CAS 6.1 server
LDAP authentication + built in principal resolution
I am running into what I think is an inexperience issue with service access
strategies. I am attempting to use principal attributes to grant access to a
service.
Service entry:
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^https://webappsqa.fqdn/castester/.*";,
"name" : "cas test",
"id" : 1,
"accessStrategy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"enabled" : true,
"ssoEnabled" : true,
"requireAllAtrributes" : true,
"requiredAttributes" :
{
"@class": "java.util.HashMap",
"memberOf" : [ "java.util.HashSet", [
"cn=cas_admin,ou=groups,dc=***,dc=***"] ],
},
"rejectedAttributes" :
{
"@class": "java.util.LinkedHashMap"
},
"caseInsensitive": false
},
}
When authenticating against the service I see the proper authentication and
service access enforcement.
=============================================================
WHO: robk
WHAT: Supplied credentials: [UsernamePasswordCredential(username=robk,
source=null, customFields={})]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=============================================================
=============================================================
WHO: robk
WHAT: [result=Service Access
Granted,service=https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk,
attributes={memberOf=[
cn=cas_admin,ou=groups,dc=***,dc=***]}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=***,dc=***]}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=============================================================
=============================================================
WHO: robk
WHAT: [result=Service Access
Granted,service=https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk,
attributes={memberOf=[
cn=cas_admin,ou=groups,dc=***,dc=***]}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=***,dc=***]}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=============================================================
=============================================================
WHO: robk
WHAT: TGT-2-*****3DWzf1qfRI-login-poc
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=============================================================
=============================================================
WHO: robk
WHAT: [result=Service Access
Granted,service=https://webappsqa.fqdn/castester/...,requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=mun,dc=ca]}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=============================================================
=============================================================
WHO: robk
WHAT: ST-6-DCwJziCpUw2m9nnoyGtazuMcsdM-login-poc for
https://webappsqa.fqdn/castester/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=============================================================
Then when the service attempts to validate the ST it seems to run into an issue
where the principal does not have any attribute data. I have highlighted the
audit with the empty principal that I believe is the cause of the service
ticket validation to fail.
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access
Denied,service=https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk,
attributes={}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=***,dc=***]}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=============================================================
=============================================================
WHO: audit:unknown
WHAT: ST-6-DCwJziCpUw2m9nnoyGtazuMcsdM-login-poc for
https://webappsqa.fqdn/castester/
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=============================================================
I am unsure as to why the principal is empty for the service when it is
validating the ST? Any help as to what I am missing?
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4f1049b0d08c4ffe9a35fd1aa7a7f6be%40mun.ca.
