This line doesnt work, do I have to import some package?
log.error("doPrincipalAttributesAllowServiceAccess: " +
attributes.get('udlAccountStatus'))
So I wrote this to exit the state of accountStatus
java.net.URI getUnauthorizedRedirectUrl() {
if (this.accountStatus == 'Blocked') {
File file = new File("/tmp/cas")
file.append(this.accountStatus)
this debug return nothing
<AsyncLogger name="org.apereo.cas.services.GroovyRegisteredAccessStrategy"
level="debug"/>
I don't have access to the server atm, I'll send u the rest of logs tomwr
Regards,
Debian,
>
> Post all the relevant debug logs, ideally with logging from your code.
>
> Need to see what CAS and your code is thinking, _and_ when it is executing.
>
> Ray
>
> On Wed, 2019-06-05 at 06:00 -0700, Debian HNT wrote:
>
> Ray,
> There is two states
> 1st connection : "Service access denied due to missing privileges"
> 2nd connection :"Application Not Authorized to Use CAS" + message log
> "CAS will be redirecting to... https://blocke.html";
> I'm running out of ideas...
>
> Regards,
>
> Ray,
>
> waiting.html isnt protected by a CAS client..
> I tried to register it as a CAS services with the cas management app but
> it doesnt change anything.
>
> Network browser traffic display error 401.
> it's weird, for the simple redirection it works the url is well displayed,
> but for the dynamic redirection it doesn't. In the logs we can see that we
> will be redirected but in reality not
>
> Regards..
>
>
> Debian,
>
> Is waiting.html protected by a CAS client?
>
> The 'not authorized' message shows in CAS when an application redirects to
> CAS but is not in CAS services. Check your browser network traffic to see
> the redirects.
>
> Ray
>
> On Tue, 2019-06-04 at 02:58 -0700, Debian HNT wrote:
>
> Ray,
>
> UPDATE
>
> I wrote my own logs by redirecting to a file to see if this.accountStatus
> recovers the correct state
>
> like this
>
>
> java.net.URI getUnauthorizedRedirectUrl() {
> if (this.accountStatus == 'Blocked') {
> File file = new File("/tmp/cas")
> file.append(this.accountStatus)
>
> So in my toto file I have the waiting status
> ====================================================
> GNU nano 2.7.4 File : /tmp/cas
>
>
> *Waiting*
>
> ====================================================
>
> When Im trying to connect :
>
> 2019-06-04 11:42:20,415 WARN
> [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] -
> <Unauthorized service access for principal; CAS will be redirecting to [
> https://cas-univ.com/waiting.html)]>
> So it sounds good but the page doesnt redirect to the url and display
> "Application Not Authorized to Use CAS"
>
> any suggestion?
>
> Regards,
>
> Ray,
>
> Theses lines do not return anything in my logs...
> I thought my file wasnt up but it is because the ldaptive debug is
> generated...
> I dunno whats happening
>
> regards,
>
> Debian,
>
> Add this to your log4j2.xml
> <AsyncLogger name="package.GroovyRegisteredAccessStrategy" level="debug"/>
>
> replacing 'package' with the package of your class.
>
> Add this as the first line of doPrincipalAttributesAllowServiceAccess
> method:
> log.error("doPrincipalAttributesAllowServiceAccess: " +
> attributes.get('udlAccountStatus'))
>
> Log level does not have to be 'error', but this way it will definitely
> show in the logs and 'should be' the only ERROR listed.
> This way you will know when/if your method is called and the value of
> udlAccountStatus.
