Unauthorized URL conditional on enforced attributes?
28 views
Skip to first unread message
Baron Fujimoto
Jul 4, 2023, 12:23:23 AM7/4/23
to CAS Community
When using Attribute Based Access Control (ABAC) in a service access strategy, is there a way to conditionally specify the unauthorized URL to redirect to depending on the failure to satisfy a particular attribute requirement?
The Unauthorized URL documentation suggests perhaps this could be done with a dynamic URL via a Groovy script? But it's not really clear to me how, assuming this is possible, you would actually do so in the script?
E.g., given something like:
{
"@class" : "org.apereo.cas.services.CasRegisteredService",
"name" : "Conditional_Unauthorized_URL",
"serviceId" : "^https://example\\.edu",
"description" : "Unauthorized URL depends on which ABAC condition fails",
"id" : 20230703153748,
"evaluationOrder" : 10,
"accessStrategy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"unauthorizedRedirectUrl" : "file:/etc/cas/config/unauthz-redirect-url.groovy",
"requiredAttributes" : {
"@class" : "java.util.HashMap",
"attr_1" : [ "java.util.HashSet", [ "required_attr_1_val" ] ],
"attr_2" : [ "java.util.HashSet", [ "required_attr_2_val" ] ],
}
}
}
"@class" : "org.apereo.cas.services.CasRegisteredService",
"name" : "Conditional_Unauthorized_URL",
"serviceId" : "^https://example\\.edu",
"description" : "Unauthorized URL depends on which ABAC condition fails",
"id" : 20230703153748,
"evaluationOrder" : 10,
"accessStrategy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"unauthorizedRedirectUrl" : "file:/etc/cas/config/unauthz-redirect-url.groovy",
"requiredAttributes" : {
"@class" : "java.util.HashMap",
"attr_1" : [ "java.util.HashSet", [ "required_attr_1_val" ] ],
"attr_2" : [ "java.util.HashSet", [ "required_attr_2_val" ] ],
}
}
}
If attr_1 is not required_attr_1_val then set unauthorizedRedirectUrl to https://www.example.edu/unauthz-redirect_attr_1.html
If attr_2 is not required_attr_1_val then set unauthorizedRedirectUrl to https://www.example.edu/unauthz-redirect_attr_2.html
If this can be done via the Groovy script, then presumably it would also allow you to set the precedence of the required ABAC conditions in its logic.
Can anyone provide an example of this?
References:
- <https://apereo.github.io/cas/6.6.x/services/Service-Access-Strategy-ABAC.html#enforce-attributes>
We're using CAS 6.6.x
--
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
Ray Bon
Jul 4, 2023, 12:56:56 PM7/4/23
to cas-...@apereo.org
Baron,
There may be something in the fawnoos blog https://fawnoos.com/blog/
Ray
On Mon, 2023-07-03 at 15:48 -1000, Baron Fujimoto wrote:
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
Baron Fujimoto
Jul 5, 2023, 4:56:10 PM7/5/23
to cas-...@apereo.org
Thanks, for the pointer. I did find this fairly old Fawnoos article <https://fawnoos.com/2018/04/23/cas-access-strategy-url-redirects/>, but it seems to describe a strategy that is perhaps even more low level that the Groovy script suggested in the more current documentation.
One aspect I have found a little frustrating is just knowing what is available to work with in such a script. The Unauthorized URL doc mentions that the following parameters are provided to the script: registeredService, requestContext, applicationContext, and logger but I'm not sure where I can find more information about those objects themselves. Do we need to consult more generic Spring Webflow docs for the methods available to requestContext and applicationContext, and whether they would contain the desired info re the specific requiredAttributes conditions that were not met?
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/898c2926c7f32241ee59f723ee7903e69b764e5d.camel%40uvic.ca.
Ray Bon
Jul 5, 2023, 7:07:40 PM7/5/23
to cas-...@apereo.org
Baron,
I have used the cas source and spring api docs to understand see what these objects hold.
They are all complex objects and I print their contents to the logs to find what is available (it is a tedious process).
Ray
This is from one of our scripts:
class MfaSelector {
def String run(final Object... args) {
def authentication = args[0]
def registeredService = args[1]
def httpRequest = args[2]
def service = args[3]
def applicationContext = args[4]
def logger = args[5]
// logger.error('principal: ' + authentication.principal)
// logger.error('service: ' + service)
...
But the types and number of args may change based on context. The above differs from https://apereo.github.io/cas/6.5.x/authentication/Groovy-Authentication.html
If you have a java class you can do something like this:
// printMap("attributes Map", requestContext.getAttributes().asMap());
// printMap("conversation Map", requestContext.getConversationScope().asMap());
// printMap("flash Map", requestContext.getFlashScope().asMap());
// printMap("flow scope Map", requestContext.getFlowScope().asMap());
// printMap("request Map", requestContext.getRequestScope().asMap());
// printMap("parameter Map", requestContext.getRequestParameters().asMap());
private void printMap(String identifier, Map<String, Object> mam) {
LOGGER.trace(identifier + ": [" + mam.keySet().size() + "]:");
for (String key : mam.keySet()) {
LOGGER.trace("\t" + key + " : " + mam.get(key));
Reply all
Reply to author
Forward
0 new messages