Set the logger to be more general: <AsyncLogger name="org.apereo.cas.services" level="debug"/>
or better, set all of cas to log at debug: <AsyncLogger name="org.apereo.cas" level="debug"/> Try using logger.error. See https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html#groovy-script I am not sure about importing as I have not used groovy scripting. It is important that your code writes to the log to capture the sequence of method calls. Ray On Wed, 2019-06-05 at 12:22 -0700, Debian HNT wrote: This line doesnt work, do I have to import some package? log.error("doPrincipalAttributesAllowServiceAccess: " + attributes.get('udlAccountStatus')) So I wrote this to exit the state of accountStatus java.net.URI getUnauthorizedRedirectUrl() { if (this.accountStatus == 'Blocked') { File file = new File("/tmp/cas") file.append(this.accountStatus) this debug return nothing <AsyncLogger name="org.apereo.cas.services.GroovyRegisteredAccessStrategy" level="debug"/> I don't have access to the server atm, I'll send u the rest of logs tomwr Regards, Debian, Post all the relevant debug logs, ideally with logging from your code. Need to see what CAS and your code is thinking, _and_ when it is executing. Ray On Wed, 2019-06-05 at 06:00 -0700, Debian HNT wrote: Ray, There is two states 1st connection : "Service access denied due to missing privileges" 2nd connection :"Application Not Authorized to Use CAS" + message log "CAS will be redirecting to... https://blocke.html" I'm running out of ideas... Regards, Ray, waiting.html isnt protected by a CAS client.. I tried to register it as a CAS services with the cas management app but it doesnt change anything. Network browser traffic display error 401. it's weird, for the simple redirection it works the url is well displayed, but for the dynamic redirection it doesn't. In the logs we can see that we will be redirected but in reality not Regards.. Debian, Is waiting.html protected by a CAS client? The 'not authorized' message shows in CAS when an application redirects to CAS but is not in CAS services. Check your browser network traffic to see the redirects. Ray On Tue, 2019-06-04 at 02:58 -0700, Debian HNT wrote: Ray, UPDATE I wrote my own logs by redirecting to a file to see if this.accountStatus recovers the correct state like this java.net.URI getUnauthorizedRedirectUrl() { if (this.accountStatus == 'Blocked') { File file = new File("/tmp/cas") file.append(this.accountStatus) So in my toto file I have the waiting status ==================================================== GNU nano 2.7.4 File : /tmp/cas Waiting ==================================================== When Im trying to connect : 2019-06-04 11:42:20,415 WARN [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - <Unauthorized service access for principal; CAS will be redirecting to [https://cas-univ.com/waiting.html)]> So it sounds good but the page doesnt redirect to the url and display "Application Not Authorized to Use CAS" any suggestion? Regards, Ray, Theses lines do not return anything in my logs... I thought my file wasnt up but it is because the ldaptive debug is generated... I dunno whats happening regards, Debian, Add this to your log4j2.xml <AsyncLogger name="package.GroovyRegisteredAccessStrategy" level="debug"/> replacing 'package' with the package of your class. Add this as the first line of doPrincipalAttributesAllowServiceAccess method: log.error("doPrincipalAttributesAllowServiceAccess: " + attributes.get('udlAccountStatus')) Log level does not have to be 'error', but this way it will definitely show in the logs and 'should be' the only ERROR listed. This way you will know when/if your method is called and the value of udlAccountStatus. Ray On Mon, 2019-06-03 at 06:00 -0700, Debian HNT wrote: Ray, In my log4j2.xml I have this <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/> <AsyncLogger name="org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy" level="debug"/> When access is granted I have this in my logs 8430:2019-06-03 14:13:39,963 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Initiating attributes release phase for principal [student1.stu] accessing service [https://castete.univ.com/cas/status/dashboard] defined by registered service [^https://castete.univ.com/cas/status/dashboard(\z|/.*)]...> 8431:2019-06-03 14:13:39,972 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Locating principal attributes for [student1.stu]> 8432:2019-06-03 14:13:39,973 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Using principal attribute repository [DefaultPrincipalAttributesRepository()] to retrieve attributes> 8433:2019-06-03 14:13:39,974 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found principal attributes [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}] for [student1.stu]> 8434:2019-06-03 14:13:39,976 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Calling attribute policy [ReturnAllAttributeReleasePolicy] to process attributes for [student1.stu]> 8435:2019-06-03 14:13:39,977 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy [ReturnAllAttributeReleasePolicy] allows release of [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}] for [student1.stu> 8436:2019-06-03 14:13:39,984 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attempting to merge policy attributes and default attributes> 8437:2019-06-03 14:13:39,984 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Checking default attribute policy attributes> 8438:2019-06-03 14:13:39,985 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving default attributes for release, if any> 8439:2019-06-03 14:13:39,988 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [[]]> 8440:2019-06-03 14:13:39,993 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are [{}]> 8441:2019-06-03 14:13:39,993 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding default attributes first to the released set of attributes> 8442:2019-06-03 14:13:39,994 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding policy attributes to the released set of attributes> 8443:2019-06-03 14:13:39,994 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Finalizing attributes release phase for principal [student1.stu] accessing service [https://castete.univ.com/cas/status/dashboard] defined by registered service [^https://castete.univ.com/cas/status/dashboard(\z|/.