>
> Ray
>
>
> On Mon, 2019-06-03 at 06:00 -0700, Debian HNT wrote:
>
> Ray,
>
> In my log4j2.xml I have this
>
> <AsyncLogger
> name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy"
>
> level="debug"/>
> <AsyncLogger
> name="org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy"
> level="debug"/>
>
> When access is granted I have this in my logs
>
> 8430:2019-06-03 14:13:39,963 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Initiating attributes release phase for principal [student1.stu] accessing
> service [https://castete.univ.com/cas/status/dashboard] defined by
> registered service [^https://castete.univ.com/cas/status/dashboard
> (\z|/.*)]...>
> 8431:2019-06-03 14:13:39,972 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Locating principal attributes for [student1.stu]>
> 8432:2019-06-03 14:13:39,973 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Using principal attribute repository
> [DefaultPrincipalAttributesRepository()] to retrieve attributes>
> 8433:2019-06-03 14:13:39,974 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Found principal attributes [{supannAliasLogin=[student1.stu],
> udlAccountStatus=[Active]}] for [student1.stu]>
> 8434:2019-06-03 14:13:39,976 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Calling attribute policy [ReturnAllAttributeReleasePolicy] to process
> attributes for [student1.stu]>
> 8435:2019-06-03 14:13:39,977 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Attribute policy [ReturnAllAttributeReleasePolicy] allows release of
> [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}] for
> [student1.stu>
> 8436:2019-06-03 14:13:39,984 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Attempting to merge policy attributes and default attributes>
> 8437:2019-06-03 14:13:39,984 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Checking default attribute policy attributes>
> 8438:2019-06-03 14:13:39,985 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Located application context. Retrieving default attributes for release, if
> any>
> 8439:2019-06-03 14:13:39,988 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Default attributes for release are: [[]]>
> 8440:2019-06-03 14:13:39,993 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Default attributes found to be released are [{}]>
> 8441:2019-06-03 14:13:39,993 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Adding default attributes first to the released set of attributes>
> 8442:2019-06-03 14:13:39,994 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Adding policy attributes to the released set of attributes>
> 8443:2019-06-03 14:13:39,994 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Finalizing attributes release phase for principal [student1.stu] accessing
> service [https://castete.univ.com/cas/status/dashboard] defined by
> registered service [^https://castete.univ.com/cas/status/dashboard
> (\z|/.*)]...>
> 8444:2019-06-03 14:13:39,994 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Final collection of attributes allowed are:
> [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}]>
>
>
>
> 8430:2019-06-03 14:13:39,963 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Initiating attributes release phase for principal [student1.stu] accessing
> service [https://castete.univ.com/cas/status/dashboard] defined by
> registered service [^https://castete.univ.com/cas/status/dashboard
> (\z|/.*)]...>
> 8431:2019-06-03 14:13:39,972 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Locating principal attributes for [student1.stu]>
> 8432:2019-06-03 14:13:39,973 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Using principal attribute repository
> [DefaultPrincipalAttributesRepository()] to retrieve attributes>
> 8433:2019-06-03 14:13:39,974 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Found principal attributes [{supannAliasLogin=[student1.stu],
> udlAccountStatus=[Active]}] for [student1.stu]>
> 8434:2019-06-03 14:13:39,976 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Calling attribute policy [ReturnAllAttributeReleasePolicy] to process
> attributes for [student1.stu]>
> 8435:2019-06-03 14:13:39,977 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Attribute policy [ReturnAllAttributeReleasePolicy] allows release of
> [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}] for
> [student1.stu]>
> 8436:2019-06-03 14:13:39,984 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Attempting to merge policy attributes and default attributes>
> 8437:2019-06-03 14:13:39,984 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Checking default attribute policy attributes>
> 8438:2019-06-03 14:13:39,985 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Located application context. Retrieving default attributes for release, if
> any>
> 8439:2019-06-03 14:13:39,988 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Default attributes for release are: [[]]>
> 8440:2019-06-03 14:13:39,993 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Default attributes found to be released are [{}]>
> 8441:2019-06-03 14:13:39,993 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Adding default attributes first to the released set of attributes>
> 8442:2019-06-03 14:13:39,994 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Adding policy attributes to the released set of attributes>
> 8443:2019-06-03 14:13:39,994 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Finalizing attributes release phase for principal [student1.stu] accessing
