At least the way the documentation is written for the provided example, it does not suggest a logical OR when evaluating the conditions (in my interpretation).
"The principal *also* must not have an attribute role whose value matches the pattern deny.+." In our case it is in fact the same (multivalued) attribute, but we're trying to use differing possible values to construct this conditional. FWIW, I'd like to ultimately redirect the user to a different unauthorizedRedirectUrl depending on which condition was matched, but first I need to get the basic compound conditional policy working as desired. < https://apereo.github.io/cas/7.0.x/services/Service-Access-Strategy-URL.html > I'm not opposed to a groovy script, but I have very little experience with that. I'm not even sure how to know what I have available to work with from CAS. Like, how would I access those attribute values? Are there any help examples in the documentation (I find very difficult to find this sort of stuff in CAS's current docs) On Sun, Feb 18, 2024 at 7:16 AM Ray Bon <r...@uvic.ca> wrote: > Baron, > > Without looking at the code, this may be treated as an 'or'. That is, user > does not have allow [ false ] but also does not have reject [ ! false ]. > You may be able to use a groovy condition (described on the same page) or > a custom solution, > https://apereo.github.io/cas/7.0.x/services/Service-Access-Strategy-Custom.html > <https://urldefense.com/v3/__https://apereo.github.io/cas/7.0.x/services/Service-Access-Strategy-Custom.html__;!!PvDODwlR4mBZyAb0!VAISCeYa2gAzdr16TqO9yvmg_cm3Kl0UD5Vz57Pm59Tx2AGaCT9mkSPwI8UxkIYIrXOgU8mAfUb8$> > > Could the same attribute used for allow and deny be an issue (unless those > attribute name are examples). > > Ray > > On Fri, 2024-02-16 at 17:06 -1000, Baron Fujimoto wrote: > > Notice: This message was sent from outside the University of Victoria > email system. Please be cautious with links and sensitive information. > > I'm trying to create a CAS service access strategy that achieves the > following: > > - require an attribute to have a specific "allow" value > > and yet also > > - deny if an attribute as a specific "deny" value > > i.e., both conditions must be met for successful AuthN. > > I have been using the following documentation as a reference guide: > > < > https://apereo.github.io/cas/7.0.x/services/Service-Access-Strategy-ABAC.html > <https://urldefense.com/v3/__https://apereo.github.io/cas/7.0.x/services/Service-Access-Strategy-ABAC.html__;!!PvDODwlR4mBZyAb0!VAISCeYa2gAzdr16TqO9yvmg_cm3Kl0UD5Vz57Pm59Tx2AGaCT9mkSPwI8UxkIYIrXOgU3HKrA3Z$> > > > > I believe that documentation's section on rejected attributes provides an > example that conceptually implements our desired outcome. > > I have been successful if I try to implement only one of the conditions. > I.e., both of these work as expected: > > Required ABAC attribute value: > > "accessStrategy" : { > "@class" : > "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy", > "requiredAttributes" : { > "@class" : "java.util.HashMap", > "ABAC_Attribute" : [ "java.util.HashSet", [ "required_allow_value" ] > ] > }, > } > > Deny if ABAC attribute value: > > "accessStrategy" : { > "@class" : > "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy", > "rejectedAttributes" : { > "@class" : "java.util.HashMap", > "ABAC_Attribute" : [ "java.util.HashSet", [ "rejected_deny_value" ] ] > } > } > > ABAC_Attribute in our case is a multivalued attribute that can take > arbitrary values, including those used above. > > However, once they are combined as suggested based by the ABAC > documentation's rejected attributes example as so: > > "accessStrategy" : { > "@class" : > "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy", > "requiredAttributes" : { > "@class" : "java.util.HashMap", > "ABAC_Attribute" : [ "java.util.HashSet", [ "required_allow_value" ] > ] > }, > "rejectedAttributes" : { > "@class" : "java.util.HashMap", > "ABAC_Attribute" : [ "java.util.HashSet", [ "rejected_deny_value" ] ] > } > } > > Then CAS still lets the AuthN succeed even if > ABAC_Attribute==required_allow_value is not satisfied. > > Does anyone know what I might be missing or misunderstanding here? How do > I achieve our desired effect? > > -- > Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services > minutas cantorum, minutas balorum, minutas carboratum descendus pantorum > > > -- > - Website: https://apereo.github.io/cas > <https://urldefense.com/v3/__https://apereo.github.io/cas__;!!PvDODwlR4mBZyAb0!VAISCeYa2gAzdr16TqO9yvmg_cm3Kl0UD5Vz57Pm59Tx2AGaCT9mkSPwI8UxkIYIrXOgU1Qsqo9c$> > - Gitter Chatroom: https://gitter.im/apereo/cas > <https://urldefense.com/v3/__https://gitter.im/apereo/cas__;!!PvDODwlR4mBZyAb0!VAISCeYa2gAzdr16TqO9yvmg_cm3Kl0UD5Vz57Pm59Tx2AGaCT9mkSPwI8UxkIYIrXOgU6nzV4Pz$> > - List Guidelines: https://goo.gl/1VRrw7 > <https://urldefense.com/v3/__https://goo.gl/1VRrw7__;!!PvDODwlR4mBZyAb0!VAISCeYa2gAzdr16TqO9yvmg_cm3Kl0UD5Vz57Pm59Tx2AGaCT9mkSPwI8UxkIYIrXOgU7ccNzGU$> > - Contributions: https://goo.gl/mh7qDG > <https://urldefense.com/v3/__https://goo.gl/mh7qDG__;!!PvDODwlR4mBZyAb0!VAISCeYa2gAzdr16TqO9yvmg_cm3Kl0UD5Vz57Pm59Tx2AGaCT9mkSPwI8UxkIYIrXOgU1V3M7ly$> > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to cas-user+unsubscr...@apereo.org. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/48c5b03588667afbae87b85335d1f46873a47a9a.camel%40uvic.ca > <https://urldefense.com/v3/__https://groups.google.com/a/apereo.org/d/msgid/cas-user/48c5b03588667afbae87b85335d1f46873a47a9a.camel*40uvic.ca?utm_medium=email&utm_source=footer__;JQ!!PvDODwlR4mBZyAb0!VAISCeYa2gAzdr16TqO9yvmg_cm3Kl0UD5Vz57Pm59Tx2AGaCT9mkSPwI8UxkIYIrXOgU3X6G5Gj$> > . > -- Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services minutas cantorum, minutas balorum, minutas carboratum descendus pantorum -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL1GFWrHvqy2k27FYr8%2BHZLAbZ0sEH38Wxr6BQ3uHS9bXw%40mail.gmail.com.
