Nope, I apparently erred in my testing. It does in fact seem to work as
expected. I went over the permutations once again (more meticulously this
time), and recorded the following results:
required: ABAC_attribute == "required_allow_value"
reject: ABAC_attribute != "rejected_deny_value"
desired result: Y Access is allowed.
required: ABAC_attribute != "required_allow_value"
reject: ABAC_attribute != "rejected_deny_value"
desired result: Y Access is denied. The principal does not have
the required attributes [{ABAC_attribute=[required_allow_value]}]
required: ABAC_attribute != "required_allow_value"
reject: ABAC_attribute == "rejected_deny_value"
desired result: Y Access is denied. The principal carries
attributes that would reject service access
required: ABAC_attribute == "required_allow_value"
reject: ABAC_attribute == "rejected_deny_value"
desired result: Y Access is denied. The principal carries
attributes that would reject service access
My apologies for the confusion. Mea culpa.
It doesn't appear that unauthorizedRedirectUrl may be scoped to
either requiredAttributes nor rejectedAttributes, but is instead scoped
to accessStrategy, so we're not yet able to differentiate our redirectUrls
to specific cause of failure, but I think we should probably be able to
craft a dynamic URL for that.
<
https://apereo.github.io/cas/7.0.x/services/Service-Access-Strategy-URL.html#dynamic-urls
>
On Tue, Feb 20, 2024 at 11:01 AM Baron Fujimoto <ba...@hawaii.edu> wrote:
> At least the way the documentation is written for the provided example, it
> does not suggest a logical OR when evaluating the conditions (in my
> interpretation).
>
> "The principal *also* must not have an attribute role whose value matches
> the pattern deny.+."
>
> In our case it is in fact the same (multivalued) attribute, but we're
> trying to use differing possible values to construct this conditional.
>
> FWIW, I'd like to ultimately redirect the user to a different
> unauthorizedRedirectUrl depending on which condition was matched, but first
> I need to get the basic compound conditional policy working as desired.
> <
> https://apereo.github.io/cas/7.0.x/services/Service-Access-Strategy-URL.html
> >
>
> I'm not opposed to a groovy script, but I have very little experience with
> that. I'm not even sure how to know what I have available to work with from
> CAS. Like, how would I access those attribute values? Are there any help
> examples in the documentation (I find very difficult to find this sort of
> stuff in CAS's current docs)
>
> On Sun, Feb 18, 2024 at 7:16 AM Ray Bon <r...@uvic.ca> wrote:
>
>> Baron,
>>
>> Without looking at the code, this may be treated as an 'or'. That is,
>> user does not have allow [ false ] but also does not have reject [ ! false
>> ].
>> You may be able to use a groovy condition (described on the same page) or
>> a custom solution,
>> https://apereo.github.io/cas/7.0.x/services/Service-Access-Strategy-Custom.html
>> <https://urldefense.com/v3/__https://apereo.github.io/cas/7.0.x/services/Service-Access-Strategy-Custom.html__;!!PvDODwlR4mBZyAb0!VAISCeYa2gAzdr16TqO9yvmg_cm3Kl0UD5Vz57Pm59Tx2AGaCT9mkSPwI8UxkIYIrXOgU8mAfUb8$>
>>
>> Could the same attribute used for allow and deny be an issue (unless
>> those attribute name are examples).
>>
>> Ray
>>
>> On Fri, 2024-02-16 at 17:06 -1000, Baron Fujimoto wrote:
>>
>> Notice: This message was sent from outside the University of Victoria
>> email system. Please be cautious with links and sensitive information.
>>
>> I'm trying to create a CAS service access strategy that achieves the
>> following:
>>
>> - require an attribute to have a specific "allow" value
>>
>> and yet also
>>
>> - deny if an attribute as a specific "deny" value
>>
>> i.e., both conditions must be met for successful AuthN.
>>
>> I have been using the following documentation as a reference guide:
>>
>> <
>> https://apereo.github.io/cas/7.0.x/services/Service-Access-Strategy-ABAC.html
>> <https://urldefense.com/v3/__https://apereo.github.io/cas/7.0.x/services/Service-Access-Strategy-ABAC.html__;!!PvDODwlR4mBZyAb0!VAISCeYa2gAzdr16TqO9yvmg_cm3Kl0UD5Vz57Pm59Tx2AGaCT9mkSPwI8UxkIYIrXOgU3HKrA3Z$>
>> >
>>
>> I believe that documentation's section on rejected attributes provides an
>> example that conceptually implements our desired outcome.
