Ray, I think the problem comes from the registration of the url https://cas-univ.com/blocked.html to cas <https://cas-univ.com/blocked.html> I tried to redirect to a registered service like cas-management page and its worked.
So I tried to register https://cas-univ.com/help/blocked.html <https://cas-univ.com/blocked.html> like that { "@class" : "org.apereo.cas.services.RegexRegisteredService", "serviceId" : "^https://cas-univ.com/help(\\z|/.*)", "name" : "blocked url", "id" : 1559825188, "description" : "Blocked URL" } but it doesnt work... here's the logs > 2019-06-06 15:05:23,393 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot grant access to service [https://cas.univ.com/cas/status/dashboard] because it is not authorized for use by [student1.stu].> 2019-06-06 15:05:23,393 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: student1.stu WHAT: [result=Service Access Denied,service=https://cas.univ.com/cas/sta...,principal=SimplePrincipal(id=student1.stu, attributes={udlAccountStatus=[Active], supannAliasLogin=[student1.stu]}),requiredAttributes={}] ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED APPLICATION: CAS WHEN: Thu Jun 06 15:05:23 CEST 2019 CLIENT IP ADDRESS: SERVER IP ADDRESS: ============================================================= > 2019-06-06 15:05:23,394 WARN [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - <Unauthorized service access for principal; CAS will be redirecting to [https://cas.univ.com/help/blocked.html]> 2019-06-06 15:05:24,423 DEBUG [org.apereo.cas.util.scripting.ScriptingUtils] - <Preparing constructor arguments [[]] for resource [file [/etc/cas/config/access-strategy.groovy]]> Is my registered service incorrectly configured? Regards,,, Set the logger to be more general: > > <AsyncLogger name="org.apereo.cas.services" level="debug"/> > > or better, set all of cas to log at debug: > <AsyncLogger name="org.apereo.cas" level="debug"/> > > Try using logger.error. > See > https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html#groovy-script > > I am not sure about importing as I have not used groovy scripting. > > It is important that your code writes to the log to capture the sequence > of method calls. > > Ray > > On Wed, 2019-06-05 at 12:22 -0700, Debian HNT wrote: > > This line doesnt work, do I have to import some package? > log.error("doPrincipalAttributesAllowServiceAccess: " + > attributes.get('udlAccountStatus')) > > > So I wrote this to exit the state of accountStatus > > java.net.URI getUnauthorizedRedirectUrl() { > if (this.accountStatus == 'Blocked') { > File file = new File("/tmp/cas") > file.append(this.accountStatus) > > this debug return nothing > > <AsyncLogger name="org.apereo.cas.services.GroovyRegisteredAccessStrategy" > level="debug"/> > > I don't have access to the server atm, I'll send u the rest of logs tomwr > Regards, > > Debian, > > Post all the relevant debug logs, ideally with logging from your code. > > Need to see what CAS and your code is thinking, _and_ when it is executing. > > Ray > > On Wed, 2019-06-05 at 06:00 -0700, Debian HNT wrote: > > Ray, > There is two states > 1st connection : "Service access denied due to missing privileges" > 2nd connection :"Application Not Authorized to Use CAS" + message log > "CAS will be redirecting to... https://blocke.html"; > I'm running out of ideas... > > Regards, > > Ray, > > waiting.html isnt protected by a CAS client.. > I tried to register it as a CAS services with the cas management app but > it doesnt change anything. > > Network browser traffic display error 401. > it's weird, for the simple redirection it works the url is well displayed, > but for the dynamic redirection it doesn't. In the logs we can see that we > will be redirected but in reality not > > Regards.. > > > Debian, > > Is waiting.html protected by a CAS client? > > The 'not authorized' message shows in CAS when an application redirects to > CAS but is not in CAS services. Check your browser network traffic to see > the redirects. > > Ray > > On Tue, 2019-06-04 at 02:58 -0700, Debian HNT wrote: > > Ray, > > UPDATE > > I wrote my own logs by redirecting to a file to see if this.accountStatus > recovers the correct state > > like this > > > java.net.URI getUnauthorizedRedirectUrl() { > if (this.accountStatus == 'Blocked') { > File file = new File("/tmp/cas") > file.append(this.accountStatus) > > So in my toto file I have the waiting status > ==================================================== > GNU nano 2.7.4 File : /tmp/cas > > > *Waiting* > > ==================================================== > > When Im trying to connect : > > 2019-06-04 11:42:20,415 WARN > [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - > <Unauthorized service access for principal; CAS will be redirecting to [ > https://cas-univ.com/waiting.html)]> > So it sounds good but the page doesnt redirect to the url and display > "Application Not Authorized to Use CAS" > > any suggestion? > > Regards, > > Ray, > > Theses lines do not return anything in my logs... > I thought my file wasnt up but it is because the ldaptive debug is > generated... > I dunno whats happening > > regards, > > Debian, > > Add this