Thanks for the pointer. I did find this fairly old Fawnoos article <https://fawnoos.com/2018/04/23/cas-access-strategy-url-redirects/>, but it seems to describe a strategy that is perhaps even more low level than the Groovy script suggested in the more current documentation.
One aspect I have found a little frustrating is just knowing what is available to work with in such a script. The Unauthorized URL doc mentions that the following parameters are provided to the script: registeredService, requestContext, applicationContext, and logger but I'm not sure where I can find more information about those objects themselves. Do we need to consult more generic Spring Webflow docs for the methods available to requestContext and applicationContext, and whether they would contain the desired info re the specific requiredAttributes conditions that were not met?

On Tue, Jul 4, 2023 at 6:56 AM Ray Bon <[email protected]> wrote:

> Baron,
>
> There may be something in the fawnoos blog https://fawnoos.com/blog/
>
> Ray
>
> On Mon, 2023-07-03 at 15:48 -1000, Baron Fujimoto wrote:
>
> When using Attribute Based Access Control (ABAC) in a service access
> strategy, is there a way to conditionally specify the unauthorized URL to
> redirect to depending on the failure to satisfy a particular attribute
> requirement?
>
> The Unauthorized URL documentation suggests perhaps this could be done
> with a dynamic URL via a Groovy script? But it's not really clear to me
> how, assuming this is possible, you would actually do so in the script?
>
> E.g., given something like:
>
> {
>   "@class" : "org.apereo.cas.services.CasRegisteredService",
>   "name" : "Conditional_Unauthorized_URL",
>   "serviceId" : "^https://example\\.edu",
>   "description" : "Unauthorized URL depends on which ABAC condition fails",
>   "id" : 20230703153748,
>   "evaluationOrder" : 10,
>   "accessStrategy" : {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "unauthorizedRedirectUrl" : "file:/etc/cas/config/unauthz-redirect-url.groovy",
>     "requiredAttributes" : {
>       "@class" : "java.util.HashMap",
>       "attr_1" : [ "java.util.HashSet", [ "required_attr_1_val" ] ],
>       "attr_2" : [ "java.util.HashSet", [ "required_attr_2_val" ] ],
>     }
>   }
> }
>
> If attr_1 is not required_attr_1_val then set unauthorizedRedirectUrl to
> https://www.example.edu/unauthz-redirect_attr_1.html
> If attr_2 is not required_attr_1_val then set unauthorizedRedirectUrl to
> https://www.example.edu/unauthz-redirect_attr_2.html
>
> If this can be done via the Groovy script, then presumably it would also
> allow you to set the precedence of the required ABAC conditions in its
> logic.
>
> Can anyone provide an example of this?
>
> References:
> - <https://apereo.github.io/cas/6.6.x/services/Service-Access-Strategy-ABAC.html#enforce-attributes>
> - <https://apereo.github.io/cas/6.6.x/services/Service-Access-Strategy-URL.html#dynamic-urls>
>
> We're using CAS 6.6.x
>
> --
> Baron Fujimoto <[email protected]> ::: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/898c2926c7f32241ee59f723ee7903e69b764e5d.camel%40uvic.ca.

--
Baron Fujimoto <[email protected]> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
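
The conditional redirect asked about in this thread, sketched as an added example; it is not from either poster or from the CAS documentation. It picks the page for the first unmet required attribute in a fixed precedence order and only ever returns URLs hard-coded in the script. Assumptions: the script arguments arrive positionally in the order the thread lists them, `WebUtils.getAuthentication(requestContext)` yields the authentication at this point in the flow, the script returns a `URI`, required values are compared as exact strings, and the fallback URL is a placeholder.

```groovy
import org.apereo.cas.web.support.WebUtils

// Returns the redirect for the first required attribute, in the precedence
// order of `redirects`, that the principal fails to satisfy; else `fallback`.
// Simplification: values are compared as exact strings, not as patterns.
String firstUnmetRedirect(Map required, Map principalAttrs, Map redirects, String fallback) {
    for (entry in redirects) {
        def wanted = required?.get(entry.key)
        if (!wanted) {
            continue // attribute is not enforced by this service
        }
        // Accept either a single value or a collection of values.
        def actual = [principalAttrs?.get(entry.key) ?: []].flatten().collect { it.toString() }
        if (actual.disjoint(wanted.collect { it.toString() })) {
            return entry.value
        }
    }
    return fallback
}

def run(final Object... args) {
    // Assumption: arguments arrive in the order the documentation lists them.
    def registeredService = args[0]
    def requestContext = args[1]
    def logger = args[3]

    // Fixed, precedence-ordered targets (URLs from the question). Nothing from
    // the request feeds the redirect, so it cannot become an open redirect.
    def redirects = [
        attr_1: 'https://www.example.edu/unauthz-redirect_attr_1.html',
        attr_2: 'https://www.example.edu/unauthz-redirect_attr_2.html'
    ]
    // Placeholder fallback page, not from the thread.
    def fallback = 'https://www.example.edu/unauthz.html'

    // Assumption: the authentication is reachable from the webflow context here.
    def authentication = WebUtils.getAuthentication(requestContext)
    def attrs = authentication?.principal?.attributes ?: [:]
    def required = registeredService.accessStrategy.requiredAttributes

    def url = firstUnmetRedirect(required, attrs, redirects, fallback)
    logger.info('Unauthorized redirect for service [{}] is [{}]', registeredService.name, url)
    return new URI(url)
}
```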
