Ray,
These lines do not return anything in my logs...
I thought my file wasn't up, but it is, because the ldaptive debug is
generated...
I dunno what's happening
Regards,
Debian,
>
> Add this to your log4j2.xml
> <AsyncLogger name="package.GroovyRegisteredAccessStrategy" level="debug"/>
>
> replacing 'package' with the package of your class.
>
> Add this as the first line of doPrincipalAttributesAllowServiceAccess
> method:
> log.error("doPrincipalAttributesAllowServiceAccess: " +
> attributes.get('udlAccountStatus'))
>
> Log level does not have to be 'error', but this way it will definitely
> show in the logs and 'should be' the only ERROR listed.
> This way you will know when/if your method is called and the value of
> udlAccountStatus.
>
> Ray
>
>
> On Mon, 2019-06-03 at 06:00 -0700, Debian HNT wrote:
>
> Ray,
>
> In my log4j2.xml I have this
>
> <AsyncLogger
> name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy"
>
> level="debug"/>
> <AsyncLogger
> name="org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy"
> level="debug"/>
>
> When access is granted I have this in my logs
>
> 8430:2019-06-03 14:13:39,963 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Initiating attributes release phase for principal [student1.stu] accessing
> service [https://castete.univ.com/cas/status/dashboard] defined by
> registered service [^https://castete.univ.com/cas/status/dashboard
> (\z|/.*)]...>
> 8431:2019-06-03 14:13:39,972 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Locating principal attributes for [student1.stu]>
> 8432:2019-06-03 14:13:39,973 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Using principal attribute repository
> [DefaultPrincipalAttributesRepository()] to retrieve attributes>
> 8433:2019-06-03 14:13:39,974 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Found principal attributes [{supannAliasLogin=[student1.stu],
> udlAccountStatus=[Active]}] for [student1.stu]>
> 8434:2019-06-03 14:13:39,976 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Calling attribute policy [ReturnAllAttributeReleasePolicy] to process
> attributes for [student1.stu]>
> 8435:2019-06-03 14:13:39,977 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Attribute policy [ReturnAllAttributeReleasePolicy] allows release of
> [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}] for
> [student1.stu>
> 8436:2019-06-03 14:13:39,984 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Attempting to merge policy attributes and default attributes>
> 8437:2019-06-03 14:13:39,984 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Checking default attribute policy attributes>
> 8438:2019-06-03 14:13:39,985 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Located application context. Retrieving default attributes for release, if
> any>
> 8439:2019-06-03 14:13:39,988 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Default attributes for release are: [[]]>
> 8440:2019-06-03 14:13:39,993 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Default attributes found to be released are [{}]>
> 8441:2019-06-03 14:13:39,993 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Adding default attributes first to the released set of attributes>
> 8442:2019-06-03 14:13:39,994 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Adding policy attributes to the released set of attributes>
> 8443:2019-06-03 14:13:39,994 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Finalizing attributes release phase for principal [student1.stu] accessing
> service [https://castete.univ.com/cas/status/dashboard] defined by
> registered service [^https://castete.univ.com/cas/status/dashboard
> (\z|/.*)]...>
> 8444:2019-06-03 14:13:39,994 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Final collection of attributes allowed are:
> [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}]>
>
>
> But when I try to test my waiting/blocked acc access is denied. In my logs
> I just have ldaptive DEBUG
>
> 2019-06-03 14:50:45,673 INFO [org.ldaptive.auth.Authenticator] -
> <Authentication succeeded for dn: uid=82853,ou=accounts,dc=univ,dc=com>
> 2019-06-03 14:50:45,673 DEBUG [org.ldaptive.auth.Authenticator] -
> <authenticate
> response=[org.ldaptive.auth.AuthenticationHandlerResponse@1390045036::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1074313305::config=[org.ldaptive.ConnectionConfig@1599162410::ldapUrl=ldap://
> ldap.univ.com, connectTimeout=PT5S, responseTimeout=PT5S,
> sslConfig=[org.ldaptive.ssl.SslConfig@1022689743::credentialConfig=null,
> trustManagers=null,
> hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@5afc0982,
> hostnameVerifierConfig=null, enabledCipherSuites=null,
> enabledProtocols=null, handshakeCompletedListeners=null], useSSL=true,
> useStartTLS=false,
> connectionInitializer=[org.ldaptive.BindConnectionInitializer@202489594::bindDn=uid=reverseproxy,ou=ldapusers,dc=univ,dc=com,
>
> bindSaslConfig=null, bindControls=null],
> connectionStrategy=org.ldaptive.DefaultConnectionStrategy@59d4b74a],
> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@156261501::metadata=[ldapUrl=ldap://
> ldap.univ.com, count=1],
> environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory,
>
> com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3,
> java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
> java.naming.security.protocol=ssl, com.sun.jndi.ldap.read.timeout=5000},
> classLoader=null,
> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@1341079820::operationExceptionResultCodes=[PROTOCOL_ERROR,
>
> SERVER_DOWN], properties={},
> controlProcessor=org.ldaptive.provider.ControlProcessor@6a7e6832,
> environment=null, tracePackets=null, removeDnUrls=true,
> searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED,
> PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null,
> hostnameVerifier=null]],
> providerConnection=org.ldaptive.provider.jndi.JndiConnection@390a5cde],
> result=true, resultCode=SUCCESS, message=null, controls=null] for
> dn=uid=82853,ou=accounts,dc=univ,dc=com with
> request=[org.ldaptive.auth.AuthenticationRequest@1020927553::user=[org.ldaptive.auth.User@86711528::identifier=student1.stu,
>
> context=null], returnAttributes=[udlAccountStatus, supannAliasLogin],
> controls=null]>
> 2019-06-03 14:50:45,675 INFO
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
> trail record BEGIN
> =============================================================
> WHO: student1.stu
> WHAT: Supplied credentials:
> [UsernamePasswordCredential(username=student1.stu)]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Mon Jun 03 14:50:45 CEST 2019
> CLIENT IP ADDRESS: 134.206.4.15
> SERVER IP ADDRESS: 194.254.129.15
> =============================================================
>
> >
> 2019-06-03 14:50:45,677 WARN
> [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot
> grant access to service [https://castete.univ.com/cas/status/dashboard]
> because it is not authorized for use by [student1.stu].>
> 2019-06-03 14:50:45,678 INFO
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
> trail record BEGIN
> =============================================================
> WHO: student1.stu
> WHAT: [result=Service Access Denied,service=
> https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=student1.stu,
>
> attributes={udlAccountStatus=[Active],
> supannAliasLogin=[student1.stu]}),requiredAttributes={}]
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Mon Jun 03 14:50:45 CEST 2019
> CLIENT IP ADDRESS: 134.206.4.15
> SERVER IP ADDRESS: 194.254.129.15
> =============================================================
> Don't know if I have configured logs correctly because I don't see what's
> happening when access is denied...
>
> thanks for your time...
>
> Debian,
>
>
> Ray,
>
> Thanks a lot for your response.
> If it is neither 'blocked' nor 'waiting' access should be granted
>
> Debian,
>
> Debian,
>
> To know what is happening in your code, add logging statements!!!
>
> If you modify your code, you have to remember to un-modify it. Too easy to
> forget a change and release to production.
>
> I have not used groovy scripting in CAS. Can you write unit tests? This
> will let you know that your logic is correct.
> Logging and unit tests can both be permanent in your code base. Logging
> can be adjusted at runtime (log4j2.xml) in case an unexpected behaviour
> shows up.
>
> If you are going to test runtime behaviour (different redirects) you should
> have test users with appropriate attributes (at least 3 in your
> case). Or modify one user at the attribute store.
>
> Testing is important! Make sure you have all the parts you need.
>
> As far as why the code is not working, is it possible that
> getUnauthorizedRedirectUrl is called before
> doPrincipalAttributesAllowServiceAccess? You can check this with logging
> (easy way) or trace the method calls in CAS source (more challenging).
>
> In getUnauthorizedRedirectUrl, there is no default case. What happens if
> it is neither 'Blocked' nor 'Waiting'?
>
> Ray
>
> On Wed, 2019-05-29 at 01:37 -0700, Debian HNT wrote:
>
> Hi Ray,
>
> I'm trying to implement dynamic url redirect, here's my code :
>
> import org.apereo.cas.services.*
> import java.util.*
> import java.net.URI
>
> class GroovyRegisteredAccessStrategy extends
> DefaultRegisteredServiceAccessStrategy {
> final String accountStatus
>
> @Override
> boolean isServiceAccessAllowed() {
> return true
> }
>
> @Override
> boolean isServiceAccessAllowedForSso() {
> return true
> }
>
> @Override
> boolean doPrincipalAttributesAllowServiceAccess(String principal,
> Map<String, Object> attribu$
> if(attributes.get('udlAccountStatus').contains('Active')) {
> this.accountStatus == 'Active'
> return true
> } else if
> (attributes.get('udlAccountStatus').contains('Waiting')) {
> this.accountStatus == 'Waiting'
> return false
> } else if
> (attributes.get('udlAccountStatus').contains('Blocked')) {
> this.accountStatus == 'Blocked'
> return false
>
> } else {
> return false
> }
> }
>
> @Override
> java.net.URI getUnauthorizedRedirectUrl() {
> if (this.accountStatus == 'Blocked') {
> return new URI('https://cas-univ.com/blocked.html')
> } else if (this.accountStatus == 'Waiting') {
> return new URI('https://cas-univ.com/waiting.html')
> }
> }
> }
>
> For Active account it works, but when I try waiting or blocked account, my
> access is denied (CAS message, no error logs). I don't have a
> blocked/waiting account so I set my code like this to try :
>
> @Override
> boolean doPrincipalAttributesAllowServiceAccess(String principal,
> Map<String, Object> attribu$
> if(attributes.get('udlAccountStatus').contains('Active')) {
> this.accountStatus == 'Waiting'
> return false
> } else if (attributes.get('udlAccountStatus').contains('Waiting))
> {
> this.accountStatus == 'Waiting'
> return false
> } else if
> (attributes.get('udlAccountStatus').contains('Blocked')) {
> this.accountStatus == 'Blocked'
> return false
>
> } else {
> return false
> }
> }
> @Override
> java.net.URI getUnauthorizedRedirectUrl() {
> if (this.accountStatus == 'Blocked') {
> return new URI('https://cas-univ.com/blocked.html')
> } else if (this.accountStatus == 'Waiting') {
> return new URI('https://cas-univ.com/waiting.html')
> }
> }
> }
>
> Any suggestions? Is my code correct?
>
>
> Thanks in advance..
>
>
> Hi Ray,
>
> Thanks for your response and idea, I managed to make it work !
>
> Best regards,
>
> Debian,
>
> 'Principal' is what the logged in user is called. Think of it as a box
> containing id, attributes, etc.
>
> Ray
>
> On Mon, 2019-05-27 at 04:31 -0700, Debian HNT wrote:
>
>
> Hi Ray,
>
> It is a message that CAS is displaying "Service access denied due to
> missing privileges."
>
>
> Here's the logs
>
> 2019-05-27 13:02:15,646 WARN
> [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] -
> <Unauthorized service access for principal; CAS will be redirecting to [
> https://castete.univ.com/aide/blocked.html]>
> 2019-05-27 13:02:53,173 WARN
> [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot
> grant access to service [https://castete.univ.com/cas/status/dashboard]
> because it is not authorized for use by [student.stu].>
> 2019-05-27 13:02:53,174 INFO
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
> trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: [result=Service Access Denied,service=
> https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=
> student.stu, attributes={udlAccountStatus=[Active], supannAliasLogin=
> [student.stu]}),requiredAttributes={}]
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Mon May 27 13:02:53 CEST 2019
>
> I feel like the code doesn't work because my student.stu has his
> udlAccountStatus to Active so I should access to the service?
> Can you explain me the "String principal"? not sure if I understand
> correctly...
>
> thanks for your time,
>
> Debian,
>
> When you say 'access is denied', is that a message that CAS is displaying
> or is that your service (admusers.properties sounds like your service)?
>
> Check CAS logs to see what is happening (you may need to add logging to
> your custom code).
>
> Ray
>
> On Fri, 2019-05-24 at 00:01 -0700, Debian HNT wrote:
>
> Hello Ray,
>
> Thanks for your answer, the conf seems to be ok, I can access to the log
> in page of the service but when I try to connect with my ID, the access is
> denied.
> Before using groovy script I was able to access the service... I've
> checked my admusers.properties and my account is set to ROLE_ADMIN
>
> The boolean isServiceAccessAllowed is "return true"
>
> class GroovyRegisteredAccessStrategy extends
> DefaultRegisteredServiceAccessStrategy {
> @Override
> boolean isServiceAccessAllowed() {
> return true
> }
>
> Thanks in advance
>
> Debian,
>
> Skip the for loop. If you know the attribute key, check it directly (sorry
> about the use of map in my previous example):
>
> if ('Active' == attributes.get('udlAccountStatus'))
>
>
> Also, from a programming perspective, entrySet returns a
> Set<Map.Entry<String, Object>>.
>
> Ray
>
> On Thu, 2019-05-23 at 06:59 -0700, Debian HNT wrote:
>
> Ray,
>
> Excuse me for the inconvenience but I still have errors...
>
> I've tried your syntax
>
> import org.apereo.cas.services.*
> import java.util.*
>
> class GroovyRegisteredAccessStrategy extends
> DefaultRegisteredServiceAccessStrategy {
> @Override
> boolean isServiceAccessAllowed() {
> return true
> }
>
> @Override
> boolean isServiceAccessAllowedForSso() {
> return true
> }
>
> @Override
> boolean doPrincipalAttributesAllowServiceAccess(String principal,
> Map<String, Object> attributes) {
> for (Map.Entry<String, Object> entry : attributes.entrySet()){
> if ('Active' == map.get('udlAccountStatus')) {return true}
> else
> {return false}
> }
> }
>
> }
>
> I have this error
> 2019-05-23 15:46:04,201 WARN
> [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
>
> - <No such property: map for class: GroovyRegisteredAccessStrategy>
> groovy.lang.MissingPropertyException: No such property: map for class:
> GroovyRegisteredAccessStrategy
>
> I've tried this
> @Override
> boolean doPrincipalAttributesAllowServiceAccess(String principal,
> Map<String, Object> attributes) {
> for (Map.Entry<String, Object> entry : attributes.entrySet()){
> if ('Active' == entry.getKey('udlAccountStatus')) {return
> true}
> else
> {return false}
> }
> }
>
> }
> but I have this error
> 2019-05-23 15:38:52,086 WARN
> [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
>
> - <No signature of method: java.util.LinkedHashMap$Entry.getKey() is
> applicable for argument types: (java.lang.String) values: [udlAccountStatus]
> Possible solutions: getKey(), getAt(java.lang.String), notify(), grep(),
> every(), every(groovy.lang.Closure)>
>
> When I try to use the Possible solutions with getKey()
> @Override
> boolean doPrincipalAttributesAllowServiceAccess(String principal,
> Map<String, Object> attributes) {
> for (Map.Entry<String, Object> entry : attributes.entrySet()){
> if ('Active' == getKey('udlAccountStatus')) {return true}
> else
> {return false}
> }
> }
>
> }
> I have this error
>
> 2019-05-23 15:45:03,124 WARN
> [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
>
> - <No signature of method: GroovyRegisteredAccessStrategy.getKey() is
> applicable for argument types: (java.lang.String) values: [udlAccountStatus]
> Possible solutions: getAt(java.lang.String), notify(), getOrder(), grep(),
> every(), every(groovy.lang.Closure)>
>
>
> any suggestions?
>
> Thanks in advance...
>
> Debian,
>
> I should have looked closer at your method logic.
> From the method name I suspect that method checks an attribute to
> determine service access. This is what you originally proposed 'attribute =
> Active'.
>
> You will need to know what attributes you have. You can add logging to the
> method or increase logging in general:
>
> <!-- DEBUG Found principal attributes [...] for [username]
> Attribute policy [???] allows release of [...] for
> [username]
> Final collection of attributes allowed are: [...] -->
> <AsyncLogger
> name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy"
>
> level="debug"/>
>
> I also have this in my logging config:
>
> <!-- DEBUG Skipping access strategy policy - when no attributes
> rules are defined
> These required attributes [...] are examined against
> [...] before service can proceed - when attributes are defined -->
> <AsyncLogger
> name="org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy"
> level="warn"/>
>
> Because CAS can perform the access / deny part of your requirements.
> Service configuration can set an attribute and a value that a user must
> have to allow access.
> Since you are trying to modify the redirect URL (you have a third option),
> you might have to modify the web flow.
>
> In general, for your method you will have a check like this
>
> if ('Active' == map.get('attribute')) {return true}
>
> Ray
>
> On Wed, 2019-05-22 at 00:49 -0700, Debian HNT wrote:
>
> Ray,
> Thanks for your answer!
>
> I've changed the variable to attributes but it doesn't repair the issue.
> I don't understand how to set principal to my attribute : account and how
> to configure the map to active/blocked/waiting?
> I'm not sure if I clearly understand the function...
>
> Thank you in advance...
>
>
> Debian,
>
> In doPrincipal..., you are using a variable called 'map' but the variable
> is 'attributes'.
>
> Ray
>
> On Tue, 2019-05-21 at 02:22 -0700, Debian HNT wrote:
>
> Hello guys,
>
> I'm still trying to configure a groovy script for access strategy but I
> have some errors
>
> Here's my access-strategy.groovy
>
>
> import org.apereo.cas.services.*
> import java.util.*
>
> class GroovyRegisteredAccessStrategy extends
> DefaultRegisteredServiceAccessStrategy {
> @Override
> boolean isServiceAccessAllowed() {
> return true
> }
>
> @Override
> boolean isServiceAccessAllowedForSso() {
> return true
> }
>
> @Override
> boolean doPrincipalAttributesAllowServiceAccess(String principal,
> Map<String, Object> attributes) {
> for (Map.Entry<String, Object> entry : map.entrySet()){
> if (entry.getKey().equals(principal)){
> return true
> }
> }
> return false
> }
> }
>
> @Override
> java.net.URI getUnauthorizedRedirectUrl(){
> return "https://blocked-acc.html"
>
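
Added example, not part of the thread and not CAS project code: Ray's advice to unit-test the script logic, applied to the status check discussed above. It is plain Groovy with no CAS classes; `AccountStatusPolicy`, `Holder`, their method names and the `NotActive` sample value are hypothetical, while the attribute name, status values and URLs are those quoted in the thread.

```groovy
// Added example: runs with plain `groovy`, no CAS classes on the classpath.
// AccountStatusPolicy and its methods are hypothetical names; the attribute,
// status values and redirect URLs are the ones quoted in the thread.
class AccountStatusPolicy {
    static final String ATTRIBUTE = 'udlAccountStatus'
    static final Map<String, URI> REDIRECTS = [
        Blocked: new URI('https://cas-univ.com/blocked.html'),
        Waiting: new URI('https://cas-univ.com/waiting.html')
    ].asImmutable()

    // Reduce the attribute to exactly one status string, or null when it is
    // missing or multi-valued. The logs show udlAccountStatus=[Active], i.e. a
    // collection, so a plain 'Active' == value comparison would be false.
    static String statusOf(Map<String, Object> attributes) {
        def raw = attributes?.get(ATTRIBUTE)
        Collection values = raw instanceof Collection ? raw : (raw == null ? [] : [raw])
        return values.size() == 1 ? values.first().toString() : null
    }

    // Fail closed: only an exact 'Active' grants access.
    static boolean allows(Map<String, Object> attributes) {
        return statusOf(attributes) == 'Active'
    }

    // Explicit default: null (no custom redirect) for any other status.
    static URI redirectFor(Map<String, Object> attributes) {
        return REDIRECTS.get(statusOf(attributes))
    }
}

// Constructed inputs, shaped like the attribute maps in the quoted logs.
assert AccountStatusPolicy.allows([udlAccountStatus: ['Active']])
assert AccountStatusPolicy.allows([udlAccountStatus: 'Active'])
assert !AccountStatusPolicy.allows([udlAccountStatus: ['Waiting']])
assert !AccountStatusPolicy.allows([:])                       // attribute missing
assert !AccountStatusPolicy.allows([udlAccountStatus: 'NotActive'])
assert 'NotActive'.contains('Active')   // why contains() on a String is too loose
assert AccountStatusPolicy.redirectFor([udlAccountStatus: ['Blocked']]).path == '/blocked.html'
assert AccountStatusPolicy.redirectFor([udlAccountStatus: ['Waiting']]).path == '/waiting.html'
assert AccountStatusPolicy.redirectFor([udlAccountStatus: ['Active']]) == null

// `==` compares and discards the result; it never stores the status.
class Holder { String accountStatus }
def h = new Holder()
h.accountStatus == 'Waiting'
assert h.accountStatus == null
h.accountStatus = 'Waiting'
assert h.accountStatus == 'Waiting'
println 'all checks passed'
```

Keeping the decision a pure function of the attribute map also avoids holding per-user state in a field of a strategy object, which is unsafe if one instance serves several requests.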