I'm trying to create a CAS service access strategy that achieves the
following:

- require an attribute to have a specific "allow" value

and yet also

- deny if an attribute has a specific "deny" value

i.e., both conditions must be met for successful AuthN.

I have been using the following documentation as a reference guide:

<https://apereo.github.io/cas/7.0.x/services/Service-Access-Strategy-ABAC.html>

I believe that documentation's section on rejected attributes provides an
example that conceptually implements our desired outcome.

I have been successful if I try to implement only one of the conditions.
I.e., both of these work as expected:

Required ABAC attribute value:

  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "ABAC_Attribute" : [ "java.util.HashSet", [ "required_allow_value" ] ]
    }
  }

Deny if ABAC attribute value:

  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "rejectedAttributes" : {
      "@class" : "java.util.HashMap",
      "ABAC_Attribute" : [ "java.util.HashSet", [ "rejected_deny_value" ] ]
    }
  }

ABAC_Attribute in our case is a multivalued attribute that can take
arbitrary values, including those used above.

However, once they are combined as suggested by the ABAC
documentation's rejected attributes example, like so:

  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "ABAC_Attribute" : [ "java.util.HashSet", [ "required_allow_value" ] ]
    },
    "rejectedAttributes" : {
      "@class" : "java.util.HashMap",
      "ABAC_Attribute" : [ "java.util.HashSet", [ "rejected_deny_value" ] ]
    }
  }

Then CAS still lets the AuthN succeed even if
ABAC_Attribute==required_allow_value is not satisfied.

Does anyone know what I might be missing or misunderstanding here? How do I
achieve our desired effect?

-- 
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL2VBmmrwF%2BD9qz8ZtpWDTXMvc2m8J27XjuQ0hgOBB9ufg%40mail.gmail.com.
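For anyone who wants to pin down the intended semantics before editing the service registry, here is an added example (my own code, not CAS project code, and not a statement of how CAS itself evaluates these fields): a small Python evaluator that parses the accessStrategy JSON from the post above and applies "required value must be present AND rejected value must be absent" to a principal's multi-valued attributes. The sample principals and the matching rule (any one listed value satisfies a required attribute; any one listed value triggers a reject) are assumptions made for illustration.

```python
"""Evaluate a CAS-style access strategy against a principal's attributes.

Added example, not CAS code. It models the policy the post asks for
(required attribute value present AND no rejected value present) so the
expected allow/deny outcomes can be unit-tested independently of CAS.
"""
import json

# Constructed service definition, same shape as the combined example in the post.
SERVICE_JSON = """
{
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "ABAC_Attribute" : [ "java.util.HashSet", [ "required_allow_value" ] ]
    },
    "rejectedAttributes" : {
      "@class" : "java.util.HashMap",
      "ABAC_Attribute" : [ "java.util.HashSet", [ "rejected_deny_value" ] ]
    }
  }
}
"""


def unwrap(value):
    """Strip the Jackson type hints CAS writes into its JSON.

    A map is serialised as {"@class": "java.util.HashMap", ...} and a set as
    ["java.util.HashSet", [ ... ]]; return plain dicts and sets of strings.
    """
    if isinstance(value, dict):
        return {k: unwrap(v) for k, v in value.items() if k != "@class"}
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and value[0].startswith("java.util.")):
        return {str(v) for v in value[1]}
    if isinstance(value, list):
        return {str(v) for v in value}
    return {str(value)}


def load_strategy(service_json):
    """Return (required, rejected) as {attribute_name: set_of_values}."""
    strategy = json.loads(service_json)["accessStrategy"]
    return (unwrap(strategy.get("requiredAttributes", {})),
            unwrap(strategy.get("rejectedAttributes", {})))


def evaluate(principal_attrs, required, rejected):
    """Return (allowed, reason) for a principal's attribute map.

    Assumed policy (what the post wants, not a claim about CAS behaviour):
      1. every required attribute carries at least one of its listed values
      2. no rejected attribute carries any of its listed values
    Attributes are multi-valued, so each principal attribute becomes a set.
    """
    attrs = {}
    for name, value in principal_attrs.items():
        values = value if isinstance(value, (list, set, tuple)) else [value]
        attrs[name] = {str(v) for v in values}

    for name, wanted in required.items():
        if not (attrs.get(name, set()) & wanted):
            return False, f"required attribute {name} lacks any of {sorted(wanted)}"
    for name, forbidden in rejected.items():
        hit = attrs.get(name, set()) & forbidden
        if hit:
            return False, f"rejected attribute {name} carries {sorted(hit)}"
    return True, "all required values present, no rejected values present"


if __name__ == "__main__":
    # Constructed principals covering the allow case and each deny path.
    required, rejected = load_strategy(SERVICE_JSON)
    samples = {
        "allowed": {"ABAC_Attribute": ["required_allow_value", "other"]},
        "missing required value": {"ABAC_Attribute": ["other"]},
        "carries rejected value": {"ABAC_Attribute": ["required_allow_value",
                                                      "rejected_deny_value"]},
        "no attribute at all": {},
    }
    for label, attrs in samples.items():
        allowed, reason = evaluate(attrs, required, rejected)
        print(f"{label:24s} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The second sample ("missing required value") is the case the post reports CAS waving through; running the evaluator gives a concrete expected outcome to compare a test service against, and the reason strings make it obvious which of the two rules denied access.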