I have a working CAS 5.3.3 system with multiple services (21 using the CAS
protocol, 1 using SAML2).
I am trying to get access strategy working with the SAML2 service. When I
log in with an authorised person, all is good. When I attempt a login
where someone is not allowed, I get the following:
org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction@6e4f8922 in state 'createTicketGrantingTicket' of flow 'login' -- action execution attributes were 'map[[empty]]'
    at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:62)
    at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
    at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
    at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
    at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101)
    at org.springframework.webflow.engine.State.enter(State.java:194)
Notes:
1. I have access strategy working fine with one of the CAS protocol
services.
2. The particular attribute I am using for access undergoes a
MutantRegexAttributeFilter, HOWEVER I have also tested it with a different
attribute (uidNumber) which gives the same issue.
3. Relevant Service JSON is:
{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  ...
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "attributeFilter": {
      "@class": "org.apereo.cas.services.support.RegisteredServiceMutantRegexAttributeFilter",
      "patterns": {
        "@class": "java.util.LinkedHashMap",
        "memberOf": "^cn=(.*),ou=samlservice,ou=ldapgroups,dc=example,dc=org$ -> $1"
      },
      "excludeUnmappedAttributes": false,
      "caseInsensitive": true,
      "completeMatch": false,
      "order": 0
    },
    "principalAttributesRepository": {
      "@class": "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
      "expiration": 2,
      "timeUnit": "HOURS"
    },
    "consentPolicy": {
      "@class": "org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy",
      "enabled": true
    },
    "authorizedToReleaseCredentialPassword": false,
    "authorizedToReleaseProxyGrantingTicket": false,
    "excludeDefaultAttributes": false,
    "authorizedToReleaseAuthenticationAttributes": true,
    "allowedAttributes": ["java.util.ArrayList", ["uidNumber", "displayName", "cn", "memberOf"]]
  },
  ...
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "order": 0,
    "enabled": true,
    "ssoEnabled": true,
    "delegatedAuthenticationPolicy": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy"
    },
    "requireAllAttributes": true,
    "requiredAttributes": {
      "@class": "java.util.LinkedHashMap",
      "memberOf": ["java.util.LinkedHashSet", ["login"]]
    },
    "caseInsensitive": false
  },
  ...
}
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3092f5a1-e3c2-484f-8732-ee14fad43e1b%40apereo.org.
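Added example, not part of the post above and not CAS code: a small Python simulation of the two rules in the posted service definition, the MutantRegexAttributeFilter pattern on memberOf and the accessStrategy requiredAttributes check, run against a constructed LDAP-style principal so you can see which value of memberOf the required value "login" can actually match. The principal values are made up, and the simulation does not settle the order in which CAS itself applies the filter and the access strategy.

```python
import re

# Rules copied from the posted service JSON (constructed simulation, not CAS code).
MUTANT_PATTERNS = {
    "memberOf": "^cn=(.*),ou=samlservice,ou=ldapgroups,dc=example,dc=org$ -> $1",
}
REQUIRED_ATTRIBUTES = {"memberOf": {"login"}}

# Constructed principal: memberOf carries full group DNs, as an LDAP source would return.
RAW_PRINCIPAL = {
    "uidNumber": ["1001"],
    "memberOf": [
        "CN=login,OU=samlservice,OU=ldapgroups,DC=example,DC=org",
        "cn=staff,ou=otherapp,ou=ldapgroups,dc=example,dc=org",
    ],
}


def mutate(attributes, patterns, case_insensitive=True, complete_match=False):
    """Apply 'regex -> replacement' rules; values that do not match are kept
    unchanged (an assumption of this simulation, not documented CAS behaviour)."""
    flags = re.IGNORECASE if case_insensitive else 0
    out = {}
    for name, values in attributes.items():
        rule = patterns.get(name)
        if rule is None:
            out[name] = list(values)
            continue
        regex, replacement = (p.strip() for p in rule.split("->", 1))
        replacement = re.sub(r"\$(\d+)", r"\\\1", replacement)  # Java $1 -> Python \1
        compiled = re.compile(regex, flags)
        rewritten = []
        for value in values:
            m = compiled.fullmatch(value) if complete_match else compiled.search(value)
            rewritten.append(m.expand(replacement) if m else value)
        out[name] = rewritten
    return out


def access_allowed(attributes, required, require_all=True, case_insensitive=False):
    """requiredAttributes semantics: each required attribute must carry one of its
    listed values; requireAllAttributes decides whether every attribute must hit."""
    norm = (lambda v: v.lower()) if case_insensitive else (lambda v: v)
    hits = [any(norm(w) in {norm(v) for v in attributes.get(name, [])} for w in wanted)
            for name, wanted in required.items()]
    return all(hits) if require_all else any(hits)


def evaluate(principal):
    """Return (allowed on raw attributes, allowed on filtered attributes)."""
    return (access_allowed(principal, REQUIRED_ATTRIBUTES),
            access_allowed(mutate(principal, MUTANT_PATTERNS), REQUIRED_ATTRIBUTES))
```

With the constructed principal, `evaluate(RAW_PRINCIPAL)` returns `(False, True)`: the bare value "login" exists only after the regex has reduced the DN to its cn, so which attribute view the access strategy sees decides the outcome.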