service access strategies and required attributes

661 views
Skip to first unread message

King, Robert

unread,
Dec 4, 2020, 1:07:15 PM12/4/20
to cas-...@apereo.org

CAS 6.1 server

LDAP authentication + built in principal resolution

 

I am running into what I think is an inexperience issue with service access strategies.  I am attempting to use principal attributes to grant access to a service.

 

Service entry:

 

{

  "@class" : "org.apereo.cas.services.RegexRegisteredService",

  "serviceId" : "^https://webappsqa.fqdn/castester/.*",

  "name" : "cas test",

  "id" : 1,

  "accessStrategy" : {

    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",

    "enabled" : true,

    "ssoEnabled" : true,

    "requireAllAtrributes" : true,

    "requiredAttributes" :

    {

      "@class": "java.util.HashMap",

      "memberOf" : [ "java.util.HashSet", [ "cn=cas_admin,ou=groups,dc=***,dc=***"] ],

    },

    "rejectedAttributes" :

    {

       "@class": "java.util.LinkedHashMap"

    },

    "caseInsensitive": false

  },

}

 

When authenticating against the service I see the proper authentication and service access enforcement. 

 

=============================================================

WHO: robk

WHAT: Supplied credentials: [UsernamePasswordCredential(username=robk, source=null, customFields={})]

ACTION: AUTHENTICATION_SUCCESS

APPLICATION: CAS

WHEN: Fri Dec 04 13:12:51 NST 2020

CLIENT IP ADDRESS: ***.***.***.***

SERVER IP ADDRESS: ***.***.***.***

=============================================================

=============================================================

WHO: robk

WHAT: [result=Service Access Granted,service=https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk, attributes={memberOf=[ cn=cas_admin,ou=groups,dc=***,dc=***]}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=***,dc=***]}]

ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED

APPLICATION: CAS

WHEN: Fri Dec 04 13:12:51 NST 2020

CLIENT IP ADDRESS: ***.***.***.***

SERVER IP ADDRESS: ***.***.***.***

=============================================================

=============================================================

WHO: robk

WHAT: [result=Service Access Granted,service=https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk, attributes={memberOf=[ cn=cas_admin,ou=groups,dc=***,dc=***]}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=***,dc=***]}]

ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED

APPLICATION: CAS

WHEN: Fri Dec 04 13:12:51 NST 2020

CLIENT IP ADDRESS: ***.***.***.***

SERVER IP ADDRESS: ***.***.***.***

=============================================================

=============================================================

WHO: robk

WHAT: TGT-2-*****3DWzf1qfRI-login-poc

ACTION: TICKET_GRANTING_TICKET_CREATED

APPLICATION: CAS

WHEN: Fri Dec 04 13:12:51 NST 2020

CLIENT IP ADDRESS: ***.***.***.***

SERVER IP ADDRESS: ***.***.***.***

=============================================================

=============================================================

WHO: robk

WHAT: [result=Service Access Granted,service=https://webappsqa.fqdn/castester/...,requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=mun,dc=ca]}]

ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED

APPLICATION: CAS

WHEN: Fri Dec 04 13:12:51 NST 2020

CLIENT IP ADDRESS: ***.***.***.***

SERVER IP ADDRESS: ***.***.***.***

=============================================================

=============================================================

WHO: robk

WHAT: ST-6-DCwJziCpUw2m9nnoyGtazuMcsdM-login-poc for https://webappsqa.fqdn/castester/

ACTION: SERVICE_TICKET_CREATED

APPLICATION: CAS

WHEN: Fri Dec 04 13:12:51 NST 2020

CLIENT IP ADDRESS: ***.***.***.***

SERVER IP ADDRESS: ***.***.***.***

=============================================================

 

Then when the service attempts to validate the ST it seems to run into an issue where the principal does not have any attribute data.  I have highlighted the audit with the empty principal that I believe is the cause of the service ticket validation to fail.

