Baron,
There may be something in the fawnoos blog https://fawnoos.com/blog/
Ray
On Mon, 2023-07-03 at 15:48 -1000, Baron Fujimoto wrote:
When using Attribute Based Access Control (ABAC) in a service access strategy,
is there a way to conditionally specify the unauthorized URL to redirect to
depending on the failure to satisfy a particular attribute requirement?
The Unauthorized URL documentation suggests perhaps this could be done with a
dynamic URL via a Groovy script? But it's not really clear to me how, assuming
this is possible, you would actually do so in the script?
E.g., given something like:
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "name" : "Conditional_Unauthorized_URL",
  "serviceId" : "^https://example\\.edu",
  "description" : "Unauthorized URL depends on which ABAC condition fails",
  "id" : 20230703153748,
  "evaluationOrder" : 10,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "unauthorizedRedirectUrl" : "file:/etc/cas/config/unauthz-redirect-url.groovy",
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "attr_1" : [ "java.util.HashSet", [ "required_attr_1_val" ] ],
      "attr_2" : [ "java.util.HashSet", [ "required_attr_2_val" ] ]
    }
  }
}
If attr_1 is not required_attr_1_val then set unauthorizedRedirectUrl to
https://www.example.edu/unauthz-redirect_attr_1.html
If attr_2 is not required_attr_1_val then set unauthorizedRedirectUrl to
https://www.example.edu/unauthz-redirect_attr_2.html
If this can be done via the Groovy script, then presumably it would also allow
you to set the precedence of the required ABAC conditions in its logic.
Can anyone provide an example of this?
References:
- <https://apereo.github.io/cas/6.6.x/services/Service-Access-Strategy-ABAC.html#enforce-attributes>
- <https://apereo.github.io/cas/6.6.x/services/Service-Access-Strategy-URL.html#dynamic-urls>
We're using CAS 6.6.x
--
Baron Fujimoto <[email protected]> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/898c2926c7f32241ee59f723ee7903e69b764e5d.camel%40uvic.ca.
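One way to write the script the question asks about, added here as an example; it is not code from the thread or from the CAS project. It assumes the script argument order shown in the CAS 6.6 dynamic-URL documentation linked above (registeredService, authentication, requestContext, applicationContext, logger), the attribute names and page URLs from the service definition in the question, and a fallback URL that is made up for the example. The map order is the precedence: the first required attribute the principal fails to satisfy picks the redirect.

```groovy
import java.net.URI

/*
 * Dynamic unauthorizedRedirectUrl script for a CAS registered service.
 * Argument order follows the CAS 6.6 "Dynamic URLs" outline linked in the
 * question; check it against the docs for the CAS version actually deployed.
 */
URI run(final Object... args) {
    def registeredService = args[0]
    def authentication = args[1]
    def logger = args[4]

    // Precedence-ordered table (a Groovy map literal is a LinkedHashMap, so
    // insertion order is kept): the first unsatisfied attribute wins.
    // Attribute names and page URLs come from the service definition above.
    Map<String, String> redirectByAttribute = [
        'attr_1': 'https://www.example.edu/unauthz-redirect_attr_1.html',
        'attr_2': 'https://www.example.edu/unauthz-redirect_attr_2.html'
    ]
    // Fallback URL (constructed for this example) used when none of the
    // tracked attributes explains the denial.
    String fallback = 'https://www.example.edu/unauthz-redirect.html'

    // The access strategy's requiredAttributes map stays the source of truth
    // for what is required; this script only reports which requirement failed.
    Map<String, Set<String>> required = registeredService.accessStrategy.requiredAttributes
    // Principal attributes in CAS are multi-valued: Map<String, List<Object>>.
    Map<String, List<Object>> principalAttributes = authentication.principal.attributes

    for (String attribute : redirectByAttribute.keySet()) {
        Set<String> expected = required.get(attribute)
        if (expected == null) {
            continue   // not required by this service, so it cannot be the failure
        }
        List<Object> actual = principalAttributes.get(attribute) ?: []
        // Exact-match comparison is used here for clarity; CAS applies its own
        // matching when it makes the access decision, so this only needs to be
        // close enough to identify which requirement was not met. A missing
        // attribute yields an empty list and is treated as unsatisfied.
        boolean satisfied = actual.any { value -> expected.contains(value?.toString()) }
        if (!satisfied) {
            logger.info("Service [{}]: attribute [{}] not satisfied, redirecting to [{}]",
                registeredService.name, attribute, redirectByAttribute[attribute])
            return new URI(redirectByAttribute[attribute])
        }
    }
    logger.warn("Service [{}]: no tracked attribute failed, using fallback URL",
        registeredService.name)
    return new URI(fallback)
}
```

Two points worth keeping in mind when adapting this: the script only chooses where a denied user is sent, it does not change the allow/deny decision, which the access strategy still makes from requiredAttributes; and the redirect targets are a fixed table inside the script rather than anything taken from the request, so the dynamic URL cannot be turned into an open redirect.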