*)]...> 8444:2019-06-03 14:13:39,994 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}]> 8430:2019-06-03 14:13:39,963 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Initiating attributes release phase for principal [student1.stu] accessing service [https://castete.univ.com/cas/status/dashboard] defined by registered service [^https://castete.univ.com/cas/status/dashboard(\z|/.*)]...> 8431:2019-06-03 14:13:39,972 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Locating principal attributes for [student1.stu]> 8432:2019-06-03 14:13:39,973 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Using principal attribute repository [DefaultPrincipalAttributesRepository()] to retrieve attributes> 8433:2019-06-03 14:13:39,974 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found principal attributes [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}] for [student1.stu]> 8434:2019-06-03 14:13:39,976 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Calling attribute policy [ReturnAllAttributeReleasePolicy] to process attributes for [student1.stu]> 8435:2019-06-03 14:13:39,977 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy [ReturnAllAttributeReleasePolicy] allows release of [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}] for [student1.stu]> 8436:2019-06-03 14:13:39,984 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attempting to merge policy attributes and default attributes> 8437:2019-06-03 14:13:39,984 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Checking default attribute policy attributes> 8438:2019-06-03 14:13:39,985 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving default attributes for release, if any> 8439:2019-06-03 14:13:39,988 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [[]]> 8440:2019-06-03 14:13:39,993 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are [{}]> 8441:2019-06-03 14:13:39,993 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding default attributes first to the released set of attributes> 8442:2019-06-03 14:13:39,994 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding policy attributes to the released set of attributes> 8443:2019-06-03 14:13:39,994 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Finalizing attributes release phase for principal [student1.stu] accessing service [https://castete.univ.com/cas/status/dashboard] defined by registered service [^https://castete.univ.com/cas/status/dashboard(\z|/.*)]...> 8444:2019-06-03 14:13:39,994 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}]> But when I try to test my waiting/blocked acc access is denied. In my logs I just have ldaptive DEBUG 2019-06-03 14:50:45,673 INFO [org.ldaptive.auth.Authenticator] - <Authentication succeeded for dn: uid=82853,ou=accounts,dc=univ,dc=com> 2019-06-03 14:50:45,673 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate response=[org.ldaptive.auth.AuthenticationHandlerResponse@1390045036::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1074313305::config=[org.ldaptive.ConnectionConfig@1599162410::ldapUrl=ldap://ldap.univ.com<http://ldap.univ.com>, connectTimeout=PT5S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@1022689743::credentialConfig=null, trustManagers=null, hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@5afc0982, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=true, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@202489594::bindDn=uid=reverseproxy,ou=ldapusers,dc=univ,dc=com, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.DefaultConnectionStrategy@59d4b74a], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@156261501::metadata=[ldapUrl=ldap://ldap.univ.com<http://ldap.univ.com>, count=1], environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory, com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.protocol=ssl, com.sun.jndi.ldap.read.timeout=5000}, classLoader=null, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@1341079820::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@6a7e6832, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@390a5cde], result=true, resultCode=SUCCESS, message=null, controls=null] for dn=uid=82853,ou=accounts,dc=univ,dc=com with request=[org.ldaptive.auth.AuthenticationRequest@1020927553::user=[org.ldaptive.auth.User@86711528::identifier=student1.stu, context=null], returnAttributes=[udlAccountStatus, supannAliasLogin], controls=null]> 2019-06-03 14:50:45,675 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: student1.stu WHAT: Supplied credentials: [UsernamePasswordCredential(username=student1.stu)] ACTION: AUTHENTICATION_SUCCESS APPLICATION: CAS WHEN: Mon Jun 03 14:50:45 CEST 2019 CLIENT IP ADDRESS: 134.206.4.15 SERVER IP ADDRESS: 194.254.129.15 ============================================================= > 2019-06-03 14:50:45,677 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot grant access to service [https://castete.univ.com/cas/status/dashboard] because it is not authorized for use by [student1.stu].