> service [https://castete.univ.com/cas/status/dashboard] defined by
> registered service [^https://castete.univ.com/cas/status/dashboard
> (\z|/.*)]...>
> 8444:2019-06-03 14:13:39,994 DEBUG
> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> <Final collection of attributes allowed are:
> [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}]>
>
> But when I try to test my waiting/blocked acc access is denied. In my logs
> I just have ldaptive DEBUG
>
> 2019-06-03 14:50:45,673 INFO [org.ldaptive.auth.Authenticator] -
> <Authentication succeeded for dn: uid=82853,ou=accounts,dc=univ,dc=com>
> 2019-06-03 14:50:45,673 DEBUG [org.ldaptive.auth.Authenticator] -
> <authenticate
> response=[org.ldaptive.auth.AuthenticationHandlerResponse@1390045036::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1074313305::config=[org.ldaptive.ConnectionConfig@1599162410::ldapUrl=ldap://
> ldap.univ.com, connectTimeout=PT5S, responseTimeout=PT5S,
> sslConfig=[org.ldaptive.ssl.SslConfig@1022689743::credentialConfig=null,
> trustManagers=null,
> hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@5afc0982,
> hostnameVerifierConfig=null, enabledCipherSuites=null,
> enabledProtocols=null, handshakeCompletedListeners=null], useSSL=true,
> useStartTLS=false,
> connectionInitializer=[org.ldaptive.BindConnectionInitializer@202489594::bindDn=uid=reverseproxy,ou=ldapusers,dc=univ,dc=com,
>
> bindSaslConfig=null, bindControls=null],
> connectionStrategy=org.ldaptive.DefaultConnectionStrategy@59d4b74a],
> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@156261501::metadata=[ldapUrl=ldap://
> ldap.univ.com, count=1],
> environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory,
>
> com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3,
> java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
> java.naming.security.protocol=ssl, com.sun.jndi.ldap.read.timeout=5000},
> classLoader=null,
> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@1341079820::operationExceptionResultCodes=[PROTOCOL_ERROR,
>
> SERVER_DOWN], properties={},
> controlProcessor=org.ldaptive.provider.ControlProcessor@6a7e6832,
> environment=null, tracePackets=null, removeDnUrls=true,
> searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED,
> PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null,
> hostnameVerifier=null]],
> providerConnection=org.ldaptive.provider.jndi.JndiConnection@390a5cde],
> result=true, resultCode=SUCCESS, message=null, controls=null] for
> dn=uid=82853,ou=accounts,dc=univ,dc=com with
> request=[org.ldaptive.auth.AuthenticationRequest@1020927553::user=[org.ldaptive.auth.User@86711528::identifier=student1.stu,
>
> context=null], returnAttributes=[udlAccountStatus, supannAliasLogin],
> controls=null]>
> 2019-06-03 14:50:45,675 INFO
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
> trail record BEGIN
> =============================================================
> WHO: student1.stu
> WHAT: Supplied credentials:
> [UsernamePasswordCredential(username=student1.stu)]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Mon Jun 03 14:50:45 CEST 2019
> CLIENT IP ADDRESS: 134.206.4.15
> SERVER IP ADDRESS: 194.254.129.15
> =============================================================
>
> >
> 2019-06-03 14:50:45,677 WARN
> [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot
> grant access to service [https://castete.univ.com/cas/status/dashboard]
> because it is not authorized for use by [student1.stu].>
> 2019-06-03 14:50:45,678 INFO
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
> trail record BEGIN
> =============================================================
> WHO: student1.stu
> WHAT: [result=Service Access Denied,service=
> https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=student1.stu,
>
> attributes={udlAccountStatus=[Active],
> supannAliasLogin=[student1.stu]}),requiredAttributes={}]
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Mon Jun 03 14:50:45 CEST 2019
> CLIENT IP ADDRESS: 134.206.4.15
> SERVER IP ADDRESS: 194.254.129.15
> =============================================================
> Dont know if I have configured logs correctly because I dont see whats
> happening when access is denied...
>
> thanks for your time...
>
> Debian,
>
>
> Ray,
>
> Thanks a lot for your response.
> If it is neither 'blocked' nor 'waiting' access should be granted
>
> Debian,
>
> Debian,
>
> To know what is happening in your code, add logging statements!!!
>
> If you modify your code, you have to remember to un-modify it. Too easy to
> forget a change and release to production.
>
> I have not used groovy scripting in CAS. Can you write unit tests? This
> will let you know that your logic is correct.
> Logging and unit tests can both be permanent in your code base. Logging
> can be adjusted at runtime (log4j2.xml) in case an unexpected behaviour
> shows up.
>
> If you are going to test runtime behaviour (different redirects) you should
> have need test users with appropriate attributes (at least 3 in your
> case). Or modify one user at the attribute store.
>
> Testing is important! Make sure you have all the parts you need.
>
> As far as why the code is not working, is it possible that
> getUnauthorizedRedirectUrl is called before
> doPrincipalAttributesAllowServiceAccess? You can check this with logging
> (easy way) or trace the method calls in CAS source (more challenging).
>
> In getUnauthorizedRedirectUrl, there is no default case. What happens if
> it is neither 'Blocked' nor 'Waiting'?
