Newbie question here.  I have CAS 6.1.1 running with LDAP as a backend.  
I've gotten proxy to work, but need to limit access to the service to 
members of a group. I’ve been trying to use “accessStrategy” to accomplish 
this. Unfortunately, I'm failing to understand how to both limit access to 
a service and allow the proxy callback to occur.  It seems obvious that I 
should find a way to allow access to the service, but how?
My service definition (currently) looks like this:

{
  /*
   *  Allow website access
   */
  "@class" :            "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" :         "^https://webmail.example.com.*",
  "name" :              "webmail",
  "id" :                1503935297,
  "evaluationOrder" :   89,
  "description" : " Webmail ",
  "proxyPolicy" : {
    "@class" : "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
    "pattern" : "^(https?://webmail.example.com.*)"
  },
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "memberOf" : [ "java.util.HashSet", [ "CN=WebMailUsers,OU=Inet,DC=example,DC=com" ] ]
    }
  }
}


Which limits the initial login to the service to the users in the group, as 
expected.  It also does not permit the proxy callback (coming from an app 
with CAS.php implementing the proxy) to occur. I get errors such as:


2019-12-10 15:46:12,717 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot grant access to service [https://webmail.example.com/?_action=caslogin] because it is not authorized for use by [https://webmail.example.com/?_action=pgtcallback].>

2019-12-10 15:46:12,718 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: https://webmail.example.com?_action=pgtcallback
WHAT: [result=Service Access Denied,requiredAttributes={memberOf=[CN=WebMailUsers,OU=Inet,DC=example,DC=com]}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue Dec 10 15:46:12 PST 2019
CLIENT IP ADDRESS: 10.10.77.70
SERVER IP ADDRESS: 10.10.77.100
=============================================================


How can I permit access to this service for the proxy callback, while still 
limiting access to users in the webmail group?
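
As an added example (not from the original post and not CAS's own evaluation code), the following Python script is a simplified model of the two checks visible in the audit record above: whether a URL matches the serviceId regex, and whether every requiredAttributes entry is satisfied by the principal's attributes. It assumes, as the audit record suggests, that the PGT callback is evaluated with no principal attributes; the service JSON embedded below is a constructed copy of the posted definition with its syntax fixed and unrelated fields dropped.

```python
import json
import re

# Constructed input: the poster's service definition, syntax fixed, unrelated fields removed.
SERVICE_JSON = r'''{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://webmail.example.com.*",
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "memberOf" : [ "java.util.HashSet", [ "CN=WebMailUsers,OU=Inet,DC=example,DC=com" ] ]
    }
  }
}'''

LOGIN_URL = "https://webmail.example.com/?_action=caslogin"
CALLBACK_URL = "https://webmail.example.com/?_action=pgtcallback"
MEMBER = {"memberOf": ["CN=WebMailUsers,OU=Inet,DC=example,DC=com"]}
OUTSIDER = {"memberOf": ["CN=Staff,OU=Inet,DC=example,DC=com"]}  # constructed non-member
NO_ATTRIBUTES = {}  # assumption: the PGT callback carries no principal attributes

def unwrap(value):
    """Strip Jackson type hints such as [ "java.util.HashSet", [ ... ] ] and "@class" keys."""
    if isinstance(value, list) and len(value) == 2 and str(value[0]).startswith("java.util."):
        return unwrap(value[1])
    if isinstance(value, dict):
        return {k: unwrap(v) for k, v in value.items() if k != "@class"}
    return value

def matches_service(service, url):
    """serviceId is a regex: every URL it matches is handled by this one definition."""
    return re.match(service["serviceId"], url) is not None

def access_granted(service, principal_attributes):
    """Each requiredAttributes entry must share at least one value with the principal."""
    required = unwrap(service["accessStrategy"].get("requiredAttributes", {}))
    return all(set(principal_attributes.get(name, [])) & set(wanted)
               for name, wanted in required.items())

def evaluate(service_json=SERVICE_JSON):
    service = json.loads(service_json)
    return {
        "login_matches_serviceId": matches_service(service, LOGIN_URL),
        "callback_matches_serviceId": matches_service(service, CALLBACK_URL),
        "member_login_granted": access_granted(service, MEMBER),
        "outsider_login_granted": access_granted(service, OUTSIDER),
        "callback_granted": access_granted(service, NO_ATTRIBUTES),
    }
```

Both URLs fall under the same serviceId regex, so the same requiredAttributes check is applied to the callback as to the user login. Note also that the unescaped dots in the serviceId match any character, so the pattern accepts hostnames other than the literal webmail.example.com.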

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e6448642-c8c6-4641-abe1-f76ecb4e0cd6%40apereo.org.