> 2019-06-03 14:50:45,678 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: student1.stu WHAT: [result=Service Access Denied,service=https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=student1.stu, attributes={udlAccountStatus=[Active], supannAliasLogin=[student1.stu]}),requiredAttributes={}] ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED APPLICATION: CAS WHEN: Mon Jun 03 14:50:45 CEST 2019 CLIENT IP ADDRESS: 134.206.4.15 SERVER IP ADDRESS: 194.254.129.15 ============================================================= Dont know if I have configured logs correctly because I dont see whats happening when access is denied... thanks for your time... Debian, Ray, Thanks a lot for your response. If it is neither 'blocked' nor 'waiting' access should be granted Debian, Debian, To know what is happening in your code, add logging statements!!! If you modify your code, you have to remember to un-modify it. Too easy to forget a change and release to production. I have not used groovy scripting in CAS. Can you write unit tests? This will let you know that your logic is correct. Logging and unit tests can both be permanent in your code base. Logging can be adjusted at runtime (log4j2.xml) in case an unexpected behaviour shows up. If you are going to test runtime behaviour (different redirects) you should have need test users with appropriate attributes (at least 3 in your case). Or modify one user at the attribute store. Testing is important! Make sure you have all the parts you need. As far as why the code is not working, is it possible that getUnauthorizedRedirectUrl is called before doPrincipalAttributesAllowServiceAccess? You can check this with logging (easy way) or trace the method calls in CAS source (more challenging). In getUnauthorizedRedirectUrl, there is no default case. What happens if it is neither 'Blocked' nor 'Waiting'? Ray On Wed, 2019-05-29 at 01:37 -0700, Debian HNT wrote: Hi Ray, I'm trying to implement dynamic url redirect, here's my code : import org.apereo.cas.services.* import java.util.* import java.net.URI class GroovyRegisteredAccessStrategy extends DefaultRegisteredServiceAccessStrategy { final String accountStatus @Override boolean isServiceAccessAllowed() { return true } @Override boolean isServiceAccessAllowedForSso() { return true } @Override boolean doPrincipalAttributesAllowServiceAccess(String principal, Map<String, Object> attribu$ if(attributes.get('udlAccountStatus').contains('Active')) { this.accountStatus == 'Active' return true } else if (attributes.get('udlAccountStatus').contains('Waiting')) { this.accountStatus == 'Waiting' return false } else if (attributes.get('udlAccountStatus').contains('Blocked')) { this.accountStatus == 'Blocked' return false } else { return false } } @Override java.net.URI getUnauthorizedRedirectUrl() { if (this.accountStatus == 'Blocked') { return new URI('https://cas-univ.com/blocked.html') } else if (this.accountStatus == 'Waiting') { return new URI('https://cas-univ.com/waiting.html') } } } For Active account it works, but when I try waiting or blocked account, my access is denied (CAS message, no erros logs). I don't have a blocked/waiting account so I set my code like this to try : @Override boolean doPrincipalAttributesAllowServiceAccess(String principal, Map<String, Object> attribu$ if(attributes.get('udlAccountStatus').contains('Active')) { this.accountStatus == 'Waiting' return false } else if (attributes.get('udlAccountStatus').contains('Waiting)) { this.accountStatus == 'Waiting' return false } else if (attributes.get('udlAccountStatus').contains('Blocked')) { this.accountStatus == 'Blocked' return false } else { return false } } @Override java.net.URI getUnauthorizedRedirectUrl() { if (this.accountStatus == 'Blocked') { return new URI('https://cas-univ.com/blocked.html') } else if (this.accountStatus == 'Waiting') { return new URI('https://cas-univ.com/waiting.html') } } } any suggest? is my code correct? Thanks in advance.. Hi Ray, Thanks for your response and idea, I managed to make it work ! Best regards, Debian, 'Principal' is what the logged in user is called. Think of it as a box containing id, attributes, etc. Ray On Mon, 2019-05-27 at 04:31 -0700, Debian HNT wrote: Hi Ray, It is a message that CAS is displaying "Service access denied due to missing privileges." Here's the logs 2019-05-27 13:02:15,646 WARN [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - <Unauthorized service access for principal; CAS will be redirecting to [https://castete.univ.com/aide/blocked.html]> 2019-05-27 13:02:53,173 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot grant access to service [https://castete.univ.com/cas/status/dashboard] because it is not authorized for use by [student.stu].> 2019-05-27 13:02:53,174 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: audit:unknown WHAT: [result=Service Access Denied,service=https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=student.stu, attributes={udlAccountStatus=[Active], supannAliasLogin=[student.stu]}),requiredAttributes={}] ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED APPLICATION: CAS WHEN: Mon May 27 13:02:53 CEST 2019 I feel like the code doesnt work because my student.stu has his udlAccountStatus to Active so I should access to the service? Can you explain me the "String principal"? not sure if I understand correctly... thanks for your time, Debian, When you say 'access is denied', is that a message that CAS is displaying or is that your service (admusers.properties sounds like your service)? Check CAS logs to see what is happening (you may need to add logging to you custom code). Ray On Fri, 2019-05-24 at 00:01 -0700, Debian HNT wrote: Hello Ray, Thanks for your answer, the conf seems to be ok, I can access to the log in page of the service but when I try to connect with my ID, the access is denied. Before using groovy script I was able to access the service... I've checked my admusers.properties and my account is set to ROLE_ADMIN The boolean isServiceAccessAllowed is "return true" class GroovyRegisteredAccessStrategy extends DefaultRegisteredServiceAccessStrategy { @Override boolean isServiceAccessAllowed() { return true } Thanks in advance Debian, Skip the for loop. If you know the attribute key, check it directly (sorry about the use of map in my previous example): if ('Active' == attributes.get('udlAccountStatus')) Also, from a programming perspective, entrySet -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831 | CLE 019 | r...@uvic.ca<mailto:r...@uvic.ca> I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/38f6704e3ed6edf4b60bc99b074c06a1a72aea57.camel%40uvic.ca.