Baron, Without looking at the code, this may be treated as an 'or'. That is, user does not have allow [ false ] but also does not have reject [ ! false ]. You may be able to use a groovy condition (described on the same page) or a custom solution, https://apereo.github.io/cas/7.0.x/services/Service-Access-Strategy-Custom.html
Could the same attribute used for allow and deny be an issue (unless those attribute name are examples). Ray On Fri, 2024-02-16 at 17:06 -1000, Baron Fujimoto wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. I'm trying to create a CAS service access strategy that achieves the following: - require an attribute to have a specific "allow" value and yet also - deny if an attribute as a specific "deny" value i.e., both conditions must be met for successful AuthN. I have been using the following documentation as a reference guide: <https://apereo.github.io/cas/7.0.x/services/Service-Access-Strategy-ABAC.html> I believe that documentation's section on rejected attributes provides an example that conceptually implements our desired outcome. I have been successful if I try to implement only one of the conditions. I.e., both of these work as expected: Required ABAC attribute value: "accessStrategy" : { "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy", "requiredAttributes" : { "@class" : "java.util.HashMap", "ABAC_Attribute" : [ "java.util.HashSet", [ "required_allow_value" ] ] }, } Deny if ABAC attribute value: "accessStrategy" : { "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy", "rejectedAttributes" : { "@class" : "java.util.HashMap", "ABAC_Attribute" : [ "java.util.HashSet", [ "rejected_deny_value" ] ] } } ABAC_Attribute in our case is a multivalued attribute that can take arbitrary values, including those used above. However, once they are combined as suggested based by the ABAC documentation's rejected attributes example as so: "accessStrategy" : { "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy", "requiredAttributes" : { "@class" : "java.util.HashMap", "ABAC_Attribute" : [ "java.util.HashSet", [ "required_allow_value" ] ] }, "rejectedAttributes" : { "@class" : "java.util.HashMap", "ABAC_Attribute" : [ "java.util.HashSet", [ "rejected_deny_value" ] ] } } Then CAS still lets the AuthN succeed even if ABAC_Attribute==required_allow_value is not satisfied. Does anyone know what I might be missing or misunderstanding here? How do I achieve our desired effect? -- Baron Fujimoto <ba...@hawaii.edu<mailto:ba...@hawaii.edu>> ::: UH Information Technology Services minutas cantorum, minutas balorum, minutas carboratum descendus pantorum -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/48c5b03588667afbae87b85335d1f46873a47a9a.camel%40uvic.ca.