.
>
> Network browser traffic displays error 401.
> It's weird, for the simple redirection it works, the url is well displayed, but for the dynamic redirection it doesn't. In the logs we can see that we will be redirected but in reality not
>
> Regards..
>
> Debian,
>
> Is waiting.html protected by a CAS client?
>
> The 'not authorized' message shows in CAS when an application redirects to CAS but is not in CAS services. Check your browser network traffic to see the redirects.
>
> Ray
>
> On Tue, 2019-06-04 at 02:58 -0700, Debian HNT wrote:
>
> Ray,
>
> UPDATE
>
> I wrote my own logs by redirecting to a file to see if this.accountStatus recovers the correct state
>
> like this
>
> java.net.URI getUnauthorizedRedirectUrl() {
>     if (this.accountStatus == 'Blocked') {
>         File file = new File("/tmp/cas")
>         file.append(this.accountStatus)
>
> So in my toto file I have the waiting status
> ====================================================
> GNU nano 2.7.4 File : /tmp/cas
>
> *Waiting*
>
> ====================================================
>
> When I'm trying to connect :
>
> 2019-06-04 11:42:20,415 WARN [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - <Unauthorized service access for principal; CAS will be redirecting to [https://cas-univ.com/waiting.html)]>
>
> So it sounds good but the page doesn't redirect to the url and displays "Application Not Authorized to Use CAS"
>
> any suggestion?
>
> Regards,
>
> Ray,
>
> These lines do not return anything in my logs...
> I thought my file wasn't up but it is, because the ldaptive debug is generated...
> I dunno what's happening
>
> regards,
>
> Debian,
>
> Add this to your log4j2.xml
> <AsyncLogger name="package.GroovyRegisteredAccessStrategy" level="debug"/>
>
> replacing 'package' with the package of your class.
>
> Add this as the first line of the doPrincipalAttributesAllowServiceAccess method:
> log.error("doPrincipalAttributesAllowServiceAccess: " + attributes.get('udlAccountStatus'))
>
> Log level does not have to be 'error', but this way it will definitely show in the logs and 'should be' the only ERROR listed.
> This way you will know when/if your method is called and the value of udlAccountStatus.
>
> Ray
>
> On Mon, 2019-06-03 at 06:00 -0700, Debian HNT wrote:
>
> Ray,
>
> In my log4j2.xml I have this
>
> <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>
> <AsyncLogger name="org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy" level="debug"/>
>
> When access is granted I have this in my logs
>
> 8430:2019-06-03 14:13:39,963 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Initiating attributes release phase for principal [student1.stu] accessing service [https://castete.univ.com/cas/status/dashboard] defined by registered service [^https://castete.univ.com/cas/status/dashboard(\z|/.*)]...>
> 8431:2019-06-03 14:13:39,972 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Locating principal attributes for [student1.stu]>
> 8432:2019-06-03 14:13:39,973 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Using principal attribute repository [DefaultPrincipalAttributesRepository()] to retrieve attributes>
> 8433:2019-06-03 14:13:39,974 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found principal attributes [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}] for [student1.stu]>
> 8434:2019-06-03 14:13:39,976 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Calling attribute policy [ReturnAllAttributeReleasePolicy] to process attributes for [student1.stu]>
> 8435:2019-06-03 14:13:39,977 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy [ReturnAllAttributeReleasePolicy] allows release of [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}] for [student1.stu]>
> 8436:2019-06-03 14:13:39,984 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attempting to merge policy attributes and default attributes>
> 8437:2019-06-03 14:13:39,984 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Checking default attribute policy attributes>
> 8438:2019-06-03 14:13:39,985 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving default attributes for release, if any>
> 8439:2019-06-03 14:13:39,988 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [[]]>
> 8440:2019-06-03 14:13:39,993 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are [{}]>
> 8441:2019-06-03 14:13:39,993 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding default attributes first to the released set of attributes>
> 8442:2019-06-03 14:13:39,994 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding policy attributes to the released set of attributes>
> 8443:2019-06-03 14:13:39,994 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Finalizing attributes release phase for principal [student1.stu] accessing service [https://castete.univ.com/cas/status/dashboard] defined by registered service [^https://castete.univ.com/cas/status/dashboard(\z|/.*)]...>
> 8444:2019-06-03 14:13:39,994 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}]>
>
> But when I try to test my waiting/blocked acc, access is denied.
> In my logs I just have ldaptive DEBUG
>
> 2019-06-03 14:50:45,673 INFO [org.ldaptive.auth.Authenticator] - <Authentication succeeded for dn: uid=82853,ou=accounts,dc=univ,dc=com>
> 2019-06-03 14:50:45,673 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate response=[org.ldaptive.auth.AuthenticationHandlerResponse@1390045036::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1074313305::config=[org.ldaptive.ConnectionConfig@1599162410::ldapUrl=ldap://ldap.univ.com, connectTimeout=PT5S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@1022689743::credentialConfig=null, trustManagers=null, hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@5afc0982, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=true, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@202489594::bindDn=uid=reverseproxy,ou=ldapusers,dc=univ,dc=com, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.DefaultConnectionStrategy@59d4b74a], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@156261501::metadata=[ldapUrl=ldap://ldap.univ.com, count=1], environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory, com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.protocol=ssl, com.sun.jndi.ldap.read.timeout=5000}, classLoader=null, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@1341079820::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@6a7e6832, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@390a5cde], result=true, resultCode=SUCCESS, message=null, controls=null] for dn=uid=82853,ou=accounts,dc=univ,dc=com with request=[org.ldaptive.auth.AuthenticationRequest@1020927553::user=[org.ldaptive.auth.User@86711528::identifier=student1.stu, context=null], returnAttributes=[udlAccountStatus, supannAliasLogin], controls=null]>
> 2019-06-03 14:50:45,675 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: student1.stu
> WHAT: Supplied credentials: [UsernamePasswordCredential(username=student1.stu)]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Mon Jun 03 14:50:45 CEST 2019
> CLIENT IP ADDRESS: 134.206.4.15
> SERVER IP ADDRESS: 194.254.129.15
> =============================================================
>
> 2019-06-03 14:50:45,677 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot grant access to service [https://castete.univ.com/cas/status/dashboard] because it is not authorized for use by [student1.stu].>
> 2019-06-03 14:50:45,678 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: student1.stu
> WHAT: [result=Service Access Denied,service=https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=student1.stu, attributes={udlAccountStatus=[Active], supannAliasLogin=[student1.stu]}),requiredAttributes={}]
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Mon Jun 03 14:50:45 CEST 2019
> CLIENT IP ADDRESS: 134.206.4.15
> SERVER IP ADDRESS: 194.254.129.15
> =============================================================
>
> Don't know if I have configured the logs correctly because I don't see what's happening when access is denied...
>
> thanks for your time...
>
> Debian,
>
> Ray,
>
> Thanks a lot for your response.
> If it is neither 'blocked' nor 'waiting' access should be granted
>
> Debian,
>
> Debian,
>
> To know what is happening in your code, add logging statements!!!
>
> If you modify your code, you have to remember to un-modify it. Too easy to forget a change and release to production.
>
> I have not used groovy scripting in CAS. Can you write unit tests? This will let you know that your logic is correct.
> Logging and unit tests can both be permanent in your code base. Logging can be adjusted at runtime (log4j2.xml) in case an unexpected behaviour shows up.
>
> If you are going to test runtime behaviour (different redirects) you should have test users with appropriate attributes (at least 3 in your case). Or modify one user at the attribute store.
>
> Testing is important! Make sure you have all the parts you need.
>
> As far as why the code is not working, is it possible that getUnauthorizedRedirectUrl is called before doPrincipalAttributesAllowServiceAccess? You can check this with logging (easy way) or trace the method calls in CAS source (more challenging).
>
> In getUnauthorizedRedirectUrl, there is no default case. What happens if it is neither 'Blocked' nor 'Waiting'?
>
> Ray
>
> On Wed, 2019-05-29 at 01:37 -0700, Debian HNT wrote:
>
> Hi Ray,
>
> I'm trying to implement dynamic url redirect, here's my code :
>
> import org.apereo.cas.services.*
> import java.util.*
> import java.net.URI
>
> class GroovyRegisteredAccessStrategy extends DefaultRegisteredServiceAccessStrategy {
>     final String accountStatus
>
>     @Override
>     boolean isServiceAccessAllowed() {
>         return true
>     }
>
>     @Override
>     boolean isServiceAccessAllowedForSso() {

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/7e0a9f35-fff9-42c8-b67e-7c6e268d66a4%40apereo.org.
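Ray's two points in the thread, that getUnauthorizedRedirectUrl has no default case and that every call should write to the log, applied to the udlAccountStatus check the thread is about. This is an added example, not the poster's script and not CAS or Apereo code. It assumes the CAS 6.0.x DefaultRegisteredServiceAccessStrategy base class named in the thread with the doPrincipalAttributesAllowServiceAccess(String, Map) and getUnauthorizedRedirectUrl() signatures of that release, and that SLF4J is on the classpath as it is in the CAS webapp (the explicit org.slf4j imports are what the poster's undefined `log` was missing). The help-page URLs are placeholders taken from the thread; denied.html is constructed for the default branch.

```groovy
import org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
import org.slf4j.Logger
import org.slf4j.LoggerFactory

// Added example, not the poster's script: an access strategy keyed on the
// udlAccountStatus attribute seen in the thread. Base class and method
// signatures are assumed to match CAS 6.0.x; URLs are placeholders.
class GroovyRegisteredAccessStrategy extends DefaultRegisteredServiceAccessStrategy {
    private static final Logger LOGGER = LoggerFactory.getLogger(GroovyRegisteredAccessStrategy)

    // Status value -> page the user is sent to when access is refused.
    static final Map<String, URI> REDIRECTS = [
        'Blocked': new URI('https://cas.univ.com/help/blocked.html'),
        'Waiting': new URI('https://cas.univ.com/help/waiting.html'),
    ]
    // The default case Ray asked about: an unknown or missing status is refused
    // and sent to a generic page (denied.html is a constructed placeholder).
    static final URI DEFAULT_REDIRECT = new URI('https://cas.univ.com/help/denied.html')

    // Status recorded by the last doPrincipalAttributesAllowServiceAccess call.
    // Null until that method has run, which is exactly the case the thread hit
    // when getUnauthorizedRedirectUrl ran first, so every reader must accept null.
    private volatile String accountStatus

    // Pure decision: only an Active account is let through. Deny by default.
    static boolean statusAllowsAccess(String status) {
        return status == 'Active'
    }

    // Pure mapping that always yields a URI, never null.
    static URI redirectFor(String status) {
        return REDIRECTS.getOrDefault(status, DEFAULT_REDIRECT)
    }

    // CAS hands attributes over as possibly multi-valued collections
    // (the logs show udlAccountStatus=[Active]); take the first value.
    static String firstValue(Map<String, Object> attrs, String name) {
        def v = attrs?.get(name)
        if (v instanceof Collection) {
            return v.isEmpty() ? null : v.iterator().next()?.toString()
        }
        return v?.toString()
    }

    @Override
    boolean doPrincipalAttributesAllowServiceAccess(String principal, Map<String, Object> principalAttributes) {
        accountStatus = firstValue(principalAttributes, 'udlAccountStatus')
        boolean allowed = statusAllowsAccess(accountStatus)
        // ERROR level on purpose, as Ray suggested, so the call order stands out
        // in the log4j2 output before any logger levels have been tuned.
        LOGGER.error('doPrincipalAttributesAllowServiceAccess: principal=[{}] udlAccountStatus=[{}] allowed=[{}]',
                principal, accountStatus, allowed)
        return allowed
    }

    @Override
    URI getUnauthorizedRedirectUrl() {
        URI target = redirectFor(accountStatus)
        LOGGER.error('getUnauthorizedRedirectUrl: udlAccountStatus=[{}] redirect=[{}]', accountStatus, target)
        return target
    }
}
```

The decision and the status-to-URL mapping are static methods with no CAS dependency, so a plain Groovy or JUnit test can assert statusAllowsAccess('Active'), !statusAllowsAccess(null) and redirectFor('Unknown') == DEFAULT_REDIRECT without a running server, which is the unit testing Ray asked about. On the second-connection ordering the poster observed, accountStatus is still null when getUnauthorizedRedirectUrl runs; the method then returns the default URL and its log line records that, so the ordering shows up in the logs instead of a null redirect. If CAS reuses one strategy instance for every request to the service, which the poster's design already assumes, that field holds whatever the most recent call stored for any user, so it is a debugging aid rather than a safe place to make the access decision; the decision itself is made on each call from the attributes passed in.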
