Problem with service access strategy


Juan Carlos Giménez Moncada

Jun 15, 2016, 9:28:22 AM
to CAS Community
Hi, I am using CAS 4.1.6 and I want to enable access based on group
membership. I read the documentation
https://apereo.github.io/cas/4.1.x/installation/Configuring-Service-Access-Strategy.html

The configuration of service -----------------------------

{
  "@class": "org.jasig.cas.services.RegexRegisteredService",
  "id": 125,
  "name": "www service",
  "description": "Description of www service.",
  "serviceId": "^http.*://.*",
  "theme": "cas-theme-default",
  "evaluationOrder": 125,
  "logoutType": "BACK_CHANNEL",
  "accessStrategy": {
    "@class": "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": true,
    "requireAllAttributes": false,
    "requiredAttributes": {
      "@class": "java.util.HashMap",
      "listas": [ "java.util.HashSet", [ "group1, group3" ] ]
    }
  },
  "usernameAttributeProvider": {
    "@class": "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
  },
  "attributeReleasePolicy": {
    "@class": "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
    "authorizedToReleaseCredentialPassword": false,
    "authorizedToReleaseProxyGrantingTicket": false,
    "allowedAttributes": [
      "java.util.ArrayList", [ "memberof" ]
    ]
  }
}


After authentication, the DEBUG log shows the user is not authorized
************************
[org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy] - <These
required attributes [{listas=[group1, group3]}] are examined against
[{memberof=[group1, group2, group3, group4, group5]}] before service can
proceed.>
[org.jasig.cas.util.RegexUtils] - <Pattern (group1, group3) is a valid
regex.>
[org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy] -
<Principal is denied access as the required attributes for the
registered service are missing>
[org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceManagement:
Cannot grant service ticket because Service [http://xxx.xxx.xxx/] is not
authorized for use by [x...@xxx.es].>


What is wrong?

Thanks in advance.

Dmitriy Kopylenko

Jun 15, 2016, 9:55:30 AM
to Juan Carlos Giménez Moncada, CAS Community
Try this (notice the 2 comma-separated strings in the list literal there):

"requiredAttributes": { "@class": "java.util.HashMap",
     "listas": [ "java.util.HashSet", [ "group1", "group3" ] ]
   }

On Jun 15, 2016, at 9:28 AM, Juan Carlos Giménez Moncada <mon...@um.es> wrote:

"requiredAttributes": { "@class": "java.util.HashMap",
     "listas": [ "java.util.HashSet", [ "group1, group3" ] ]
   }

D.
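
An added example (not part of the original posts and not CAS's own code): a Python check that unwraps the typed requiredAttributes JSON, flags values that pack several entries into one string, and runs a simplified model of the regex comparison seen in the DEBUG log. The full-match semantics and the use of memberof as the attribute name on both sides are assumptions of the sample.

```python
import json
import re

# Constructed sample: the requiredAttributes fragment from the question and the
# corrected form from the reply. Using "memberof" as the required attribute
# name is an assumption of this example.
BROKEN = '''{"accessStrategy": {"requiredAttributes": {"@class": "java.util.HashMap",
  "memberof": ["java.util.HashSet", ["group1, group3"]]}}}'''
FIXED = '''{"accessStrategy": {"requiredAttributes": {"@class": "java.util.HashMap",
  "memberof": ["java.util.HashSet", ["group1", "group3"]]}}}'''
# Principal attribute values as printed in the DEBUG log.
PRINCIPAL = {"memberof": ["group1", "group2", "group3", "group4", "group5"]}


def required_attributes(service_json):
    """Unwrap the typed form {"@class": ..., name: [collection class, [values]]}."""
    raw = json.loads(service_json)["accessStrategy"]["requiredAttributes"]
    return {name: typed[1] for name, typed in raw.items() if name != "@class"}


def packed_values(required):
    """Flag values that look like several entries packed into one string."""
    return [(name, v) for name, vals in required.items() for v in vals if "," in v]


def is_authorized(required, principal, require_all=False):
    """Simplified model (assumption): each required value is a regex that must
    fully match one of the principal's values for the same attribute name."""
    if not required:
        return True  # nothing required, nothing to deny on
    hits = []
    for name, patterns in required.items():
        values = principal.get(name, [])
        hits.append(any(re.fullmatch(p, v) for p in patterns for v in values))
    return all(hits) if require_all else any(hits)


if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("fixed", FIXED)):
        req = required_attributes(doc)
        print(label, "packed:", packed_values(req),
              "authorized:", is_authorized(req, PRINCIPAL))
```
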

Juan Carlos Giménez Moncada

Jun 15, 2016, 10:07:24 AM
to CAS Community
Working perfectly; for that reason it is important to update the Apereo doc.

Thanks :D

On 15/06/16 at 15:55, Dmitriy Kopylenko wrote:
> Try this (notice the 2 comma-separated strings in the list literal there):
>
> *"requiredAttributes": { "@class": "java.util.HashMap",
> "listas": [ "java.util.HashSet", [ "group1", "group3" ]]
> }*
>
>> On Jun 15, 2016, at 9:28 AM, Juan Carlos Giménez Moncada