Hi there, I've just run into the very same issue. After a thorough investigation, I believe this is a *BUG introduced in CAS 6.1.0 and above*, namely by this commit: r48e753d05d55 <https://github.com/apereo/cas/commit/48e753d05d55f2b056b817e843608385d45ab555> "Fix issue with surrogate auth detection; and ensured policy is consulted on validation". Before this commit, the access checking method *ensurePrincipalAccessIsAllowedForService()* was called just when creating a service ticket, which could be probably enough. Because why to check user's access once at ticket creation and then at ticket validation again?
Anyway, even when we decide to do the check also within ticket validation for whatever reason (?), I think it should be at least consistent with the check done at ticket creation. But as one can see, the main method *DefaultCentralAuthenticationService.validateServiceTicket() *now *firstly filters user's attributes by a configured release policy, before passing them to the checking method*. This is why we get this validation error: the default release policy is *ReturnAllowedAttributeReleasePolicy *with an empty set of attributes to be released by default! => So the current *workaround *seems to be either to use another policy for a service (like *ReturnAllAttributeReleasePolicy*), or to explicitly name the attributes that we need to check also in the release policy. I guess this has actually helped the OP (and not the attributes caching). In short, the current CAS behavior goes against what Ray Bon writes above: "Two different steps, two different configurations. Attributes for access may be different from attributes the service needs/wants.". Anyone willing to check this? CC: Misagh Moayyed <https://github.com/mmoayyed>. On Friday, 4 December 2020 at 21:52:49 UTC+1 [email protected] wrote: > On a hunch, I tried turning on the attribute caching in the service entry > and it fixed the immediate issue. > > > > This still leaves me a little puzzled. The documentation implies that the > principal should have been cached with the length of the default SSO > session. > > > > Time to keep digging. > > > > > > *From:* [email protected] <[email protected]> *On Behalf Of *Ray Bon > *Sent:* Friday, December 4, 2020 4:51 PM > *To:* [email protected] > *Subject:* [EXTERNAL SENDER] Re: [cas-user] service access strategies and > required attributes > > > > Robert, > > > > Two different steps, two different configurations. Attributes for access > may be different from attributes the service needs/wants. > > See, https://apereo.github.io/cas/6.2.x/integration/Attribute-Release.html, > in particular, attribute release policy. > > > > Ray > > > > > > On Fri, 2020-12-04 at 18:07 +0000, King, Robert wrote: > > *Notice: This message was sent from outside the University of Victoria > email system. Please be cautious with links and sensitive information. * > > > > CAS 6.1 server > > LDAP authentication + built in principal resolution > > > > I am running into what I think is an inexperience issue with service > access strategies. I am attempting to use principal attributes to grant > access to a service. > > > > Service entry: > > > > { > > "@class" : "org.apereo.cas.services.RegexRegisteredService", > > "serviceId" : "^https://webappsqa.fqdn/castester/.*";, > > "name" : "cas test", > > "id" : 1, > > "accessStrategy" : { > > "@class" : > "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy", > > "enabled" : true, > > "ssoEnabled" : true, > > "requireAllAtrributes" : true, > > "requiredAttributes" : > > { > > "@class": "java.util.HashMap", > > "memberOf" : [ "java.util.HashSet", [ > "cn=cas_admin,ou=groups,dc=***,dc=***"] ], > > }, > > "rejectedAttributes" : > > { > > "@class": "java.util.LinkedHashMap" > > }, > > "caseInsensitive": false > > }, > > } > > > > When authenticating against the service I see the proper authentication > and service access enforcement. > > > > ============================================================= > > WHO: robk > > WHAT: Supplied credentials: [UsernamePasswordCredential(username=robk, > source=null, customFields={})] > > ACTION: AUTHENTICATION_SUCCESS > > APPLICATION: CAS > > WHEN: Fri Dec 04 13:12:51 NST 2020 > > CLIENT IP ADDRESS: ***.***.***.*** > > SERVER IP ADDRESS: ***.***.***.