I want to use the REST Protocol in my services. For this, I enabled the REST Protocol and am trying to get a TGT. Also, all examples were based on generic service registration, which I don't want in the prod environment.
Here <https://apereo.github.io/cas/6.1.x/services/JSON-Service-Management.html#json-syntax> is the generic service registry example that should *not* be used in a prod environment. I did not use this in my environment:

    {
      /* Generic service definition that applies to https/imaps urls
         that wish to register with CAS for authentication. */
      "@class" : "org.apereo.cas.services.RegexRegisteredService",
      "serviceId" : "^(https|imaps)://.*",
      "name" : "HTTPS and IMAPS",
      "id" : 10000001,
    }

Instead, I have the following one:

    {
      "@class": "org.apereo.cas.services.RegexRegisteredService",
      // this service will match all the requests containing "test" in the request url
      "serviceId": "^https?:\\/\\/.*test($|\\/).*$",
      "name": "Test",
      "id": 1,
      "description": "Test service",
      "evaluationOrder": 2,
      "requiredHandlers": [ "java.util.HashSet", [ "TestHandler" ] ],
      "attributeReleasePolicy": {
        "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
      },
      "properties": {
        "@class": "java.util.HashMap",
        "jwtAsServiceTicket": {
          "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
          "values": [ "java.util.HashSet", [ "true" ] ]
        }
      }
    }

I cannot request a ticket granting ticket as explained here <https://apereo.github.io/cas/6.1.x/protocol/REST-Protocol.html#request-a-ticket-granting-ticket>:

    POST /cas/v1/tickets HTTP/1.0
    'Content-type': 'Application/x-www-form-urlencoded'

    username=battags&password=password&additionalParam1=paramvalue

I got the following exception:

    Unauthorized Service Access. Service [] is not found in service registry

When I debug the code, I can see that the TGT is created and my registered service works fine. The exception is thrown because of the registered service check against the CAS server in JwtBuilder <https://github.com/apereo/cas/blob/master/support/cas-server-support-token-core-api/src/main/java/org/apereo/cas/token/JwtBuilder.java#L134>:

    val registeredService = payload.getRegisteredService() == null
        ? locateRegisteredService(serviceAudience)
        : payload.getRegisteredService();
    RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(registeredService);

Here CAS tries to check if service access is allowed. payload.getRegisteredService() returns null and locateRegisteredService is called with serviceAudience, then ensureServiceAccessIsAllowed throws the exception. The problem is: *serviceAudience* is always filled <https://github.com/apereo/cas/blob/master/support/cas-server-support-token-core-api/src/main/java/org/apereo/cas/token/JwtTokenTicketBuilder.java#L78> with the *CAS server prefix*, which means there must be a service definition that matches the *CAS server prefix*. All examples work when I enable the generic service definition, but when I remove it, the TGT is not returned because of the above check.

Any idea or solution? I don't want to allow everyone to be able to create a TGT. I can add a service definition that only matches the CAS prefix, but first it is better to understand if I am missing something or if this is a bug.
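The following Python model, added here as an illustration and not code from the poster or from the CAS project, reproduces the lookup the post describes: the JWT audience (the CAS server prefix) is matched against the registry's serviceId regexes, and when nothing matches, access is refused. It parses the poster's own definition from the JSON shown above (so the `\\/` escaping round-trips to the real regex), adds a hypothetical second definition scoped to the CAS server prefix only, and shows that the narrow CAS-prefix entry satisfies the check without a catch-all `^(https|imaps)://.*` service. The CAS server URL `https://cas.example.org/cas`, the second service's name and id, the comment-stripping loader, and the use of a plain regex search are assumptions of this example.

```python
import json
import re

# Constructed sample input: the poster's definition as it appears on the page,
# including the HJSON-style // comment CAS service files allow.
TEST_SERVICE_JSON = r'''
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  // this service will match all the requests containing "test" in the request url
  "serviceId": "^https?:\\/\\/.*test($|\\/).*$",
  "name": "Test",
  "id": 1,
  "description": "Test service",
  "evaluationOrder": 2
}
'''

# Hypothetical definition (an assumption of this example) that matches only the
# CAS server's own prefix, instead of every https/imaps URL.
CAS_PREFIX_SERVICE_JSON = r'''
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://cas\\.example\\.org/cas(/.*)?$",
  "name": "CAS server prefix only",
  "id": 2,
  "evaluationOrder": 1
}
'''


def load_service_json(text):
    """Parse a CAS-style service definition.

    Simplified stand-in for CAS's HJSON reader: only whole-line // comments are
    removed before handing the text to json.loads.
    """
    stripped = "\n".join(
        line for line in text.splitlines() if not line.lstrip().startswith("//")
    )
    return json.loads(stripped)


def service_matches(definition, url):
    """True when the definition's serviceId regex matches the given URL.

    Assumption: the serviceId is treated as a regular expression. Both sample
    patterns are anchored with ^...$, so search() and fullmatch() agree here.
    """
    return re.search(definition["serviceId"], url) is not None


def locate_registered_service(registry, url):
    """Return the first matching definition, lowest evaluationOrder first, else None."""
    for definition in sorted(registry, key=lambda d: d.get("evaluationOrder", 0)):
        if service_matches(definition, url):
            return definition
    return None


def ensure_service_access_is_allowed(registry, audience):
    """Model of the check described in the post: the JWT audience (the CAS server
    prefix) must resolve to a registered service, otherwise access is refused."""
    definition = locate_registered_service(registry, audience)
    if definition is None:
        raise PermissionError(
            f"Unauthorized Service Access. Service [{audience}] is not found in service registry"
        )
    return definition["name"]


if __name__ == "__main__":
    cas_server_prefix = "https://cas.example.org/cas"  # assumed CAS server URL
    test_service = load_service_json(TEST_SERVICE_JSON)
    cas_prefix_service = load_service_json(CAS_PREFIX_SERVICE_JSON)

    # Registry containing only the poster's "Test" service: the audience does
    # not match, so the TGT request is refused.
    try:
        ensure_service_access_is_allowed([test_service], cas_server_prefix)
    except PermissionError as exc:
        print("only Test service registered ->", exc)

    # Adding a definition scoped to the CAS prefix alone satisfies the check
    # while still not matching arbitrary https URLs.
    registry = [test_service, cas_prefix_service]
    print("with CAS-prefix service ->", ensure_service_access_is_allowed(registry, cas_server_prefix))
    print("arbitrary URL still unmatched ->",
          locate_registered_service(registry, "https://other.example.org/app"))
```

Running the script prints the refusal for the registry with only the "Test" service, then the name of the CAS-prefix definition once it is added, while an unrelated URL still resolves to no service.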
