Restricting service access based on uid


Sebastien BEAUDLOT

Dec 13, 2017, 4:00:08 AM12/13/17
to cas-user
Hi,
I'm using LDAP with CAS 5.1.5 and want to try restricting access to a service for some users.
What I did in the service definition:

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "uid" : [ "java.util.HashSet", [ "user1, user2" ] ]
    }
  }

In cas.properties, I have

cas.authn.ldap[0].principalAttributeId=uid

and

cas.authn.attributeRepository.defaultAttributesToRelease=uid

but these users cannot access the service: Cannot grant access to service [http://service.domain.tld/] because it is not authorized for use by [user1]

What am I missing?

Regards.

--
Sébastien BEAUDLOT

Network, telephony and mobile fleet administrator

Direction Opérationnelle des Systèmes d'Information ( DOSI )
Pôle Infrastructures
Université d'Avignon et des Pays de Vaucluse

Tel: 04.90.16.26.04
--

Uxío

Dec 13, 2017, 4:57:16 AM12/13/17
to cas-...@apereo.org
Is that a suspicious population of a list with comma-separated values in a string containing an implicit list, instead of with an explicit list of strings? Or is it really meant to be comma-separated values in a string?

You received this message because you are subscribed to the Google Groups "CAS Community" group.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/937867729.1173640.1513155605101.JavaMail.zimbra%40univ-avignon.fr.

Sebastien BEAUDLOT

Dec 13, 2017, 5:01:20 AM12/13/17
to cas-user
Hi,

Syntax is based on the documentation example: https://apereo.github.io/cas/5.1.x/installation/Configuring-Service-Access-Strategy.html (Enforce Attributes)



Sebastien BEAUDLOT

Dec 13, 2017, 5:02:22 AM12/13/17
to cas-user
Seems it is actually a problem with attribute resolution:

2017-12-13 10:56:45,286 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Locating principal attributes for [user1]>
2017-12-13 10:56:45,287 DEBUG [org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository] - <[DefaultPrincipalAttributesRepository] will return the collection of attributes directly associated with the principal object which are [{}]>
2017-12-13 10:56:45,289 DEBUG [org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository] - <Could not find principal [user1] in the repository so no attributes are returned.>


Sebastien BEAUDLOT

Dec 13, 2017, 9:01:18 AM12/13/17
to cas-user
You were right, the documentation shows a bad way to write multiple values. The good way is: "user1", "user2", "user3"

I found the problem. uid needs to be explicitly defined in cas.authn.ldap[0].principalAttributeList so it can be released and then used in the service access strategy.

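To catch both mistakes from this thread before a user is denied (a comma-joined string where a list of values was meant, and a required attribute that is never released), here is an added Python lint, written for this page and not part of the thread or of CAS itself, that parses a service definition and cas.properties. It assumes principalAttributeList is a plain comma-separated list of names, and it models the access decision as exact-value membership rather than CAS's own matching rules; the sample service and properties are constructed to reproduce the thread's setup.

```python
import json
import re

# Constructed service definition: the comma-joined value is the bug from the thread.
BROKEN_SERVICE = '''{
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "uid" : [ "java.util.HashSet", [ "user1, user2" ] ]
    }
  }
}'''
# Constructed cas.properties: uid is the principal id but is not in the released list.
BROKEN_PROPERTIES = """cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[0].principalAttributeList=cn,mail
"""

def required_attributes(service_json):
    """Return {attribute: set(values)}, unwrapping the ["java.util.HashSet", [...]] encoding."""
    strategy = json.loads(service_json).get("accessStrategy", {})
    out = {}
    for name, encoded in strategy.get("requiredAttributes", {}).items():
        if name == "@class":
            continue
        typed = isinstance(encoded, list) and len(encoded) == 2 and isinstance(encoded[1], list)
        out[name] = set(encoded[1] if typed else encoded)
    return out

def lint_values(required):
    """Flag single values that look like several values joined with a comma."""
    return [f"{name}: {value!r} is one value, not a list"
            for name, values in required.items() for value in values if "," in value]

def released_attributes(properties_text, index=0):
    """Names in cas.authn.ldap[index].principalAttributeList, assumed to be a plain comma list."""
    key = re.escape(f"cas.authn.ldap[{index}].principalAttributeList")
    match = re.search(rf"^{key}\s*=\s*(.*)$", properties_text, re.MULTILINE)
    return {a.strip() for a in match.group(1).split(",") if a.strip()} if match else set()

def missing_released(required, properties_text):
    """Required attribute names that are never released, so the strategy can never match them."""
    return set(required) - released_attributes(properties_text)

def would_grant(required, principal_attributes):
    """Exact-value membership per required attribute (an assumed simplification, not CAS's code)."""
    return all(set(principal_attributes.get(name, [])) & values
               for name, values in required.items())
```

Run `lint_values` and `missing_released` over the broken inputs and both findings from the thread appear; after replacing the value with `"user1", "user2"` and adding uid to principalAttributeList, both lists are empty and `would_grant` admits user1.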