to your log4j2.xml > <AsyncLogger name="package.GroovyRegisteredAccessStrategy" level="debug"/> > > replacing 'package' with the package of your class. > > Add this as the first line of doPrincipalAttributesAllowServiceAccess > method: > log.error("doPrincipalAttributesAllowServiceAccess: " + > attributes.get('udlAccountStatus')) > > Log level does not have to be 'error', but this way it will definitely > show in the logs and 'should be' the only ERROR listed. > This way you will know when/if your method is called and the value of > udlAccountStatus. > > Ray > > > On Mon, 2019-06-03 at 06:00 -0700, Debian HNT wrote: > > Ray, > > In my log4j2.xml I have this > > <AsyncLogger > name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" > > level="debug"/> > <AsyncLogger > name="org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy" > level="debug"/> > > When access is granted I have this in my logs > > 8430:2019-06-03 14:13:39,963 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Initiating attributes release phase for principal [student1.stu] accessing > service [https://castete.univ.com/cas/status/dashboard] defined by > registered service [^https://castete.univ.com/cas/status/dashboard > (\z|/.*)]...> > 8431:2019-06-03 14:13:39,972 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Locating principal attributes for [student1.stu]> > 8432:2019-06-03 14:13:39,973 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Using principal attribute repository > [DefaultPrincipalAttributesRepository()] to retrieve attributes> > 8433:2019-06-03 14:13:39,974 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Found principal attributes [{supannAliasLogin=[student1.stu], > udlAccountStatus=[Active]}] for [student1.stu]> > 8434:2019-06-03 14:13:39,976 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Calling attribute policy [ReturnAllAttributeReleasePolicy] to process > attributes for [student1.stu]> > 8435:2019-06-03 14:13:39,977 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Attribute policy [ReturnAllAttributeReleasePolicy] allows release of > [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}] for > [student1.stu> > 8436:2019-06-03 14:13:39,984 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Attempting to merge policy attributes and default attributes> > 8437:2019-06-03 14:13:39,984 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Checking default attribute policy attributes> > 8438:2019-06-03 14:13:39,985 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Located application context. Retrieving default attributes for release, if > any> > 8439:2019-06-03 14:13:39,988 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Default attributes for release are: [[]]> > 8440:2019-06-03 14:13:39,993 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Default attributes found to be released are [{}]> > 8441:2019-06-03 14:13:39,993 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Adding default attributes first to the released set of attributes> > 8442:2019-06-03 14:13:39,994 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Adding policy attributes to the released set of attributes> > 8443:2019-06-03 14:13:39,994 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Finalizing attributes release phase for principal [student1.stu] accessing > service [https://castete.univ.com/cas/status/dashboard] defined by > registered service [^https://castete.univ.com/cas/status/dashboard > (\z|/.*)]...> > 8444:2019-06-03 14:13:39,994 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Final collection of attributes allowed are: > [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}]> > > > > 8430:2019-06-03 14:13:39,963 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Initiating attributes release phase for principal [student1.stu] accessing > service [https://castete.univ.com/cas/status/dashboard] defined by > registered service [^https://castete.univ.com/cas/status/dashboard > (\z|/.*)]...> > 8431:2019-06-03 14:13:39,972 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Locating principal attributes for [student1.stu]> > 8432:2019-06-03 14:13:39,973 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Using principal attribute repository > [DefaultPrincipalAttributesRepository()] to retrieve attributes> > 8433:2019-06-03 14:13:39,974 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Found principal attributes [{supannAliasLogin=[student1.stu], > udlAccountStatus=[Active]}] for [student1.stu]> > 8434:2019-06-03 14:13:39,976 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Calling attribute policy [ReturnAllAttributeReleasePolicy] to process > attributes for [student1.stu]> > 8435:2019-06-03 14:13:39,977 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Attribute policy [ReturnAllAttributeReleasePolicy] allows release of > [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}] for > [student1.stu]> > 8436:2019-06-03 14:13:39,984 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Attempting to merge policy attributes and default attributes> > 8437:2019-06-03 14:13:39,984 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Checking default attribute