CAS 5.3.9 Access Strategy Groovy script


Debian HNT

May 16, 2019, 9:21:54 AM
to CAS Community
Hello guys,


I'm looking for a configuration of Access Strategy with a Groovy script.

I'd like to set some required attributes and a redirection URL.

For example, if the account attribute = Active, I'll be able to join the service

but

if the account attribute = blocked, I'll be redirected to https://blocked.acc.html

or

if the account attribute = waiting, I'll be redirected to https://waiting.acc/html

Can someone help me?


best regards,



Ray Bon

May 21, 2019, 1:12:52 PM
to cas-...@apereo.org
Debian,

In doPrincipal..., you are using a variable called 'map' but the variable is 'attributes'.

Ray

On Tue, 2019-05-21 at 02:22 -0700, Debian HNT wrote:
Hello guys,

I'm still trying to configure a groovy script for access strategy but I have some errors

Here's my access-strategy.groovy


import org.apereo.cas.services.*
import java.util.*

class GroovyRegisteredAccessStrategy extends DefaultRegisteredServiceAccessStrategy {
    @Override
    boolean isServiceAccessAllowed() {
            return true
    }

    @Override
    boolean isServiceAccessAllowedForSso() {
            return true
    }

    @Override
    boolean doPrincipalAttributesAllowServiceAccess(String principal, Map<String, Object> attributes) {
    for (Map.Entry<String, Object> entry : map.entrySet()){
                if (entry.getKey().equals(principal)){
                        return true
                }
        }
        return false
    }
    }

    @Override
    java.net.URI getUnauthorizedRedirectUrl(){
    return "https://blocked-acc.html"
    }
}



org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.login.InitialFlowSetupAction@2357e4bc in state 'null' of flow 'login' -- action execution attributes were 'map[[empty]]'

Caused by: java.lang.NullPointerException
	at org.apereo.cas.services.GroovyRegisteredServiceAccessStrategy.isServiceAccessAllowed(GroovyRegisteredServiceAccessStrategy.java:49)
	at org.apereo.cas.web.flow.login.InitialFlowSetupAction.configureWebflowContextForService(InitialFlowSetupAction.java:62)
	at org.apereo.cas.web.flow.login.InitialFlowSetupAction.doExecute(InitialFlowSetupAction.java:51)
	at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
	at sun.reflect.GeneratedMethodAccessor447.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:216)
	at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:470)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
	at com.sun.proxy.$Proxy376.execute(Unknown Source)
	at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
	... 100 more



I'd like to set some required attributes and a redirection URL.

For example, if the account attribute = Active, I'll be able to join the service

but

if the account attribute = blocked, I'll be redirected to https://blocked-acc.html

or

if the account attribute = waiting, I'll be redirected to https://waiting-acc/html

I'm new to groovy and I don't understand the issue. May I have some help, please?

Regards,

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

Debian HNT

May 22, 2019, 3:49:56 AM
to CAS Community
Ray,
Thanks for your answer!

I've changed the variable to attributes but it doesn't repair the issue.
I don't understand how to set principal to my attribute: account, and how to configure the map to active/blocked/waiting?
I'm not sure if I clearly understand the function...

Thank you in advance...

Ray Bon

May 22, 2019, 11:28:19 AM
to cas-...@apereo.org
Debian,

I should have looked closer at your method logic.
From the method name I suspect that method checks an attribute to determine service access. This is what you originally proposed 'attribute = Active'.

You will need to know what attributes you have. You can add logging to the method or increase logging in general:

        <!-- DEBUG Found principal attributes [...] for [username]
                   Attribute policy [???] allows release of [...] for [username]
                   Final collection of attributes allowed are: [...] -->
        <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>

I also have this in my logging config:

        <!-- DEBUG Skipping access strategy policy - when no attributes rules are defined
                   These required attributes [...] are examined against [...] before service can proceed - when attributes are defined   -->
        <AsyncLogger name="org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy" level="warn"/>

Because CAS can perform the access / deny part of your requirements. Service configuration can set an attribute and a value that a user must have to allow access.
Since you are trying to modify the redirect URL (you have a third option), you might have to modify the web flow.

In general, for your method you will have a check like this

if ('Active' == map.get('attribute')) {return true}

Ray

Debian HNT

May 23, 2019, 3:32:02 AM
to CAS Community
Ray,

Thanks a lot for your message, it's a little clearer for me now...
I'll try your suggestion...

Thank you again...

Debian HNT

May 23, 2019, 9:59:11 AM
to CAS Community
Ray,

Excuse me for the inconvenience but I still have errors...

I've tried your syntax

import org.apereo.cas.services.*
import java.util.*

class GroovyRegisteredAccessStrategy extends DefaultRegisteredServiceAccessStrategy {
    @Override
    boolean isServiceAccessAllowed() {
            return true
    }

    @Override
    boolean isServiceAccessAllowedForSso() {
            return true
    }

    @Override
    boolean doPrincipalAttributesAllowServiceAccess(String principal, Map<String, Object> attributes) {
        for (Map.Entry<String, Object> entry : attributes.entrySet()){
                if ('Active' == map.get('udlAccountStatus')) {return true}
                else
                {return false}
        }
    }

}

I have this error
2019-05-23 15:46:04,201 WARN [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <No such property: map for class: GroovyRegisteredAccessStrategy>
groovy.lang.MissingPropertyException: No such property: map for class: GroovyRegisteredAccessStrategy

I've tried this
    @Override
    boolean doPrincipalAttributesAllowServiceAccess(String principal, Map<String, Object> attributes) {
        for (Map.Entry<String, Object> entry : attributes.entrySet()){
                if ('Active' == entry.getKey('udlAccountStatus')) {return true}
                else
                {return false}
        }
    }

}
but I have this error
2019-05-23 15:38:52,086 WARN [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <No signature of method: java.util.LinkedHashMap$Entry.getKey() is applicable for argument types: (java.lang.String) values: [udlAccountStatus]
Possible solutions: getKey(), getAt(java.lang.String), notify(), grep(), every(), every(groovy.lang.Closure)>

When I try to use the Possible solutions with getKey()
    @Override
    boolean doPrincipalAttributesAllowServiceAccess(String principal, Map<String, Object> attributes) {
        for (Map.Entry<String, Object> entry : attributes.entrySet()){
                if ('Active' == getKey('udlAccountStatus')) {return true}
                else
                {return false}
        }
    }

}
I have this error

2019-05-23 15:45:03,124 WARN [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <No signature of method: GroovyRegisteredAccessStrategy.getKey() is applicable for argument types: (java.lang.String) values: [udlAccountStatus]
Possible solutions: getAt(java.lang.String), notify(), getOrder(), grep(), every(), every(groovy.lang.Closure)>


any suggestions?

Thanks in advance...

Ray Bon

May 23, 2019, 10:54:38 AM
to cas-...@apereo.org
Debian,

Skip the for loop. If you know the attribute key, check it directly (sorry about the use of map in my previous example):

if ('Active' == attributes.get('udlAccountStatus'))


Also, from a programming perspective, entrySet returns a Set<Map.Entry<String, Object>>.

Ray

Debian HNT

May 24, 2019, 3:01:06 AM
to CAS Community
Hello Ray,

Thanks for your answer, the conf seems to be OK, I can access the login page of the service but when I try to connect with my ID, the access is denied.
Before using the groovy script I was able to access the service... I've checked my admusers.properties and my account is set to ROLE_ADMIN

The boolean isServiceAccessAllowed is "return true"

class GroovyRegisteredAccessStrategy extends DefaultRegisteredServiceAccessStrategy {
    @Override
    boolean isServiceAccessAllowed() {
            return true
    }

Thanks in advance

Ray Bon

May 24, 2019, 11:57:06 AM
to cas-...@apereo.org
Debian,

When you say 'access is denied', is that a message that CAS is displaying or is that your service (admusers.properties sounds like your service)?

Check CAS logs to see what is happening (you may need to add logging to your custom code).

Ray

Debian HNT

May 27, 2019, 7:31:52 AM
to CAS Community

Hi Ray,

It is a message that CAS is displaying "Service access denied due to missing privileges."


Here are the logs

2019-05-27 13:02:15,646 WARN [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - <Unauthorized service access for principal; CAS will be redirecting to [https://castete.univ.com/aide/blocked.html]>
2019-05-27 13:02:53,173 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot grant access to service [https://castete.univ.com/cas/status/dashboard] because it is not authorized for use by [student.stu].>
2019-05-27 13:02:53,174 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Denied,service=https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=
student.stu, attributes={udlAccountStatus=[Active], supannAliasLogin=[student.stu]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Mon May 27 13:02:53 CEST 2019

I feel like the code doesn't work because my student.stu has his udlAccountStatus set to Active, so I should be able to access the service?
Can you explain the "String principal" to me? I'm not sure if I understand it correctly...

thanks for your time,

Ray Bon

May 27, 2019, 12:29:47 PM
to cas-...@apereo.org
Debian,

return new URI('https...

Ray

On Sun, 2019-05-26 at 23:57 -0700, Debian HNT wrote:
Hi Ray,

It's a message that CAS is displaying "Service access denied due to missing privileges."

here's the log:

2019-05-27 08:23:02,532 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot grant access to service [https://castete.univ.com/cas/status/dashboard] because it is not authorized for use by [student1.stu].>
2019-05-27 08:23:02,533 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: student1.stu
WHAT: [result=Service Access Denied,service=https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=student1.stu, attributes={udlAccountStatus=[Active], supannAliasLogin=[student1.stu]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Mon May 27 08:23:02 CEST 2019


I've tried to add getUnauthorizedRedirectUrl

   @Override
   java.net.URI getUnauthorizedRedirectUrl() {
   return 'https://castete.univ.com/blocked.html'
   }

but CAS returns this error
Caused by: org.codehaus.groovy.runtime.typehandling.GroovyCastException: Cannot cast object 'https://castete.univ.com/blocked.html' with class 'java.lang.String' to class 'java.net.URI'

thank you for your time..

Ray Bon

May 27, 2019, 12:36:07 PM
to cas-...@apereo.org
Debian,

'Principal' is what the logged in user is called. Think of it as a box containing id, attributes, etc.

Ray

Debian HNT

May 28, 2019, 9:17:16 AM
to CAS Community
Hi Ray,

Thanks for your response and idea, I managed to make it work!

Best regards,

Debian HNT

May 29, 2019, 4:37:39 AM
to CAS Community
Hi Ray,

I'm trying to implement dynamic url redirect, here's my code :

import org.apereo.cas.services.*
import java.util.*
import java.net.URI

class GroovyRegisteredAccessStrategy extends DefaultRegisteredServiceAccessStrategy {
    final String accountStatus


    @Override
    boolean isServiceAccessAllowed() {
            return true
    }

    @Override
    boolean isServiceAccessAllowedForSso() {
            return true
    }

    @Override
    boolean doPrincipalAttributesAllowServiceAccess(String principal, Map<String, Object> attribu$
         if(attributes.get('udlAccountStatus').contains('Active')) {
                this.accountStatus == 'Active'
                return true
         } else if (attributes.get('udlAccountStatus').contains('Waiting')) {
                this.accountStatus == 'Waiting'
                return false
         } else if (attributes.get('udlAccountStatus').contains('Blocked')) {
                this.accountStatus == 'Blocked'
                return false

         } else {
                return false
         }
   }

   @Override
   java.net.URI getUnauthorizedRedirectUrl() {
        if (this.accountStatus == 'Blocked') {
                return new URI('https://cas-univ.com/blocked.html')
        } else if (this.accountStatus == 'Waiting') {
                return new URI('https://cas-univ.com/waiting.html')
        }
   }
}

For an Active account it works, but when I try a waiting or blocked account, my access is denied (CAS message, no error logs). I don't have a blocked/waiting account so I set my code like this to try:

    @Override
    boolean doPrincipalAttributesAllowServiceAccess(String principal, Map<String, Object> attribu$
         if(attributes.get('udlAccountStatus').contains('Active')) {
                this.accountStatus == 'Waiting'
                return false
         } else if (attributes.get('udlAccountStatus').contains('Waiting)) {
                this.accountStatus == 'Waiting'
                return false
         } else if (attributes.get('udlAccountStatus').contains('Blocked')) {
                this.accountStatus == 'Blocked'
                return false

         } else {
                return false
         }
   }
   @Override
   java.net.URI getUnauthorizedRedirectUrl() {
        if (this.accountStatus == 'Blocked') {
                return new URI('https://cas-univ.com/blocked.html')
        } else if (this.accountStatus == 'Waiting') {
                return new URI('https://cas-univ.com/waiting.html')
        }
   }
}

Any suggestions? Is my code correct?


Thanks in advance..

Ray Bon

May 29, 2019, 11:23:57 AM
to cas-...@apereo.org
Debian,

To know what is happening in your code, add logging statements!!!

If you modify your code, you have to remember to un-modify it. Too easy to forget a change and release to production.

I have not used groovy scripting in CAS. Can you write unit tests? This will let you know that your logic is correct.
Logging and unit tests can both be permanent in your code base. Logging can be adjusted at runtime (log4j2.xml) in case an unexpected behaviour shows up.

If you are going to test runtime behaviour (different redirects) you should have test users with appropriate attributes (at least 3 in your case). Or modify one user at the attribute store.

Testing is important! Make sure you have all the parts you need.

As far as why the code is not working, is it possible that getUnauthorizedRedirectUrl is called before doPrincipalAttributesAllowServiceAccess? You can check this with logging (easy way) or trace the method calls in CAS source (more challenging).

In getUnauthorizedRedirectUrl, there is no default case. What happens if it is neither 'Blocked' nor 'Waiting'?

Ray
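A corrected version of the dynamic-redirect strategy posted above, written here as an added example; it is not the poster's script or CAS project code. It stores the status with an assignment into a per-thread holder (the posted script compares with `==` into a final field, so nothing is ever stored), gives getUnauthorizedRedirectUrl the default case Ray asks about, and uses Groovy's @Slf4j annotation to supply the `log` property that a bare `log.error(...)` call in a script does not have. The attribute name udlAccountStatus comes from the thread's own logs; the redirect pages are constructed placeholders.

```groovy
import groovy.util.logging.Slf4j
import org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy

// Added example, not the poster's script or CAS project code. Assumes the
// multi-valued principal attribute 'udlAccountStatus' seen in the thread's
// logs and hypothetical status pages under https://cas-univ.com/.
@Slf4j
class GroovyRegisteredAccessStrategy extends DefaultRegisteredServiceAccessStrategy {

    static final String STATUS_ATTR = 'udlAccountStatus'

    // Constructed redirect targets; replace with the real pages.
    static final Map<String, String> REDIRECTS = [
        'Blocked': 'https://cas-univ.com/blocked.html',
        'Waiting': 'https://cas-univ.com/waiting.html',
    ].asImmutable()
    static final String DEFAULT_DENIED = 'https://cas-univ.com/denied.html'

    // The strategy object is reused for every login to this service, so a plain
    // instance field would let two concurrent users overwrite each other's
    // status and be sent to the wrong page. A ThreadLocal keeps the value with
    // the request thread that evaluated the check.
    private static final ThreadLocal<String> LAST_STATUS = new ThreadLocal<String>()

    @Override
    boolean isServiceAccessAllowed() { true }

    @Override
    boolean isServiceAccessAllowedForSso() { true }

    // CAS hands attributes over as List values ({udlAccountStatus=[Active]} in the
    // logs), so reduce the attribute to a single string before comparing.
    static String statusOf(Map<String, Object> attributes) {
        def raw = attributes?.get(STATUS_ATTR)
        if (raw instanceof Collection) {
            raw = raw.isEmpty() ? null : raw.iterator().next()
        }
        raw == null ? null : raw.toString()
    }

    @Override
    boolean doPrincipalAttributesAllowServiceAccess(String principal, Map<String, Object> attributes) {
        String status = statusOf(attributes)
        LAST_STATUS.set(status)          // assignment, not '=='
        // 'log' exists because of @Slf4j; without the annotation Groovy reports
        // "No such property: log".
        log.info("access check for [{}]: {}={}", principal, STATUS_ATTR, status)
        status == 'Active'
    }

    @Override
    URI getUnauthorizedRedirectUrl() {
        String status = LAST_STATUS.get()
        // Default case: any status other than Blocked/Waiting goes to a generic
        // denied page, so this never returns null. Must be a URI, not a String.
        String target = REDIRECTS[status] ?: DEFAULT_DENIED
        log.info("redirecting status [{}] to {}", status, target)
        new URI(target)
    }
}
```

Because the script declares no package, the logger name is just GroovyRegisteredAccessStrategy, so the matching log4j2.xml entry should be `<AsyncLogger name="GroovyRegisteredAccessStrategy" level="debug"/>` rather than one prefixed with org.apereo.cas.services. The thread's own logs show the order CAS uses (the "Cannot grant access" warning is written before "CAS will be redirecting to"), which is what lets the redirect method read the status stored by the check.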

Debian HNT

Jun 3, 2019, 2:33:50 AM
to CAS Community
Ray,

Thanks a lot for your response.
If it is neither 'blocked' nor 'waiting', access should be granted

Debian,

Debian HNT

Jun 3, 2019, 9:00:15 AM
to CAS Community
Ray,

In my log4j2.xml I have this

        <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>
        <AsyncLogger name="org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy" level="debug"/>

When access is granted I have this in my logs

8430:2019-06-03 14:13:39,963 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Initiating attributes release phase for principal [student1.stu] accessing service [https://castete.univ.com/cas/status/dashboard] defined by registered service [^https://castete.univ.com/cas/status/dashboard(\z|/.*)]...>
8431:2019-06-03 14:13:39,972 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Locating principal attributes for [student1.stu]>
8432:2019-06-03 14:13:39,973 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Using principal attribute repository [DefaultPrincipalAttributesRepository()] to retrieve attributes>
8433:2019-06-03 14:13:39,974 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found principal attributes [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}] for [student1.stu]>
8434:2019-06-03 14:13:39,976 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Calling attribute policy [ReturnAllAttributeReleasePolicy] to process attributes for [student1.stu]>
8435:2019-06-03 14:13:39,977 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy [ReturnAllAttributeReleasePolicy] allows release of [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}] for [student1.stu>
8436:2019-06-03 14:13:39,984 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attempting to merge policy attributes and default attributes>
8437:2019-06-03 14:13:39,984 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Checking default attribute policy attributes>
8438:2019-06-03 14:13:39,985 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving default attributes for release, if any>
8439:2019-06-03 14:13:39,988 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [[]]>
8440:2019-06-03 14:13:39,993 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are [{}]>
8441:2019-06-03 14:13:39,993 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding default attributes first to the released set of attributes>
8442:2019-06-03 14:13:39,994 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding policy attributes to the released set of attributes>
8443:2019-06-03 14:13:39,994 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Finalizing attributes release phase for principal [student1.stu] accessing service [https://castete.univ.com/cas/status/dashboard] defined by registered service [^https://castete.univ.com/cas/status/dashboard(\z|/.*)]...>
8444:2019-06-03 14:13:39,994 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}]>


But when I try to test my waiting/blocked account, access is denied. In my logs I just have ldaptive DEBUG

2019-06-03 14:50:45,673 INFO [org.ldaptive.auth.Authenticator] - <Authentication succeeded for dn: uid=82853,ou=accounts,dc=univ,dc=com>
2019-06-03 14:50:45,673 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate response=[org.ldaptive.auth.AuthenticationHandlerResponse@1390045036::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1074313305::config=[org.ldaptive.ConnectionConfig@1599162410::ldapUrl=ldap://ldap.univ.com, connectTimeout=PT5S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@1022689743::credentialConfig=null, trustManagers=null, hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@5afc0982, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=true, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@202489594::bindDn=uid=reverseproxy,ou=ldapusers,dc=univ,dc=com, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.DefaultConnectionStrategy@59d4b74a], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@156261501::metadata=[ldapUrl=ldap://ldap.univ.com, count=1], environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory, com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.protocol=ssl, com.sun.jndi.ldap.read.timeout=5000}, classLoader=null, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@1341079820::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@6a7e6832, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@390a5cde], result=true, resultCode=SUCCESS, message=null, controls=null] for dn=uid=82853,ou=accounts,dc=univ,dc=com with 
request=[org.ldaptive.auth.AuthenticationRequest@1020927553::user=[org.ldaptive.auth.User@86711528::identifier=student1.stu, context=null], returnAttributes=[udlAccountStatus, supannAliasLogin], controls=null]>
2019-06-03 14:50:45,675 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: student1.stu
WHAT: Supplied credentials: [UsernamePasswordCredential(username=student1.stu)]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Mon Jun 03 14:50:45 CEST 2019
CLIENT IP ADDRESS: 134.206.4.15
SERVER IP ADDRESS: 194.254.129.15
=============================================================

2019-06-03 14:50:45,677 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot grant access to service [https://castete.univ.com/cas/status/dashboard] because it is not authorized for use by [student1.stu].>
2019-06-03 14:50:45,678 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: student1.stu
WHAT: [result=Service Access Denied,service=https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=student1.stu, attributes={udlAccountStatus=[Active], supannAliasLogin=[student1.stu]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Mon Jun 03 14:50:45 CEST 2019
CLIENT IP ADDRESS: 134.206.4.15
SERVER IP ADDRESS: 194.254.129.15
=============================================================
Don't know if I have configured logs correctly because I don't see what's happening when access is denied...

thanks for your time...

Debian,


Ray Bon

Jun 3, 2019, 12:24:00 PM
to cas-...@apereo.org
Debian,

Add this to your log4j2.xml
<AsyncLogger name="package.GroovyRegisteredAccessStrategy" level="debug"/>

replacing 'package' with the package of your class.

Add this as the first line of doPrincipalAttributesAllowServiceAccess method:
log.error("doPrincipalAttributesAllowServiceAccess: " + attributes.get('udlAccountStatus'))

Log level does not have to be 'error', but this way it will definitely show in the logs and 'should be' the only ERROR listed.
This way you will know when/if your method is called and the value of udlAccountStatus.

Ray

Debian HNT

Jun 4, 2019, 3:28:40 AM
to CAS Community
Ray,

These lines do not return anything in my logs...
I thought my file wasn't up but it is, because the ldaptive debug is generated...
I don't know what's happening

regards,

Debian HNT

Jun 4, 2019, 5:58:06 AM
to CAS Community
Ray,

UPDATE

 I wrote my own logs by redirecting to a file to see if this.accountStatus recovers the correct state

like this


   java.net.URI getUnauthorizedRedirectUrl() {
        if (this.accountStatus == 'Blocked') {
                File file = new File("/tmp/cas")
                file.append(this.accountStatus)

So in my toto file I have the waiting status (contents of /tmp/cas):

Waiting

When I'm trying to connect:

2019-06-04 11:42:20,415 WARN [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - <Unauthorized service access for principal; CAS will be redirecting to [https://cas-univ.com/waiting.html)]>
So it sounds good, but the page doesn't redirect to the URL and displays "Application Not Authorized to Use CAS"

any suggestion?

Regards,

Ray Bon

Jun 4, 2019, 11:35:03 AM
to cas-...@apereo.org
Debian,

Is waiting.html protected by a CAS client?

The 'not authorized' message shows in CAS when an application redirects to CAS but is not in CAS services. Check your browser network traffic to see the redirects.

Ray

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Debian HNT

Jun 5, 2019, 5:44:53 AM
to CAS Community
Ray,

waiting.html isn't protected by a CAS client..
I tried to register it as a CAS service with the cas management app but it doesn't change anything.

Browser network traffic displays error 401.
It's weird: for the simple redirection it works and the URL is displayed correctly, but for the dynamic redirection it doesn't. In the logs we can see that we will be redirected, but in reality we are not.

Regards..

Debian HNT

Jun 5, 2019, 9:00:17 AM
to CAS Community
Ray,
There are two states
1st connection: "Service access denied due to missing privileges"
2nd connection: "Application Not Authorized to Use CAS" + log message "CAS will be redirecting to... https://blocke.html"
I'm running out of ideas...

Regards,

Ray Bon

Jun 5, 2019, 11:28:58 AM
to cas-...@apereo.org
Debian,

Post all the relevant debug logs, ideally with logging from your code.

Need to see what CAS and your code is thinking, _and_ when it is executing.

Ray

Ray Bon

Jun 5, 2019, 5:42:28 PM
to cas-...@apereo.org
Set the logger to be more general:

<AsyncLogger name="org.apereo.cas.services" level="debug"/>

or better, set all of cas to log at debug:
<AsyncLogger name="org.apereo.cas" level="debug"/>

Try using logger.error.

I am not sure about importing as I have not used groovy scripting.

It is important that your code writes to the log to capture the sequence of method calls.

Ray

On Wed, 2019-06-05 at 12:22 -0700, Debian HNT wrote:
This line doesn't work, do I have to import some package?
log.error("doPrincipalAttributesAllowServiceAccess: " + attributes.get('udlAccountStatus'))


So I wrote this to exit the state of accountStatus


    java.net.URI getUnauthorizedRedirectUrl() {
        if (this.accountStatus == 'Blocked') {
            File file = new File("/tmp/cas")
            file.append(this.accountStatus)
        }
        // remainder of the method was not included in the post
    }

This debug logger returns nothing:

<AsyncLogger name="org.apereo.cas.services.GroovyRegisteredAccessStrategy" level="debug"/>

I don't have access to the server at the moment, I'll send you the rest of the logs tomorrow.
Regards,
-- 
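An added example, not code from this thread or from CAS: the same strategy class with an explicit SLF4J logger in every overridden method, which is what the log.error line above is missing and what Ray asks for in order to capture the sequence of method calls. The logger name, the Blocked/Waiting values and the redirect URLs are assumptions; udlAccountStatus is the attribute name that appears in the audit record in this thread.

```groovy
import org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
import org.slf4j.Logger
import org.slf4j.LoggerFactory

class GroovyRegisteredAccessStrategy extends DefaultRegisteredServiceAccessStrategy {
    // The script class has no package, so an explicit logger name is used; match it
    // in log4j2.xml with <AsyncLogger name="GroovyRegisteredAccessStrategy" level="debug"/>
    private static final Logger LOGGER = LoggerFactory.getLogger("GroovyRegisteredAccessStrategy")

    // Attribute name taken from the audit record in this thread; the values are assumed.
    private static final String STATUS_ATTR = "udlAccountStatus"
    // Placeholder redirect targets; each one must itself be a registered service.
    private static final Map<String, URI> REDIRECTS = [
        Blocked: URI.create("https://cas.univ.com/help/blocked.html"),
        Waiting: URI.create("https://cas.univ.com/help/waiting.html")
    ]

    private String accountStatus

    @Override
    boolean isServiceAccessAllowed() {
        LOGGER.debug("isServiceAccessAllowed (instance {})", System.identityHashCode(this))
        return true
    }

    @Override
    boolean isServiceAccessAllowedForSso() {
        LOGGER.debug("isServiceAccessAllowedForSso (instance {})", System.identityHashCode(this))
        return true
    }

    @Override
    boolean doPrincipalAttributesAllowServiceAccess(String principal, Map<String, Object> attributes) {
        // CAS hands over multi-valued attributes as collections, e.g. udlAccountStatus=[Active]
        def raw = attributes.get(STATUS_ATTR)
        accountStatus = (raw instanceof Collection) ? raw.find() : raw
        LOGGER.debug("doPrincipalAttributesAllowServiceAccess: principal={} {}={} (instance {})",
                principal, STATUS_ATTR, accountStatus, System.identityHashCode(this))
        return accountStatus == "Active"
    }

    @Override
    URI getUnauthorizedRedirectUrl() {
        // The instance hash shows whether this runs on the object populated above or on a fresh one
        LOGGER.debug("getUnauthorizedRedirectUrl: accountStatus={} (instance {})",
                accountStatus, System.identityHashCode(this))
        return REDIRECTS.get(accountStatus)
    }
}
```

If the debug lines show getUnauthorizedRedirectUrl running with accountStatus=null or on a different instance hash than doPrincipalAttributesAllowServiceAccess, the field set in the earlier call is not available to the later one for that request.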

Debian HNT

Jun 6, 2019, 9:40:28 AM6/6/19
to CAS Community
Ray,

I think the problem comes from the registration of the URL https://cas.univ.com/blocked.html in CAS.
I tried to redirect to a registered service like the cas-management page and it worked.

So I tried to register https://cas.univ.com/help/blocked.html like this:

{
    "@class" : "org.apereo.cas.services.RegexRegisteredService",
    "serviceId" : "^https://cas.univ.com/help(\\z|/.*)",
    "name" : "blocked url",
    "id" : 1559825188,
    "description" : "Blocked URL"
}

but it doesn't work... here are the logs:

2019-06-06 15:05:23,393 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot grant access to service [https://cas.univ.com/cas/status/dashboard] because it is not authorized for use by [student1.stu].>
2019-06-06 15:05:23,393 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: student1.stu
WHAT: [result=Service Access Denied,service=https://cas.univ.com/cas/sta...,principal=SimplePrincipal(id=student1.stu, attributes={udlAccountStatus=[Active], supannAliasLogin=[student1.stu]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Thu Jun 06 15:05:23 CEST 2019
CLIENT IP ADDRESS:
SERVER IP ADDRESS:
=============================================================

2019-06-06 15:05:23,394 WARN [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - <Unauthorized service access for principal; CAS will be redirecting to [https://cas.univ.com/help/blocked.html]>
2019-06-06 15:05:24,423 DEBUG [org.apereo.cas.util.scripting.ScriptingUtils] - <Preparing constructor arguments [[]] for resource [file [/etc/cas/config/access-strategy.groovy]]>

Is my registered service incorrectly configured?

Regards,

Ray Bon

Jun 6, 2019, 11:45:33 AM6/6/19
to cas-...@apereo.org
Debian,

The service entry looks fine. Make sure the id value is unique and make sure the evaluation order allows it to be accessed, https://apereo.github.io/cas/6.0.x/services/Service-Management.html

The logs you provided do not have anything about not being able to access blocked.html.
What happens after the 'constructor arguments' log line?

More logs are always better.

It could be that your service registry is not being picked up. Is the cas-management app on the cas.univ.com host?

You can see what services are being loaded:

        <!-- INFO Loaded [#] service(s) from [???ServiceRegistryDAO]
             DEBUG Adding registered service [service URL] -->
        <AsyncLogger name="org.apereo.cas.services.AbstractServicesManager" level="debug" />

Ray
-- 

Debian HNT

Jun 7, 2019, 4:29:39 AM6/7/19
to CAS Community
Ray,

I think I understood the problem. I put some logs to retrieve the state of accountStatus.
At the 1st connection the function doPrincipal has "Blocked":

Function 1 : Blocked //1st connection

Function 2 : Blocked //2nd connection
Function 1 : Blocked //2nd connection

but at the 2nd connection the function getUnauthorizedRedirectUrl is executed before doPrincipal. So CAS doesn't have the attribute state from doPrincipal, so access is denied.
Is it possible to retrieve the attribute in getUnauthorizedRedirectUrl?

I hope I've explained the problem well...

Regards,


Ray Bon

Jun 7, 2019, 11:47:47 AM6/7/19
to cas-...@apereo.org
Debian,

If getUnauthorizedRedirectUrl is called before doPrincipal, that is CAS behaviour. It would be difficult to change.
You can customize the spring web flow. If you do the attribute check before the webflow redirects to the unauthorized URL, you should have the attributes and could change the value of the URL. See https://apereo.github.io/cas/6.0.x/webflow/Webflow-Customization-Extensions.html

Ray
-- 

Debian HNT

Jun 12, 2019, 2:18:28 AM6/12/19
to CAS Community
Ray,

I'd like to thank you for all your answers, but I think I'll give up the groovy script if I have to modify the webflow, because as it says in the documentation, it's going to be complicated for future updates...
Thank you again

Regards,


Ray Bon

Jun 12, 2019, 11:36:52 AM6/12/19
to cas-...@apereo.org
Debian,

The webflow can be modified dynamically (that is how all CAS features work). You create a few files and configuration in the overlay and your feature will automagically show up in the webflow.

I have a gist that can help with visualizing the webflow, https://gist.github.com/rbonatuvic/d3ef9e8dc0c5a78870a8520bc2ab2b74
How to use it is not very clear. In the next couple of weeks I plan to provide a more complete example as I upgrade to 6.1.

Ray
-- 