Thanks! :)

On Friday, February 9, 2018 at 11:57:07 AM UTC-5, Dmitriy Kopylenko wrote:
>
> I’m not sure that’s possible. 
>
> One other option would be for you to implement Inspektr’s audit log at 
> that audit point and contribute back to CAS project :-)
>
> D. 
>
> On Fri, Feb 9, 2018 at 11:38 AM -0500, "crdaudt" <[email protected]> wrote:
>
>> Thanks for the quick response Dmitriy.
>>
>> As a workaround, might it be possible for me to replace the following:
>> "unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/",
>> ...with something like the following:
>> "unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/?service=junktest.com&username=%sAMAccountName%",
>> ...where %sAMAccountName% could be a variable replaced with the username 
>> of the user who is denied access?
>> If there is a way for me to grab and use the value of the username, the 
>> tomcat access log would capture the denied attempt for me.
>>
>> Carl
>>
>> On Friday, February 9, 2018 at 10:06:44 AM UTC-5, Dmitriy Kopylenko wrote:
>>>
>>> The short answer is - there is currently no audit trail advice weaved at 
>>> the audit point you are after.
>>>
>>> Best,
>>> D.
>>>
>>>
>>> From: crdaudt <[email protected]>
>>> Reply: [email protected] <[email protected]>
>>> Date: February 9, 2018 at 10:00:18 AM
>>> To: CAS Community <[email protected]>
>>> Subject:  Re: [cas-user] how do I capture audit log trail for 
>>> unauthorized users who are denied access to a service in an accessStrategy 
>>> configuration of one of my JSON files? 
>>>
>>> Yes, the configuration is there in log4j2 but the audit log is only 
>>> providing entries for users who are authorized, not for those who are 
>>> denied access.
>>> I am attaching an annotated copy of my cas_audit.log, and also copies of 
>>> my service's JSON file and log4j2.xml file.
>>>
>>> My goals:
>>>
>>>    - To log attempts of a user to gain a service ticket, both when:
>>>       - the user is authorized (and therefore successful) and,
>>>       - unauthorized (and therefore denied access).
>>>    - To keep the log verbosity reasonably trim (I do not want to set 
>>>    debug for the entire log)
>>>    
>>>
>>> On Thursday, February 8, 2018 at 4:35:22 PM UTC-5, rbon wrote: 
>>>>
>>>> Carl,
>>>>
>>>> This already should be in log4j2:
>>>>
>>>>         <!-- Log audit to all root appenders, and also to audit log (additivity is not false) -->
>>>>         <AsyncLogger name="org.apereo.inspektr.audit.support" level="info" includeLocation="true">
>>>>             <AppenderRef ref="casAudit"/>
>>>>             <AppenderRef ref="syslog"/>
>>>>         </AsyncLogger>
>>>>
>>>> Ray 
>>>>
>>>> On Thu, 2018-02-08 at 13:06 -0800, crdaudt wrote:
>>>>
>>>> For one of my services, I have the following accessStrategy defined in 
>>>> my JSON file:
>>>>
>>>> ---begin---
>>>>   "accessStrategy" :
>>>>   {
>>>>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>>>>     "enabled" : true,
>>>>     "unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/",
>>>>     "requireAllAttributes" : false,
>>>>     "ssoEnabled" : true,
>>>>     "requiredAttributes" :
>>>>     {
>>>>       "@class" : "java.util.HashMap",
>>>>       "memberOf" : [ "java.util.HashSet", [
>>>>         "CN=some_cn,OU=some_subgroup,OU=some_group,DC=my_subdomain,DC=my_domain,DC=edu",
>>>>         "CN=some_other_cn,OU=some_subgroup,OU=some_group,DC=my_subdomain,DC=mydomain,DC=edu"
>>>>       ] ]
>>>>     }
>>>>   }
>>>> ---end---
>>>>
>>>> This works nicely to redirect unauthorized users who do not belong to 
>>>> either of the memberOf AD groups.  However, the default log settings in 
>>>> log4j2.xml do not provide any indication that an unauthorized user 
>>>> attempted to obtain a service ticket.
>>>>
>>>> How can I set up my CAS (v5.2.2) instance to log failed attempts by 
>>>> unauthorized users to obtain a service ticket?
>>>>
>>>> Carl
>>>>
>>>> --  
>>>> Ray Bon
>>>> Programmer analyst
>>>> Development Services, University Systems
>>>> 2507218831 | CLE 019 | [email protected]
>>>>
>>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google 
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to [email protected].
>>> To view this discussion on the web visit 
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/4b2b2c3f-34c2-4c8a-acf3-8bc5a9a34e98%40apereo.org
>>>  
>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/4b2b2c3f-34c2-4c8a-acf3-8bc5a9a34e98%40apereo.org?utm_medium=email&utm_source=footer>
>>> .
>>>
>
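
Added example, not part of the original thread and not CAS project code: the thread leaves the denied redirect without a username, but hits on the unauthorizedRedirectUrl path in the Tomcat access log can still be listed and tied back to the preceding login request from the same client. It assumes Tomcat's common access log pattern, CAS deployed under /cas, both paths served by the same Tomcat, and a 30-second correlation window; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Assumed Tomcat "common" access log pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+')
DENIED_PATH = "/cas_nowayjose/"   # path of the unauthorizedRedirectUrl quoted in the thread
LOGIN_PATH = "/cas/login"         # assumed CAS context path
WINDOW = timedelta(seconds=30)    # assumed max gap between login request and redirect landing

def denied_attempts(lines):
    """Return [(timestamp, client_ip, service_or_None)] for each hit on the denied page."""
    last_login = {}   # client IP -> (time, service) of its latest login request
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed pattern
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(m["url"])
        if url.path == LOGIN_PATH:
            service = parse_qs(url.query).get("service", [None])[0]
            if service:
                last_login[m["ip"]] = (ts, service)
        elif url.path == DENIED_PATH and m["method"] == "GET":
            seen = last_login.get(m["ip"])
            # Correlating by client IP is a heuristic: users sharing one NAT address can be mixed up.
            service = seen[1] if seen and ts - seen[0] <= WINDOW else None
            events.append((ts.isoformat(), m["ip"], service))
    return events

# Constructed sample lines, not taken from a real server.
SAMPLE = [
    '192.0.2.10 - - [09/Feb/2018:11:40:01 -0500] "GET /cas/login?service=https%3A%2F%2Fapp.example.edu%2F HTTP/1.1" 200 7120',
    '192.0.2.10 - - [09/Feb/2018:11:40:09 -0500] "POST /cas/login?service=https%3A%2F%2Fapp.example.edu%2F HTTP/1.1" 302 -',
    '192.0.2.10 - - [09/Feb/2018:11:40:09 -0500] "GET /cas_nowayjose/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Feb/2018:11:52:30 -0500] "GET /cas_nowayjose/ HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for event in denied_attempts(SAMPLE):
        print(*event)
```

The second sample hit has no login request in the window, so its service is reported as None; the username stays unknown in every case, which is the gap the thread describes.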