policy attributes> > 8438:2019-06-03 14:13:39,985 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Located application context. Retrieving default attributes for release, if > any> > 8439:2019-06-03 14:13:39,988 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Default attributes for release are: [[]]> > 8440:2019-06-03 14:13:39,993 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Default attributes found to be released are [{}]> > 8441:2019-06-03 14:13:39,993 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Adding default attributes first to the released set of attributes> > 8442:2019-06-03 14:13:39,994 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Adding policy attributes to the released set of attributes> > 8443:2019-06-03 14:13:39,994 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Finalizing attributes release phase for principal [student1.stu] accessing > service [https://castete.univ.com/cas/status/dashboard] defined by > registered service [^https://castete.univ.com/cas/status/dashboard > (\z|/.*)]...> > 8444:2019-06-03 14:13:39,994 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Final collection of attributes allowed are: > [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}]> > > But when I try to test my waiting/blocked acc access is denied. In my logs > I just have ldaptive DEBUG > > 2019-06-03 14:50:45,673 INFO [org.ldaptive.auth.Authenticator] - > <Authentication succeeded for dn: uid=82853,ou=accounts,dc=univ,dc=com> > 2019-06-03 14:50:45,673 DEBUG [org.ldaptive.auth.Authenticator] - > <authenticate > response=[org.ldaptive.auth.AuthenticationHandlerResponse@1390045036::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1074313305::config=[org.ldaptive.ConnectionConfig@1599162410::ldapUrl=ldap:// > ldap.univ.com, connectTimeout=PT5S, responseTimeout=PT5S, > sslConfig=[org.ldaptive.ssl.SslConfig@1022689743::credentialConfig=null, > trustManagers=null, > hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@5afc0982, > hostnameVerifierConfig=null, enabledCipherSuites=null, > enabledProtocols=null, handshakeCompletedListeners=null], useSSL=true, > useStartTLS=false, > connectionInitializer=[org.ldaptive.BindConnectionInitializer@202489594::bindDn=uid=reverseproxy,ou=ldapusers,dc=univ,dc=com, > > bindSaslConfig=null, bindControls=null], > connectionStrategy=org.ldaptive.DefaultConnectionStrategy@59d4b74a], > providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@156261501::metadata=[ldapUrl=ldap:// > ldap.univ.com, count=1], > environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory, > > com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, > java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, > java.naming.security.protocol=ssl, com.sun.jndi.ldap.read.timeout=5000}, > classLoader=null, > providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@1341079820::operationExceptionResultCodes=[PROTOCOL_ERROR, > > SERVER_DOWN], properties={}, > controlProcessor=org.ldaptive.provider.ControlProcessor@6a7e6832, > environment=null, tracePackets=null, removeDnUrls=true, > searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, > PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, > hostnameVerifier=null]], > providerConnection=org.ldaptive.provider.jndi.JndiConnection@390a5cde], > result=true, resultCode=SUCCESS, message=null, controls=null] for > dn=uid=82853,ou=accounts,dc=univ,dc=com with > request=[org.ldaptive.auth.AuthenticationRequest@1020927553::user=[org.ldaptive.auth.User@86711528::identifier=student1.stu, > > context=null], returnAttributes=[udlAccountStatus, supannAliasLogin], > controls=null]> > 2019-06-03 14:50:45,675 INFO > [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit > trail record BEGIN > ============================================================= > WHO: student1.stu > WHAT: Supplied credentials: > [UsernamePasswordCredential(username=student1.stu)] > ACTION: AUTHENTICATION_SUCCESS > APPLICATION: CAS > WHEN: Mon Jun 03 14:50:45 CEST 2019 > CLIENT IP ADDRESS: 134.206.4.15 > SERVER IP ADDRESS: 194.254.129.15 > ============================================================= > > > > 2019-06-03 14:50:45,677 WARN > [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot > grant access to service [https://castete.univ.com/cas/status/dashboard] > because it is not authorized for use by [student1.stu].> > 2019-06-03 14:50:45,678 INFO > [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit > trail record BEGIN > ============================================================= > WHO: student1.stu > WHAT: [result=Service Access Denied,service= > https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=student1.stu, > > attributes={udlAccountStatus=[Active], > supannAliasLogin=[student1.stu]}),requiredAttributes={}] > ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED > APPLICATION: CAS > WHEN: Mon Jun 03 14:50:45 CEST 2019 > CLIENT IP ADDRESS: 134.206.4.15 > SERVER IP ADDRESS: 194.254.129.15 > ============================================================= > Dont know if I have configured logs correctly because I dont see whats > happening when access is denied... > > thanks for your