Re: [cas-user] Restricting service access based on uid

2017-12-13 Thread Sebastien BEAUDLOT
You were right, the documentation shows a bad way to write multiple values. The
good way is: "user1", "user2", "user3"

I found the problem. uid needs to be explicitly defined in
cas.authn.ldap[0].principalAttributeList so it can be released and then used in
the service access strategy.

-- 
Sébastien BEAUDLOT 

Network, telephony and mobile fleet administrator

Direction Opérationnelle des Systèmes d'Information (DOSI)
Pôle Infrastructures
Université d'Avignon et des Pays de Vaucluse

Tel: 04.90.16.26.04
-- 


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2111099967.1432208.1513173673298.JavaMail.zimbra%40univ-avignon.fr.
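
The two causes found in this thread, as an added example (not code from the posters or from the CAS project): a Python check that flags a comma-joined value inside a requiredAttributes set and evaluates access for a principal, including one with no resolved attributes. The JSON fragments are constructed from the thread, the function names are hypothetical, and the exact-match rule is a simplified assumption about how the access strategy compares values.

```python
import json

# Constructed fragments modelled on the thread (not a complete CAS service file).
BROKEN = '''{"accessStrategy": {"requiredAttributes": {
  "@class": "java.util.HashMap",
  "uid": ["java.util.HashSet", ["user1, user2"]]}}}'''
FIXED = BROKEN.replace('"user1, user2"', '"user1", "user2"')


def required_attributes(service_json):
    """Return {attribute: set(values)} from the typed requiredAttributes map."""
    req = json.loads(service_json)["accessStrategy"]["requiredAttributes"]
    out = {}
    for name, typed in req.items():
        if name == "@class":          # type hint for the map itself, not an attribute
            continue
        _collection_class, values = typed   # ["java.util.HashSet", [ ... ]]
        out[name] = set(values)
    return out


def lint(required):
    """Flag values that look like a whole list packed into one string."""
    return [f"{name}: {value!r} is a single value containing a comma"
            for name, values in sorted(required.items())
            for value in sorted(values) if "," in value]


def is_authorized(required, principal_attrs):
    """Simplified model (assumption): each required attribute must be present on
    the principal and share at least one exact value with the allowed set."""
    for name, allowed in required.items():
        have = principal_attrs.get(name, [])
        have = {have} if isinstance(have, str) else set(have)
        if not (have & allowed):
            return False
    return True


if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("fixed", FIXED)):
        req = required_attributes(doc)
        print(label, lint(req),
              is_authorized(req, {"uid": ["user1"]}),  # uid resolved and released
              is_authorized(req, {}))                  # principal attributes are {}
```

With the fixed definition, access is still denied when the principal carries no attributes, which matches the `[{}]` shown in the debug log until uid is added to cas.authn.ldap[0].principalAttributeList.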


Re: [cas-user] Restricting service access based on uid

2017-12-13 Thread Sebastien BEAUDLOT
Seems it is actually a problem with attributes resolution : 

2017-12-13 10:56:45,286 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
2017-12-13 10:56:45,287 DEBUG [org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository] - <[DefaultPrincipalAttributesRepository] will return the collection of attributes directly associated with the principal object which are [{}]>
2017-12-13 10:56:45,289 DEBUG [org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository] - 



-- 
Sébastien BEAUDLOT 

Network, telephony and mobile fleet administrator

Direction Opérationnelle des Systèmes d'Information (DOSI)
Pôle Infrastructures
Université d'Avignon et des Pays de Vaucluse

Tel: 04.90.16.26.04
-- 



Re: [cas-user] Restricting service access based on uid

2017-12-13 Thread Sebastien BEAUDLOT
Hi, 

Syntax is based on the documentation example:
https://apereo.github.io/cas/5.1.x/installation/Configuring-Service-Access-Strategy.html (Enforce Attributes)


-- 
Sébastien BEAUDLOT 

Network, telephony and mobile fleet administrator

Direction Opérationnelle des Systèmes d'Information (DOSI)
Pôle Infrastructures
Université d'Avignon et des Pays de Vaucluse

Tel: 04.90.16.26.04
-- 




Re: [cas-user] Restricting service access based on uid

2017-12-13 Thread Uxío
Is that a suspicious population of a list with comma separated values in string 
containing an implicit list instead of with an explicit list of strings? Or is 
it really meant to be comma separated values in string?

Sent from my iPhone



[cas-user] Restricting service access based on uid

2017-12-13 Thread Sebastien BEAUDLOT
Hi,
I'm using LDAP with CAS 5.1.5 and want to try restricting access to a service
for some users.
What I did in the service definition:

"attributeReleasePolicy" : {
  "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
},
"accessStrategy" : {
  "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
  "enabled" : true,
  "ssoEnabled" : true,
  "requiredAttributes" : {
    "@class" : "java.util.HashMap",
    "uid" : [ "java.util.HashSet", [ "user1, user2" ] ]
  }
}

In cas.properties, I have

cas.authn.ldap[0].principalAttributeId=uid

and

cas.authn.attributeRepository.defaultAttributesToRelease=uid

but these users cannot access the service: Cannot grant access to service
[http://service.domain.tld/] because it is not authorized for use by [user1]

What am I missing?

Regards.

-- 
Sébastien BEAUDLOT 

Network, telephony and mobile fleet administrator

Direction Opérationnelle des Systèmes d'Information (DOSI)
Pôle Infrastructures
Université d'Avignon et des Pays de Vaucluse

Tel: 04.90.16.26.04
-- 
