Re: [cas-user] CAS Shibboleth, check user attribute before granting acess

2022-01-27 Thread Carl Waldbieser
Pablo,

We have a config similar to this for a particular service:

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "https://service.example.net/login/saml2",
  "id": 1000,
  "evaluationOrder": 1000,
  "name": "DocuSign",
  "description": "An example service.",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes": [
      "java.util.ArrayList",
      [
        "eduPersonEntitlement"
      ]
    ],
    "attributeFilter": {
      "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
      "completeMatch": false,
      "excludeUnmappedAttributes": false,
      "order": 0,
      "patterns": {
        "@class": "java.util.HashMap",
        "eduPersonEntitlement": "^https://service.example.net/authorized$"
      }
    }
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "unauthorizedRedirectUrl": "https://cas.example.org/cas/html/403.html",
    "requiredAttributes": {
      "@class": "java.util.HashMap",
      "eduPersonEntitlement": [
        "java.util.HashSet",
        [
          "https://service.example.net/authorized"
        ]
      ]
    }
  },
  "logo": "https://cdn.lafayette.edu/images/logos/docusign-100x100.png",
  "properties": {
    "@class": "java.util.HashMap",
    "InformationURL": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values": [
        "java.util.HashSet",
        [
          "https://help.example.org/service-example-net"
        ]
      ]
    }
  }
}


The idea is to just redirect to an "Unauthorized" page if the principal
does not have the required entitlement for the service.  There are other
actions you can take as well, though you'd have to check the CAS docs to
see what those are.

Thanks,
Carl Waldbieser
ITS
Lafayette College

On Wed, Jan 26, 2022 at 10:35 PM Pablo Vidaurri wrote:

> Currently using standalone shib. I have a configuration in flow/intercept
> to check for a user attribute. If it is not a certain value, then we deny
> him access to the app he is trying to log into. Shib allows me to define the
> entity-id in the relying party to force this check, so I can decide which
> service needs this attribute set.
>
> Now, trying to use CAS-Shib. How can I do the same?
> 1) Check user attribute; if not value "X" then display a message that he
> needs to do something first.
> 2) Be able to define which SAML service needs this attribute set.
>
> Thanks.
> -psv
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/1c29502f-388f-4e2a-b99f-8eb5591dab48n%40apereo.org.
>

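To make the behaviour of the posted definition concrete, here is a small model of it, added here as an illustration and not code from CAS or from the poster: it strips the Jackson type hints CAS writes into its JSON service registry, evaluates the accessStrategy.requiredAttributes block against a principal's attributes, and applies the mapped-regex attributeFilter from the release policy. It assumes the default strategy semantics (every required attribute must be present with at least one value in the required set); the service JSON is a constructed, trimmed copy of the one in the post, and the principals are made up.

```python
import json, re
SERVICE_JSON = r'''{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "https://service.example.net/login/saml2",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes": ["java.util.ArrayList", ["eduPersonEntitlement"]],
    "attributeFilter": {
      "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
      "patterns": {"@class": "java.util.HashMap",
                   "eduPersonEntitlement": "^https://service.example.net/authorized$"}}},
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "unauthorizedRedirectUrl": "https://cas.example.org/cas/html/403.html",
    "requiredAttributes": {"@class": "java.util.HashMap",
      "eduPersonEntitlement": ["java.util.HashSet", ["https://service.example.net/authorized"]]}}
}'''
SERVICE = json.loads(SERVICE_JSON)  # constructed, trimmed copy of the definition posted above

def unwrap(value):
    """Strip the Jackson type hints CAS writes into registry JSON: ["java.util.HashSet", [...]] -> list, "@class" keys dropped."""
    if isinstance(value, list) and len(value) == 2 and str(value[0]).startswith("java."):
        return unwrap(value[1])
    if isinstance(value, dict):
        return {k: unwrap(v) for k, v in value.items() if k != "@class"}
    if isinstance(value, list):
        return [unwrap(v) for v in value]
    return value

def access_decision(service, principal):
    """Model of accessStrategy.requiredAttributes. Assumption: every required attribute must be
    present on the principal with at least one value in the required set (default strategy)."""
    strategy = unwrap(service["accessStrategy"])
    for name, wanted in strategy.get("requiredAttributes", {}).items():
        if not set(principal.get(name, [])) & set(wanted):
            return False, strategy.get("unauthorizedRedirectUrl")  # where CAS would send the user
    return True, None

def released_attributes(service, principal):
    """Apply allowedAttributes plus the mapped-regex attributeFilter: only matching values are released."""
    policy = unwrap(service["attributeReleasePolicy"])
    patterns = policy.get("attributeFilter", {}).get("patterns", {})
    released = {}
    for name in policy.get("allowedAttributes", []):
        pattern = patterns.get(name, "")  # no pattern for this attribute: every value passes
        values = [v for v in principal.get(name, []) if re.search(pattern, v)]
        if values:
            released[name] = values
    return released
```

A principal carrying only unrelated entitlements is redirected to the 403 page and, even if release were reached, the filter would release nothing for that attribute.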


Re: [cas-user] Overlay and custom webflow

2022-01-27 Thread spfma . tech
Hi,

Thank you very much for your answer, it will help me to find my way! But is the SomethingWebflowConfigurer supposed to be usable per se, just to check everything is taken into account? I am still not able to compile it because of these missing symbols errors. Is there something else to add in the "build.gradle" or somewhere else?

Regards

On 27-Jan-2022 04:35:35 +0100, psvidau...@gmail.com wrote:
I struggled with the same. With help from this community, going thru some cas code, and reading thru springboot docs I was finally able to get thru it. I'll try to summarize.

There is a default login webflow already defined for you. What I did was let the default flow execute but then intercepted the last transition from REAL_SUBMIT -> TicketGrantingTicket. So now the flow looks like DEFAULT_WEBFLOW->REAL_SUBMIT->MY_CUSTOM_WEBFLOW->TICKET_GRANTING_TICKET. My custom webflow consists of a dozen or so actions.

1) First you need to define a Configurer class, see cas doc SomethingWebflowConfigurer as an example. The main point is hooking your webflow with something like:

createTransitionForState(realsubmit, CasWebflowConstants.STATE_ID_SUCCESS, , true);

Then create your new action and handle each transition your action is capable of returning:

val newActionState = createActionState(flow, , ); //step1Action is the name of your action class Step1Action that you have autowired
createTransitionForState(newActionState, CasWebflowConstants.STATE_ID_SUCCESS, );
createTransitionForState(newActionState, "error", ); //step2Action is the name of your action class Step2Action that you have autowired
createTransitionForState(newActionState, CasWebflowConstants.STATE_ID_SUCCESS, CasWebflowConstants.STATE_ID_CREATE_TICKET_GRANTING_TICKET);

4) Next, you'll need to tell spring about your configuration. Create a spring.factories file inside src/main/resources/META-INF. Include a reference to your configurer class:

org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
org.apereo.cas.config.Step1Configurer,\
org.apereo.cas.config.Step2Configurer

Good luck, hope this provides some useful insight. -psv
On Wednesday, January 26, 2022 at 10:50:55 AM UTC-6 spfma...@e.mail.fr wrote:
Hi,

I am trying to replace an old CAS 3.5, and having been far from this product during all these years, things have changed a lot!

After some trials and errors, I was able to clone the overlay repo, extract the fragments I needed to customize and build the WAR. Then I managed to add the required dependencies to get a working LDAP auth source (unfortunately without pooling) and a JSON services registry, and build a more complete WAR.

But now I am facing a problem I cannot solve: the old CAS had some customized webflow and some Java code to provide dynamic authentication depending on a list of network addresses (either direct LDAP or SPNEGO). I guess adapting this part will be something, but right now I am struggling at the very first step!

Wanting to give a try to this example:
https://apereo.github.io/cas/6.4.x/webflow/Webflow-Customization-Extensions.html

I am not able to compile "SomethingConfiguration" and I get the following errors:
/opt/cas/src/main/java/org/example/something/SomethingConfiguration.java:5: error: cannot find symbol
public class SomethingConfiguration implements CasWebflowExecutionPlanConfigurer {
^
symbol: class CasWebflowExecutionPlanConfigurer
/opt/cas/src/main/java/org/example/something/SomethingConfiguration.java:3: error: cannot find symbol
@Configuration("somethingConfiguration")
^
symbol: class Configuration
/opt/cas/src/main/java/org/example/something/SomethingConfiguration.java:4: error: cannot find symbol
@EnableConfigurationProperties(CasConfigurationProperties.class)
^
symbol: class EnableConfigurationProperties
/opt/cas/src/main/java/org/example/something/SomethingConfiguration.java:8: error: cannot find symbol
private CasConfigurationProperties casProperties;
^
symbol: class CasConfigurationProperties
location: class SomethingConfiguration
/opt/cas/src/main/java/org/example/something/SomethingConfiguration.java:12: error: cannot find symbol
private FlowDefinitionRegistry loginFlowDefinitionRegistry;
^
symbol: class FlowDefinitionRegistry
location: class SomethingConfiguration
/opt/cas/src/main/java/org/example/something/SomethingConfiguration.java:15: error: cannot find symbol
private ApplicationContext applicationContext;
^
symbol: class ApplicationContext
location: class SomethingConfiguration
/opt/cas/src/main/java/org/example/something/SomethingConfiguration.java:18: error: cannot find symbol
private FlowBuilderServices flowBuilderServices;
^
symbol: class FlowBuilderServices
location: class SomethingConfiguration
/opt/cas/src/main/java/org/example/something/SomethingConfiguration.java:22: error: cannot find symbol
public CasWebflowConfigurer somethingWebflowConfigurer() {
^
symbol: class CasWebflowConfigurer