time... > > Debian, > > > Ray, > > Thanks a lot for your response. > If it is neither 'blocked' nor 'waiting' access should be granted > > Debian, > > Debian, > > To know what is happening in your code, add logging statements!!! > > If you modify your code, you have to remember to un-modify it. Too easy to > forget a change and release to production. > > I have not used groovy scripting in CAS. Can you write unit tests? This > will let you know that your logic is correct. > Logging and unit tests can both be permanent in your code base. Logging > can be adjusted at runtime (log4j2.xml) in case an unexpected behaviour > shows up. > > If you are going to test runtime behaviour (different redirects) you should > have need test users with appropriate attributes (at least 3 in your > case). Or modify one user at the attribute store. > > Testing is important! Make sure you have all the parts you need. > > As far as why the code is not working, is it possible that > getUnauthorizedRedirectUrl is called before > doPrincipalAttributesAllowServiceAccess? You can check this with logging > (easy way) or trace the method calls in CAS source (more challenging). > > In getUnauthorizedRedirectUrl, there is no default case. What happens if > it is neither 'Blocked' nor 'Waiting'? > > Ray > > On Wed, 2019-05-29 at 01:37 -0700, Debian HNT wrote: > > Hi Ray, > > I'm trying to implement dynamic url redirect, here's my code : > > import org.apereo.cas.services.* > import java.util.* > import java.net.URI > > class GroovyRegisteredAccessStrategy extends > DefaultRegisteredServiceAccessStrategy { > final String accountStatus > > @Override > boolean isServiceAccessAllowed() { > return true > } > > @Override > boolean isServiceAccessAllowedForSso() { > return true > } > > @Override > boolean doPrincipalAttributesAllowServiceAccess(String principal, > Map<String, Object> attribu$ > if(attributes.get('udlAccountStatus').contains('Active')) { > this.accountStatus == 'Active' > return true > } else if > (attributes.get('udlAccountStatus').contains('Waiting')) { > this.accountStatus == 'Waiting' > return false > } else if > (attributes.get('udlAccountStatus').contains('Blocked')) { > this.accountStatus == 'Blocked' > return false > > } else { > return false > } > } > > @Override > java.net.URI getUnauthorizedRedirectUrl() { > if (this.accountStatus == 'Blocked') { > return new URI('https://cas-univ.com/blocked.html') > } else if (this.accountStatus == 'Waiting') { > return new URI('https://cas-univ.com/waiting.html') > } > } > } > > For Active account it works, but when I try waiting or blocked account, my > access is denied (CAS message, no erros logs). I don't have a > blocked/waiting account so I set my code like this to try : > > @Override > boolean doPrincipalAttributesAllowServiceAccess(String principal, > Map<String, Object> attribu$ > if(attributes.get('udlAccountStatus').contains('Active')) { > this.accountStatus == 'Waiting' > return false > } else if (attributes.get('udlAccountStatus').contains('Waiting)) > { > this.accountStatus == 'Waiting' > return false > } else if > (attributes.get('udlAccountStatus').contains('Blocked')) { > this.accountStatus == 'Blocked' > return false > > } else { > return false > } > } > @Override > java.net.URI getUnauthorizedRedirectUrl() { > if (this.accountStatus == 'Blocked') { > return new URI('https://cas-univ.com/blocked.html') > } else if (this.accountStatus == 'Waiting') { > return new URI('https://cas-univ.com/waiting.html') > } > } > } > > any suggest? is my code correct? > > > Thanks in advance.. > > > Hi Ray, > > Thanks for your response and idea, I managed to make it work ! > > Best regards, > > Debian, > > 'Principal' is what the logged in user is called. Think of it as a box > containing id, attributes, etc. > > Ray > > On Mon, 2019-05-27 at 04:31 -0700, Debian HNT wrote: > > > Hi Ray, > > It is a message that CAS is displaying "Service access denied due to > missing privileges." > > > Here's the logs > > 2019-05-27 13:02:15,646 WARN > [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - > <Unauthorized service access for principal; CAS will be redirecting to [ > https://castete.univ.com/aide/blocked.html]> > 2019-05-27 13:02:53,173 WARN > [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot > grant access to service [https://castete.univ.com/cas/status/dashboard] > because it is not authorized for use by [student.stu].> > 2019-05-27 13:02:53,174 INFO > [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit > trail record BEGIN > ============================================================= > WHO: audit:unknown > WHAT: [result=Service Access Denied,service=<a href=" > https://castete.univ.com/cas/sta.."; rel="nofollow" target="_blank" > onmousedown="this.href=' > https://www.google.com/url?q\x3dhttps%3A%2F%2Fcastete.univ.com%2Fcas%2Fsta. > <https://www.google.com/url?q%5Cx3dhttps%3A%2F%2Fcastete.univ.com%2Fcas%2Fsta.>.\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFMrmnnfS23DGhW7lrC8IVAj736-A';return > > true;" onclick="this.href='https://www.googl > > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2220f145-cf6f-4c49-8ae4-a38c48d69749%40apereo.org.
