How to allow proxy callback with accessStrategy?

Stewart
Dec 10, 2019, 7:11:35 PM12/10/19
to CAS Community

Newbie question here.  I have CAS 6.1.1 running with LDAP as a backend.  I've gotten proxy to work, but need to limit access to the service to members of a group. I've been trying to use "accessStrategy" to accomplish this. Unfortunately, I'm failing to understand how to both limit access to a service and allow the proxy callback to occur.  It seems obvious that I should find a way to allow access to the service, but how?

My service definition (currently) looks like this:

{
  /*
   *  Allow website access
   */
  "@class" :            "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" :         "^https://webmail.example.com.*",
  "name" :              "webmail",
  "id" :                1503935297,
  "evaluationOrder" :   89,
  "description" : " Webmail ",
  "proxyPolicy" : {
    "@class" : "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
    "pattern" : "^(https?://webmail.example.com.*)"
  },
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "memberOf" : [ "java.util.HashSet", [ "CN=WebMailUsers,OU=Inet,DC=example,DC=com" ] ]
    }
  }
}

Which limits the initial login to the service to the users in the group, as expected.  It also does not permit the proxy callback (coming from an app with CAS.php implementing the proxy) to occur. I get errors such as:

2019-12-10 15:46:12,717 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot grant access to service [https://webmail.example.com/?_action=caslogin] because it is not authorized for use by [https://webmail.example.com/?_action=pgtcallback].>
2019-12-10 15:46:12,718 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: https://webmail.example.com?_action=pgtcallback
WHAT: [result=Service Access Denied,requiredAttributes={memberOf=[CN=WebMailUsers,OU=Inet,DC=example,DC=com]}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue Dec 10 15:46:12 PST 2019
CLIENT IP ADDRESS: 10.10.77.70
SERVER IP ADDRESS: 10.10.77.100
=============================================================

How can I permit access to this service for the proxy callback, while still limiting access to users in the webmail group?
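As an added diagnostic (not code from the post, and not CAS's own implementation), the Python below replays the two request URLs from the WARN line against the posted definition, approximating CAS's service lookup, proxy-policy check and DefaultRegisteredServiceAccessStrategy requiredAttributes check. The principal attributes are constructed; the assumption that the PGT callback presents no LDAP attributes follows from the audit record, where WHO is the callback URL rather than a user.

```python
import json
import re

# Constructed: the service definition from the post, reduced to the keys that
# matter here and with the inner list bracket restored so that it parses
# (CAS expects "memberOf": ["java.util.HashSet", [ ... ]]).
WEBMAIL_SERVICE = json.loads("""{
  "serviceId": "^https://webmail.example.com.*",
  "name": "webmail", "evaluationOrder": 89,
  "proxyPolicy": {"pattern": "^(https?://webmail.example.com.*)"},
  "accessStrategy": {"enabled": true, "ssoEnabled": true,
    "requiredAttributes": {"@class": "java.util.HashMap",
      "memberOf": ["java.util.HashSet", ["CN=WebMailUsers,OU=Inet,DC=example,DC=com"]]}}
}""")

# The two URLs from the WARN line in the post, plus constructed principal attributes:
# a browser user who is in the group, and the PGT callback, which carries no LDAP attributes.
LOGIN_URL = "https://webmail.example.com/?_action=caslogin"
CALLBACK_URL = "https://webmail.example.com/?_action=pgtcallback"
USER_ATTRS = {"memberOf": ["CN=WebMailUsers,OU=Inet,DC=example,DC=com"]}
CALLBACK_ATTRS = {}

def _values(v):
    """Unwrap Jackson's typed-collection form ["java.util.HashSet", [...]]."""
    if isinstance(v, list) and len(v) == 2 and isinstance(v[1], list):
        return set(v[1])
    return set(v) if isinstance(v, list) else {v}

def find_service(services, url):
    """Lowest evaluationOrder whose serviceId regex matches wins (approximates CAS lookup)."""
    for svc in sorted(services, key=lambda s: s["evaluationOrder"]):
        if re.search(svc["serviceId"], url):
            return svc
    return None

def proxy_allowed(svc, callback_url):
    """RegexMatchingRegisteredServiceProxyPolicy: the callback URL must match the pattern."""
    return re.search(svc["proxyPolicy"]["pattern"], callback_url) is not None

def access_allowed(svc, principal_attrs):
    """DefaultRegisteredServiceAccessStrategy, simplified: service enabled and every
    requiredAttributes entry has at least one of its values on the principal."""
    strategy = svc["accessStrategy"]
    if not strategy.get("enabled", True):
        return False
    for attr, wanted in strategy.get("requiredAttributes", {}).items():
        if attr != "@class" and not set(principal_attrs.get(attr, [])) & _values(wanted):
            return False
    return True
```

Both URLs resolve to the same restricted service and the proxy policy accepts the callback, so it is the memberOf requirement that denies the attribute-less callback principal. Note also that the unescaped dots in serviceId and pattern match any character, so hosts such as webmailXexample.com satisfy them; escape them as `\.` when tightening the definition.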