Ray, 

waiting.html isn't protected by a CAS client.
I tried to register it as a CAS service with the CAS management app, but it
doesn't change anything.

The browser network traffic shows a 401 error.
It's weird: for the simple redirection it works and the URL is displayed correctly,
but for the dynamic redirection it doesn't. In the logs we can see that we
will be redirected, but in reality we are not.

Regards,


> Debian,
>
> Is waiting.html protected by a CAS client?
>
> The 'not authorized' message shows in CAS when an application redirects to 
> CAS but is not in CAS services. Check your browser network traffic to see 
> the redirects.
>
> Ray
>
> On Tue, 2019-06-04 at 02:58 -0700, Debian HNT wrote:
>
> Ray,
>
> UPDATE
>
> I wrote my own logs by redirecting to a file to see if this.accountStatus
> gets the correct state,
>
> like this 
>
>
>    java.net.URI getUnauthorizedRedirectUrl() {
>         if (this.accountStatus == 'Blocked') {
>                 File file = new File("/tmp/cas")
>                 file.append(this.accountStatus)
>
> So in my toto file I have the waiting status:
> ====================================================
>   GNU nano 2.7.4                                  File : /tmp/cas 
>                                          
>
> *Waiting*
>
> ====================================================
>
> When I'm trying to connect:
>
> 2019-06-04 11:42:20,415 WARN 
> [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - 
> <Unauthorized service access for principal; CAS will be redirecting to [
> https://cas-univ.com/waiting.html)]>
> So it sounds good, but the page doesn't redirect to the URL and displays
> "Application Not Authorized to Use CAS".
>
> Any suggestion?
>
> Regards,
>
> Ray,
>
> These lines do not return anything in my logs...
> I thought my file wasn't up, but it is, because the ldaptive debug is
> generated...
> I don't know what's happening.
>
> regards,
>
> Debian,
>
> Add this to your log4j2.xml
> <AsyncLogger name="package.GroovyRegisteredAccessStrategy" level="debug"/>
>
> replacing 'package' with the package of your class.
>
> Add this as the first line of doPrincipalAttributesAllowServiceAccess 
> method:
> log.error("doPrincipalAttributesAllowServiceAccess: " + attributes.get('udlAccountStatus'))
>
> Log level does not have to be 'error', but this way it will definitely 
> show in the logs and 'should be' the only ERROR listed.
> This way you will know when/if your method is called and the value of 
> udlAccountStatus.
>
> Ray
>
>
> On Mon, 2019-06-03 at 06:00 -0700, Debian HNT wrote:
>
> Ray, 
>
> In my log4j2.xml I have this:
>
>         <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>
>         <AsyncLogger name="org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy" level="debug"/>
>
> When access is granted I have this in my logs:
>
> 8430:2019-06-03 14:13:39,963 DEBUG 
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
> <Initiating attributes release phase for principal [student1.stu] accessing 
> service [https://castete.univ.com/cas/status/dashboard] defined by 
> registered service [^https://castete.univ.com/cas/status/dashboard
> (\z|/.*)]...>
> 8431:2019-06-03 14:13:39,972 DEBUG 
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
> <Locating principal attributes for [student1.stu]>
> 8432:2019-06-03 14:13:39,973 DEBUG 
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
> <Using principal attribute repository 
> [DefaultPrincipalAttributesRepository()] to retrieve attributes>
> 8433:2019-06-03 14:13:39,974 DEBUG 
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
> <Found principal attributes [{supannAliasLogin=[student1.stu], 
> udlAccountStatus=[Active]}] for [student1.stu]>
> 8434:2019-06-03 14:13:39,976 DEBUG 
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
> <Calling attribute policy [ReturnAllAttributeReleasePolicy] to process 
> attributes for [student1.stu]>
> 8435:2019-06-03 14:13:39,977 DEBUG 
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
> <Attribute policy [ReturnAllAttributeReleasePolicy] allows release of 
> [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}] for 
> [student1.stu>
> 8436:2019-06-03 14:13:39,984 DEBUG 
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
> <Attempting to merge policy attributes and default attributes>
> 8437:2019-06-03 14:13:39,984 DEBUG 
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
> <Checking default attribute policy attributes>
> 8438:2019-06-03 14:13:39,985 DEBUG 
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
> <Located application context. Retrieving default attributes for release, if 
> any>
> 8439:2019-06-03 14:13:39,988 DEBUG 
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
> <Default attributes for release are: [[]]>
> 8440:2019-06-03 14:13:39,993 DEBUG 
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
> <Default attributes found to be released are [{}]>
> 8441:2019-06-03 14:13:39,993 DEBUG 
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
> <Adding default attributes first to the released set of attributes>
> 8442:2019-06-03 14:13:39,994 DEBUG 
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
> <Adding policy attributes to the released set of attributes>
> 8443:2019-06-03 14:13:39,994 DEBUG 
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
> <Finalizing attributes release phase for principal [student1.stu] accessing 
> service [https://castete.univ.com/cas/status/dashboard] defined by 
> registered service [^https://castete.univ.com/cas/status/dashboard
> (\z|/.*)]...>
> 8444:2019-06-03 14:13:39,994 DEBUG 
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
> <Final collection of attributes allowed are: 
> [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}]>
>
>
> But when I try to test my waiting/blocked account, access is denied. In my logs
> I just have ldaptive DEBUG:
>
> 2019-06-03 14:50:45,673 INFO [org.ldaptive.auth.Authenticator] - 
> <Authentication succeeded for dn: uid=82853,ou=accounts,dc=univ,dc=com>
> 2019-06-03 14:50:45,675 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
> trail record BEGIN
> =============================================================
> WHO: student1.stu
> WHAT: Supplied credentials: 
> [UsernamePasswordCredential(username=student1.stu)]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Mon Jun 03 14:50:45 CEST 2019
> CLIENT IP ADDRESS: 134.206.4.15
> SERVER IP ADDRESS: 194.254.129.15
> =============================================================
>
> 2019-06-03 14:50:45,677 WARN 
> [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot 
> grant access to service [https://castete.univ.com/cas/status/dashboard] 
> because it is not authorized for use by [student1.stu].>
> 2019-06-03 14:50:45,678 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
> trail record BEGIN
> =============================================================
> WHO: student1.stu
> WHAT: [result=Service Access Denied,service=
> https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=student1.stu,
>  
> attributes={udlAccountStatus=[Active], 
> supannAliasLogin=[student1.stu]}),requiredAttributes={}]
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Mon Jun 03 14:50:45 CEST 2019
> CLIENT IP ADDRESS: 134.206.4.15
> SERVER IP ADDRESS: 194.254.129.15
> =============================================================
> Don't know if I have configured logs correctly, because I don't see what's
> happening when access is denied...
>
> Thanks for your time...
>
> Debian,
>
>
> Ray,
>
> Thanks a lot for your response.
> If it is neither 'blocked' nor 'waiting', access should be granted.
>
> Debian,
>
> Debian,
>
> To know what is happening in your code, add logging statements!!!
>
> If you modify your code, you have to remember to un-modify it. Too easy to 
> forget a change and release to production.
>
> I have not used groovy scripting in CAS. Can you write unit tests? This 
> will let you know that your logic is correct.
> Logging and unit tests can both be permanent in your code base. Logging 
> can be adjusted at runtime (log4j2.xml) in case an unexpected behaviour 
> shows up.
>
> If you are going to test runtime behaviour (different redirects) you will
> need test users with appropriate attributes (at least 3 in your
> case), or modify one user at the attribute store.
>
> Testing is important! Make sure you have all the parts you need.
>
> As far as why the code is not working, is it possible that 
> getUnauthorizedRedirectUrl is called before 
> doPrincipalAttributesAllowServiceAccess? You can check this with logging 
> (easy way) or trace the method calls in CAS source (more challenging).
>
> In getUnauthorizedRedirectUrl, there is no default case. What happens if 
> it is neither 'Blocked' nor 'Waiting'?
>
> Ray
>
> On Wed, 2019-05-29 at 01:37 -0700, Debian HNT wrote:
>
> Hi Ray, 
>
> I'm trying to implement a dynamic URL redirect; here's my code:
>
> import org.apereo.cas.services.*
> import java.util.*
> import java.net.URI
>
> class GroovyRegisteredAccessStrategy extends DefaultRegisteredServiceAccessStrategy {
>     // Not final: it is reassigned on every evaluation. CAS holds one strategy object
>     // per registered service, so this field is shared by all logins to that service.
>     String accountStatus
>
>     @Override
>     boolean isServiceAccessAllowed() {
>         return true
>     }
>
>     @Override
>     boolean isServiceAccessAllowedForSso() {
>         return true
>     }
>
>     @Override
>     boolean doPrincipalAttributesAllowServiceAccess(String principal, Map<String, Object> attributes) {
>         // A single '=' assigns the field; '==' only compares and would leave it null.
>         if (attributes.get('udlAccountStatus').contains('Active')) {
>             this.accountStatus = 'Active'
>             return true
>         } else if (attributes.get('udlAccountStatus').contains('Waiting')) {
>             this.accountStatus = 'Waiting'
>             return false
>         } else if (attributes.get('udlAccountStatus').contains('Blocked')) {
>             this.accountStatus = 'Blocked'
>             return false
>         } else {
>             return false
>         }
>     }
>
>     @Override
>     java.net.URI getUnauthorizedRedirectUrl() {
>         if (this.accountStatus == 'Blocked') {
>             return new URI('https://cas-univ.com/blocked.html')
>         } else if (this.accountStatus == 'Waiting') {
>             return new URI('https://cas-univ.com/waiting.html')
>         }
>         // No default branch: any other status falls through and the method returns null.
>     }
> }
>
> For an Active account it works, but when I try a waiting or blocked account, my
> access is denied (CAS message, no error logs). I don't have a
> blocked/waiting account, so I set my code like this to try:
>
>     @Override
>     boolean doPrincipalAttributesAllowServiceAccess(String principal, Map<String, Object> attributes) {
>         // Test variant: an Active account is deliberately treated as Waiting.
>         if (attributes.get('udlAccountStatus').contains('Active')) {
>             this.accountStatus = 'Waiting'
>             return false
>         } else if (attributes.get('udlAccountStatus').contains('Waiting')) {
>             this.accountStatus = 'Waiting'
>             return false
>         } else if (attributes.get('udlAccountStatus').contains('Blocked')) {
>             this.accountStatus = 'Blocked'
>             return false
>         } else {
>             return false
>         }
>     }
>
>     @Override
>     java.net.URI getUnauthorizedRedirectUrl() {
>         if (this.accountStatus == 'Blocked') {
>             return new URI('https://cas-univ.com/blocked.html')
>         } else if (this.accountStatus == 'Waiting') {
>             return new URI('https://cas-univ.com/waiting.html')
>         }
>     }
> }
>
> Any suggestion? Is my code correct?
>
>
> Thanks in advance.
>
>
> Hi Ray,
>
> Thanks for your response and idea, I managed to make it work!
>
> Best regards,
>
> Debian,
>
> 'Principal' is what the logged in user is called. Think of it as a box 
> containing id, attributes, etc.
>
> Ray
>
> On Mon, 2019-05-27 at 04:31 -0700, Debian HNT wrote:
>
>
> Hi Ray,
>
> It is a message that CAS is displaying "Service access denied due to 
> missing privileges."
>
>
> Here are the logs:
>
> 2019-05-27 13:02:15,646 WARN 
> [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - 
> <Unauthorized service access for principal; CAS will be redirecting to [
> https://castete.univ.com/aide/blocked.html]>
> 2019-05-27 13:02:53,173 WARN 
> [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot 
> grant access to service [https://castete.univ.com/cas/status/dashboard] 
> because it is not authorized for use by [student.stu].>
> 2019-05-27 13:02:53,174 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
> trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: [result=Service Access Denied,service=
> https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=
> student.stu, attributes={udlAccountStatus=[Active], supannAliasLogin=
> [student.stu]}),requiredAttributes={}]
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Mon May 27 13:02:53 CEST 2019
>
> I feel like the code doesn't work, because my student.stu has his
> udlAccountStatus set to Active, so I should have access to the service?
> Can you explain the "String principal" to me? Not sure if I understand
> correctly...
>
> Thanks for your time,
>
> Debian,
>
> When you say 'access is denied', is that a message that CAS is displaying 
> or is that your service (admusers.properties sounds like your service)?
>
> Check CAS logs to see what is happening (you may need to add logging to
> your custom code).
>
> Ray
>
> On Fri, 2019-05-24 at 00:01 -0700, Debian HNT wrote:
>
> Hello Ray,
>
> Thanks for your answer. The conf seems to be OK: I can access the login
> page of the service, but when I try to connect with my ID, access is
> denied.
> Before using the Groovy script I was able to access the service... I've
> checked my admusers.properties and my account is set to ROLE_ADMIN.
>
> The boolean isServiceAccessAllowed is "return true":
>
> class GroovyRegisteredAccessStrategy extends DefaultRegisteredServiceAccessStrategy {
>     @Override
>     boolean isServiceAccessAllowed() {
>         return true
>     }
>
> Thanks in advance
>
> Debian,
>
> Skip the for loop. If you know the attribute key, check it directly (sorry 
> about the use of map in my previous example):
>
> if ('Active' == attributes.get('udlAccountStatus'))
>
>
> Also, from a programming perspective, entrySet returns a 
> Set<Map.Entry<String, Object>>.
>
> Ray
>
> On Thu, 2019-05-23 at 06:59 -0700, Debian HNT wrote:
>
> Ray,
>
> Excuse me for the inconvenience, but I still have errors...
>
> I've tried your syntax:
>
> import org.apereo.cas.services.*
> import java.util.*
>
> class GroovyRegisteredAccessStrategy extends 
> DefaultRegisteredServiceAccessStrategy {
>     @Override
>     boolean isServiceAccessAllowed() {
>             return true
>     }
>
>     @Override
>     boolean isServiceAccessAllowedForSso() {
>             return true
>     }
>
>     @Override
>     boolean doPrincipalAttributesAllowServiceAccess(String principal, 
> Map<String, Object> attributes) {
>         for (Map.Entry<String, Object> entry : attributes.entrySet()){
>                 if ('Active' == map.get('udlAccountStatus')) {return true}
>                 else
>                 {return false}
>         }
>     }
>
> }
>
> I have this error:
> 2019-05-23 15:46:04,201 WARN [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <No such property: map for class: Gr
>
>
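
The unit-test approach Ray recommends in the thread above, as an added example that is not part of the thread: a stand-alone Groovy script with a hypothetical four-method stand-in for DefaultRegisteredServiceAccessStrategy (so it runs without the CAS jars) and constructed attribute maps for student1.stu to student4.stu. It fixes the '=' assignment and the missing default case in the posted strategy and makes the shared-field pitfall visible.

```groovy
import java.net.URI

// Hypothetical stand-in for org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy:
// only the methods the strategy overrides are declared, so the script runs with plain `groovy`.
class DefaultRegisteredServiceAccessStrategy {
    boolean isServiceAccessAllowed() { true }
    boolean isServiceAccessAllowedForSso() { true }
    boolean doPrincipalAttributesAllowServiceAccess(String principal, Map<String, Object> attributes) { true }
    URI getUnauthorizedRedirectUrl() { null }
}

class GroovyRegisteredAccessStrategy extends DefaultRegisteredServiceAccessStrategy {
    String accountStatus   // not final: reassigned on every evaluation

    // CAS releases attributes multi-valued (udlAccountStatus=[Active] in the thread's logs),
    // so accept both a collection and a bare string.
    private static String statusOf(Map<String, Object> attributes) {
        def raw = attributes.get('udlAccountStatus')
        def value = (raw instanceof Collection) ? raw.find { it != null } : raw
        return value?.toString()
    }

    @Override
    boolean doPrincipalAttributesAllowServiceAccess(String principal, Map<String, Object> attributes) {
        accountStatus = statusOf(attributes)      // single '=' assigns; '==' only compares
        return accountStatus == 'Active'
    }

    @Override
    URI getUnauthorizedRedirectUrl() {
        switch (accountStatus) {
            case 'Blocked': return new URI('https://cas-univ.com/blocked.html')
            case 'Waiting': return new URI('https://cas-univ.com/waiting.html')
            default:        return null           // explicit default: no custom redirect, CAS uses its own denial view
        }
    }
}

def strategy = new GroovyRegisteredAccessStrategy()

// Constructed attribute maps in the shape CAS passes to the strategy.
def active  = [supannAliasLogin: ['student1.stu'], udlAccountStatus: ['Active']]
def waiting = [supannAliasLogin: ['student2.stu'], udlAccountStatus: ['Waiting']]
def blocked = [supannAliasLogin: ['student3.stu'], udlAccountStatus: ['Blocked']]
def missing = [supannAliasLogin: ['student4.stu']]   // attribute absent: Ray's "neither" case

assert strategy.doPrincipalAttributesAllowServiceAccess('student1.stu', active)
assert strategy.unauthorizedRedirectUrl == null

assert !strategy.doPrincipalAttributesAllowServiceAccess('student2.stu', waiting)
assert strategy.unauthorizedRedirectUrl == new URI('https://cas-univ.com/waiting.html')

assert !strategy.doPrincipalAttributesAllowServiceAccess('student3.stu', blocked)
assert strategy.unauthorizedRedirectUrl == new URI('https://cas-univ.com/blocked.html')

assert !strategy.doPrincipalAttributesAllowServiceAccess('student4.stu', missing)
assert strategy.unauthorizedRedirectUrl == null

// Pitfall: CAS keeps one strategy object per registered service, so accountStatus is shared by
// every login to that service. A second evaluation before the first user's redirect is computed
// silently changes the first user's redirect target.
strategy.doPrincipalAttributesAllowServiceAccess('student2.stu', waiting)
strategy.doPrincipalAttributesAllowServiceAccess('student3.stu', blocked)
assert strategy.unauthorizedRedirectUrl.path == '/blocked.html'   // student2 would land here
println 'all checks passed'
```

Run it with `groovy` on the command line; the assertions double as the unit tests Ray asks for, and the last block shows why per-user state should not live on the strategy object.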

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/05ea988a-c0eb-4aac-828b-7651d6a766f7%40apereo.org.