 

=============================================================

WHO: audit:unknown

WHAT: [result=Service Access Denied,service=https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk, attributes={}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=***,dc=***]}]

ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED

APPLICATION: CAS

WHEN: Fri Dec 04 13:12:51 NST 2020

CLIENT IP ADDRESS: ***.***.***.***

SERVER IP ADDRESS: ***.***.***.***

=============================================================

=============================================================

WHO: audit:unknown

WHAT: ST-6-DCwJziCpUw2m9nnoyGtazuMcsdM-login-poc for https://webappsqa.fqdn/castester/

ACTION: SERVICE_TICKET_VALIDATE_FAILED

APPLICATION: CAS

WHEN: Fri Dec 04 13:12:51 NST 2020

CLIENT IP ADDRESS: ***.***.***.***

SERVER IP ADDRESS: ***.***.***.***

=============================================================

 

I am unsure as to why the principal is empty for the service when it is validating the ST?   Any help as to what I am missing?

 

 

Ray Bon

unread,
Dec 4, 2020, 3:20:48 PM12/4/20
to cas-...@apereo.org
Robert,

Two different steps, two different configurations. Attributes for access may be different from attributes the service needs/wants.
See, https://apereo.github.io/cas/6.2.x/integration/Attribute-Release.html, in particular, attribute release policy.

Ray


On Fri, 2020-12-04 at 18:07 +0000, King, Robert wrote:
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. 
--
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

King, Robert

unread,
Dec 4, 2020, 3:52:49 PM12/4/20
to cas-...@apereo.org

On a hunch, I tried turning on the attribute caching in the service entry and it fixed the immediate issue.

 

This still leaves me a little puzzled.  The documentation implies that the principal should have been cached with the length of the default SSO session.

 

Time to keep digging.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b0bddf1c004c8d4d1c8062e432a42c6fe4552633.camel%40uvic.ca.

Petr Bodnár

unread,
May 25, 2021, 9:49:49 AM5/25/21
to CAS Community, ro...@mun.ca
Hi there, I've just run into the very same issue.

After a thorough investigation, I believe this is a BUG introduced in CAS 6.1.0 and above, namely by this commit: r48e753d05d55 "Fix issue with surrogate auth detection; and ensured policy is consulted on validation". Before this commit, the access checking method ensurePrincipalAccessIsAllowedForService() was called just when creating a service ticket, which could be probably enough. Because why to check user's access once at ticket creation and then at ticket validation again?

Anyway, even when we decide to do the check also within ticket validation for whatever reason (?), I think it should be at least consistent with the check done at ticket creation. But as one can see, the main method DefaultCentralAuthenticationService.validateServiceTicket() now firstly filters user's attributes by a configured release policy, before passing them to the checking method. This is why we get this validation error: the default release policy is ReturnAllowedAttributeReleasePolicy with an empty set of attributes to be released by default!

=> So the current workaround seems to be either to use another policy for a service (like ReturnAllAttributeReleasePolicy), or to explicitly name the attributes that we need to check also in the release policy. I guess this has actually helped the OP (and not the attributes caching).

In short, the current CAS behavior goes against what Ray Bon writes above: "Two different steps, two different configurations. Attributes for access may be different from attributes the service needs/wants.".

Anyone willing to check this?

Petr Bodnár

unread,
Sep 23, 2024, 5:24:00 AM9/23/24
to CAS Community, Petr Bodnár, ro...@mun.ca
For whoever comes back to this issue: Probably thanks to commit ba0929c6ab31472, the issue seems to be resolved since CAS 6.5.0 -> attributes from the principal/authentication as well attributes from the release policy are merged before checking them in DefaultCentralAuthenticationService.validateServiceTicket().

Still, the question about the necessity to check the attributes BOTH within creation and validation of a service ticket remains unanswered...
Reply all
Reply to author
Forward
0 new messages