*** > > ============================================================= > > ============================================================= > > WHO: robk > > WHAT: [result=Service Access Granted,service= > https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk, > attributes={memberOf=[ > cn=cas_admin,ou=groups,dc=***,dc=***]}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=***,dc=***]}] > > ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED > > APPLICATION: CAS > > WHEN: Fri Dec 04 13:12:51 NST 2020 > > CLIENT IP ADDRESS: ***.***.***.*** > > SERVER IP ADDRESS: ***.***.***.*** > > ============================================================= > > ============================================================= > > WHO: robk > > WHAT: [result=Service Access Granted,service= > https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk, > attributes={memberOf=[ > cn=cas_admin,ou=groups,dc=***,dc=***]}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=***,dc=***]}] > > ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED > > APPLICATION: CAS > > WHEN: Fri Dec 04 13:12:51 NST 2020 > > CLIENT IP ADDRESS: ***.***.***.*** > > SERVER IP ADDRESS: ***.***.***.*** > > ============================================================= > > ============================================================= > > WHO: robk > > WHAT: TGT-2-*****3DWzf1qfRI-login-poc > > ACTION: TICKET_GRANTING_TICKET_CREATED > > APPLICATION: CAS > > WHEN: Fri Dec 04 13:12:51 NST 2020 > > CLIENT IP ADDRESS: ***.***.***.*** > > SERVER IP ADDRESS: ***.***.***.*** > > ============================================================= > > ============================================================= > > WHO: robk > > WHAT: [result=Service Access Granted,service= > https://webappsqa.fqdn/castester/.. > .,requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=mun,dc=ca]}] > > ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED > > APPLICATION: CAS > > WHEN: Fri Dec 04 13:12:51 NST 2020 > > CLIENT IP ADDRESS: ***.***.***.*** > > SERVER IP ADDRESS: ***.***.***.*** > > ============================================================= > > ============================================================= > > WHO: robk > > WHAT: ST-6-DCwJziCpUw2m9nnoyGtazuMcsdM-login-poc for > https://webappsqa.fqdn/castester/ > > ACTION: SERVICE_TICKET_CREATED > > APPLICATION: CAS > > WHEN: Fri Dec 04 13:12:51 NST 2020 > > CLIENT IP ADDRESS: ***.***.***.*** > > SERVER IP ADDRESS: ***.***.***.*** > > ============================================================= > > > > Then when the service attempts to validate the ST it seems to run into an > issue where the principal does not have any attribute data. I have > highlighted the audit with the empty principal that I believe is the cause > of the service ticket validation to fail. > > > > ============================================================= > > WHO: audit:unknown > > WHAT: [result=Service Access Denied,service= > https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk, > attributes={}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=***,dc=***]} > ] > > ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED > > APPLICATION: CAS > > WHEN: Fri Dec 04 13:12:51 NST 2020 > > CLIENT IP ADDRESS: ***.***.***.*** > > SERVER IP ADDRESS: ***.***.***.*** > > ============================================================= > > ============================================================= > > WHO: audit:unknown > > WHAT: ST-6-DCwJziCpUw2m9nnoyGtazuMcsdM-login-poc for > https://webappsqa.fqdn/castester/ > > ACTION: SERVICE_TICKET_VALIDATE_FAILED > > APPLICATION: CAS > > WHEN: Fri Dec 04 13:12:51 NST 2020 > > CLIENT IP ADDRESS: ***.***.***.*** > > SERVER IP ADDRESS: ***.***.***.*** > > ============================================================= > > > > I am unsure as to why the principal is empty for the service when it is > validating the ST? Any help as to what I am missing? > > > > > > -- > > Ray Bon > > Programmer Analyst > > Development Services, University Systems > > 2507218831 <(250)%20721-8831> | CLE 019 | [email protected] > > > > I respectfully acknowledge that my place of work is located within the > ancestral, traditional and unceded territory of the Songhees, Esquimalt and > WSÁNEĆ Nations. > > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/b0bddf1c004c8d4d1c8062e432a42c6fe4552633.camel%40uvic.ca > > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/b0bddf1c004c8d4d1c8062e432a42c6fe4552633.camel%40uvic.ca?utm_medium=email&utm_source=footer> > . > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/505667b6-5b6b-4236-8c45-9e2730055283n%40apereo.org.
