Okay, if it is known behavior then I have to consider this, since my CAS has multiple instances and I should allow them all. Thanks for your interest.
On Tuesday, 17 December 2019 09:19:53 UTC+3, Cemal Önder wrote:
>
> I want to use the REST Protocol in my services. For this, I enabled the REST
> Protocol and am trying to get a TGT. Also, all examples were based on generic
> service registration, which I don't want in a prod environment.
>
> Here
> <https://apereo.github.io/cas/6.1.x/services/JSON-Service-Management.html#json-syntax>
> is the generic service registry example that should *not* be used in a prod
> environment. And I did not use this in my environment:
>
> {
>   /*
>     Generic service definition that applies to https/imaps urls
>     that wish to register with CAS for authentication.
>   */
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^(https|imaps)://.*",
>   "name" : "HTTPS and IMAPS",
>   "id" : 10000001,
> }
>
> Instead, I have the following one:
>
> {
>   "@class": "org.apereo.cas.services.RegexRegisteredService",
>   // this service will match all the requests containing test in the request url
>   "serviceId": "^https?:\\/\\/.*test($|\\/).*$",
>   "name": "Test",
>   "id": 1,
>   "description": "Test service",
>   "evaluationOrder": 2,
>   "requiredHandlers": [
>     "java.util.HashSet",
>     [
>       "TestHandler"
>     ]
>   ],
>   "attributeReleasePolicy": {
>     "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   },
>   "properties": {
>     "@class": "java.util.HashMap",
>     "jwtAsServiceTicket": {
>       "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>       "values": [
>         "java.util.HashSet",
>         [
>           "true"
>         ]
>       ]
>     }
>   }
> }
>
> I can not request a ticket granting ticket as explained here
> <https://apereo.github.io/cas/6.1.x/protocol/REST-Protocol.html#request-a-ticket-granting-ticket>:
>
> POST /cas/v1/tickets HTTP/1.0
> 'Content-type': 'Application/x-www-form-urlencoded'
> username=battags&password=password&additionalParam1=paramvalue
>
> I got the following exception:
>
> Unauthorized Service Access. Service [] is not found in service registry
>
> When I debug the code, I can see that the TGT is created and my registered
> service works fine. An exception is thrown because of the registered service
> check against the CAS server in JwtBuilder
> <https://github.com/apereo/cas/blob/master/support/cas-server-support-token-core-api/src/main/java/org/apereo/cas/token/JwtBuilder.java#L134>
>
> val registeredService = payload.getRegisteredService() == null
>     ? locateRegisteredService(serviceAudience)
>     : payload.getRegisteredService();
> RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(registeredService);
>
> Here CAS tries to check if service access is allowed.
> payload.getRegisteredService returns null and locateRegisteredService is
> called with serviceAudience, then ensureServiceAccessIsAllowed throws the
> exception.
>
> Problem is: *serviceAudience* is always filled
> <https://github.com/apereo/cas/blob/master/support/cas-server-support-token-core-api/src/main/java/org/apereo/cas/token/JwtTokenTicketBuilder.java#L78>
> with the *CAS server prefix*, which means there must be a service definition
> that matches the *CAS server prefix*. All examples work when I enable the
> generic service definition, but when I remove it, the TGT is not returned
> because of the above check.
>
> Any idea, solution? I don't want to allow everyone to be able to create a TGT.
> I can add a service definition that only matches the CAS prefix also, but
> first it is better to understand if I missed something or if this is a bug.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/bd9e26ac-b741-4fdc-bfb2-7f97a179da13%40apereo.org.
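The approach the reply settles on, as an added example that is not part of the thread: a JSON service definition that matches only the CAS server prefix of each instance, so the JwtBuilder audience lookup finds a service without the catch-all `^(https|imaps)://.*` definition. The hostnames, the regex and the id are assumptions; comments are allowed because CAS reads these files as HJSON, as the quoted definitions already rely on.

```json
{
  /*
    Added example (not from the thread). Matches the CAS server prefix of
    every instance, e.g. https://cas-1.example.org and https://cas-2.example.org
    (constructed hostnames), and nothing else. A lower evaluationOrder makes
    it win over the broader "Test" definition (evaluationOrder 2).
  */
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://cas-[0-9]+\\.example\\.org(/.*)?$",
  "name" : "CAS server prefix",
  "id" : 2,
  "description" : "Satisfies the JWT audience check for all CAS instances",
  "evaluationOrder" : 1
}
```

Keeping the regex anchored to the CAS hosts, rather than any https URL, limits the service that is implicitly trusted by the REST ticket flow to the CAS instances themselves.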