>
> Ray
>
> On Wed, 2019-05-29 at 01:37 -0700, Debian HNT wrote:
>
> Hi Ray,
>
> I'm trying to implement dynamic url redirect, here's my code :
>
> import org.apereo.cas.services.*
> import java.util.*
> import java.net.URI
>
> class GroovyRegisteredAccessStrategy extends
> DefaultRegisteredServiceAccessStrategy {
> final String accountStatus
>
> @Override
> boolean isServiceAccessAllowed() {
> return true
> }
>
> @Override
> boolean isServiceAccessAllowedForSso() {
> return true
> }
>
> @Override
> boolean doPrincipalAttributesAllowServiceAccess(String principal,
> Map<String, Object> attribu$
> if(attributes.get('udlAccountStatus').contains('Active')) {
> this.accountStatus == 'Active'
> return true
> } else if
> (attributes.get('udlAccountStatus').contains('Waiting')) {
> this.accountStatus == 'Waiting'
> return false
> } else if
> (attributes.get('udlAccountStatus').contains('Blocked')) {
> this.accountStatus == 'Blocked'
> return false
>
> } else {
> return false
> }
> }
>
> @Override
> java.net.URI getUnauthorizedRedirectUrl() {
> if (this.accountStatus == 'Blocked') {
> return new URI('https://cas-univ.com/blocked.html')
> } else if (this.accountStatus == 'Waiting') {
> return new URI('https://cas-univ.com/waiting.html')
> }
> }
> }
>
> For Active account it works, but when I try waiting or blocked account, my
> access is denied (CAS message, no erros logs). I don't have a
> blocked/waiting account so I set my code like this to try :
>
> @Override
> boolean doPrincipalAttributesAllowServiceAccess(String principal,
> Map<String, Object> attribu$
> if(attributes.get('udlAccountStatus').contains('Active')) {
> this.accountStatus == 'Waiting'
> return false
> } else if (attributes.get('udlAccountStatus').contains('Waiting))
> {
> this.accountStatus == 'Waiting'
> return false
> } else if
> (attributes.get('udlAccountStatus').contains('Blocked')) {
> this.accountStatus == 'Blocked'
> return false
>
> } else {
> return false
> }
> }
> @Override
> java.net.URI getUnauthorizedRedirectUrl() {
> if (this.accountStatus == 'Blocked') {
> return new URI('https://cas-univ.com/blocked.html')
> } else if (this.accountStatus == 'Waiting') {
> return new URI('https://cas-univ.com/waiting.html')
> }
> }
> }
>
> any suggest? is my code correct?
>
>
> Thanks in advance..
>
>
> Hi Ray,
>
> Thanks for your response and idea, I managed to make it work !
>
> Best regards,
>
> Debian,
>
> 'Principal' is what the logged in user is called. Think of it as a box
> containing id, attributes, etc.
>
> Ray
>
> On Mon, 2019-05-27 at 04:31 -0700, Debian HNT wrote:
>
>
> Hi Ray,
>
> It is a message that CAS is displaying "Service access denied due to
> missing privileges."
>
>
> Here's the logs
>
> 2019-05-27 13:02:15,646 WARN
> [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] -
> <Unauthorized service access for principal; CAS will be redirecting to [
> https://castete.univ.com/aide/blocked.html]>
> 2019-05-27 13:02:53,173 WARN
> [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot
> grant access to service [https://castete.univ.com/cas/status/dashboard]
> because it is not authorized for use by [student.stu].>
> 2019-05-27 13:02:53,174 INFO
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
> trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: [result=Service Access Denied,service=
> https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=
> student.stu, attributes={udlAccountStatus=[Active], supannAliasLogin=
> [student.stu]}),requiredAttributes={}]
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Mon May 27 13:02:53 CEST 2019
>
> I feel like the code doesnt work because my student.stu has his
> udlAccountStatus to Active so I should access to the service?
> Can you explain me the "String principal"? not sure if I understand
> correctly...
>
> thanks for your time,
>
> Debian,
>
> When you say 'access is denied', is that a message that CAS is displaying
> or is that your service (admusers.properties sounds like your service)?
>
> Check CAS logs to see what is happening (you may need to add logging to
> you custom code).
>
> Ray
>
> On Fri, 2019-05-24 at 00:01 -0700, Debian HNT wrote:
>
> Hello Ray,
>
> Thanks for your answer, the conf seems to be ok, I can access to the log
> in page of the service but when I try to connect with my ID, the access is
> denied.
> Before using groovy script I was able to access the service... I've
> checked my admusers.properties and my account is set to ROLE_ADMIN
>
> The boolean isServiceAccessAllowed is "return true"
>
> class GroovyRegisteredAccessStrategy extends
> DefaultRegisteredServiceAccessStrategy {
> @Override
> boolean isServiceAccessAllowed() {
> return true
> }
>
> Thanks in advance
>
> Debian,
>
> Skip the for loop. If you know the attribute key, check it directly (sorry
> about the use of map in my previous example):
>
> if ('Active' == attributes.get('udlAccountStatus'))
>
>
> Also, from a programming perspective, entrySet
>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7ef1201a-7346-4cc3-9cb5-6c6b82b9af8d%40apereo.org.