>>
>> I have been successful if I try to implement only one of the conditions.
>> I.e., both of these work as expected:
>>
>> Required ABAC attribute value:
>>
>> "accessStrategy" : {
>> "@class" :
>> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>> "requiredAttributes" : {
>> "@class" : "java.util.HashMap",
>> "ABAC_Attribute" : [ "java.util.HashSet", [ "required_allow_value"
>> ] ]
>> },
>> }
>>
>> Deny if ABAC attribute value:
>>
>> "accessStrategy" : {
>> "@class" :
>> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>> "rejectedAttributes" : {
>> "@class" : "java.util.HashMap",
>> "ABAC_Attribute" : [ "java.util.HashSet", [ "rejected_deny_value" ]
>> ]
>> }
>> }
>>
>> ABAC_Attribute in our case is a multivalued attribute that can take
>> arbitrary values, including those used above.
>>
>> However, once they are combined as suggested based by the ABAC
>> documentation's rejected attributes example as so:
>>
>> "accessStrategy" : {
>> "@class" :
>> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>> "requiredAttributes" : {
>> "@class" : "java.util.HashMap",
>> "ABAC_Attribute" : [ "java.util.HashSet", [ "required_allow_value"
>> ] ]
>> },
>> "rejectedAttributes" : {
>> "@class" : "java.util.HashMap",
>> "ABAC_Attribute" : [ "java.util.HashSet", [ "rejected_deny_value" ]
>> ]
>> }
>> }
>>
>> Then CAS still lets the AuthN succeed even if
>> ABAC_Attribute==required_allow_value is not satisfied.
>>
>> Does anyone know what I might be missing or misunderstanding here? How do
>> I achieve our desired effect?
>>
>> --
>> Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
>> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
>>
>>
>> --
>> - Website: https://apereo.github.io/cas
>> <https://urldefense.com/v3/__https://apereo.github.io/cas__;!!PvDODwlR4mBZyAb0!VAISCeYa2gAzdr16TqO9yvmg_cm3Kl0UD5Vz57Pm59Tx2AGaCT9mkSPwI8UxkIYIrXOgU1Qsqo9c$>
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> <https://urldefense.com/v3/__https://gitter.im/apereo/cas__;!!PvDODwlR4mBZyAb0!VAISCeYa2gAzdr16TqO9yvmg_cm3Kl0UD5Vz57Pm59Tx2AGaCT9mkSPwI8UxkIYIrXOgU6nzV4Pz$>
>> - List Guidelines: https://goo.gl/1VRrw7
>> <https://urldefense.com/v3/__https://goo.gl/1VRrw7__;!!PvDODwlR4mBZyAb0!VAISCeYa2gAzdr16TqO9yvmg_cm3Kl0UD5Vz57Pm59Tx2AGaCT9mkSPwI8UxkIYIrXOgU7ccNzGU$>
>> - Contributions: https://goo.gl/mh7qDG
>> <https://urldefense.com/v3/__https://goo.gl/mh7qDG__;!!PvDODwlR4mBZyAb0!VAISCeYa2gAzdr16TqO9yvmg_cm3Kl0UD5Vz57Pm59Tx2AGaCT9mkSPwI8UxkIYIrXOgU1V3M7ly$>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+unsubscr...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/48c5b03588667afbae87b85335d1f46873a47a9a.camel%40uvic.ca
>> <https://urldefense.com/v3/__https://groups.google.com/a/apereo.org/d/msgid/cas-user/48c5b03588667afbae87b85335d1f46873a47a9a.camel*40uvic.ca?utm_medium=email&utm_source=footer__;JQ!!PvDODwlR4mBZyAb0!VAISCeYa2gAzdr16TqO9yvmg_cm3Kl0UD5Vz57Pm59Tx2AGaCT9mkSPwI8UxkIYIrXOgU3X6G5Gj$>
>> .
>>
>
>
> --
> Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
>
--
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL0HUX%3DyDU2Uebc%3D-aB5Dn%3DwLC%2Br%2BSuAtnk84BXs_-96Sw%40mail.gmail.com.
