Ray, I think I understood the problem. I put some logs to retrieve state of accountStatus. At the 1st connection the function doPrincipal has "Blocked"
Function 1 : Blocked //1st connection Function 2 : Blocked //2nd connection Function 1 : Blocked //2nd connection but at the 2nd connection function getUnauthorizedRedirectUrl is executed before doPrincipal. So CAS dont have the attribute sate of doPrincipal, so Access is denied. Is it possible to retrieve attribute in getUnauthorizedRedirectUrl ?? I hope I've explained the problem well... Regards, Debian, > > The service entry looks fine. Make sure the id value is unique and make > sure the evaluation order allows it to be accessed, > https://apereo.github.io/cas/6.0.x/services/Service-Management.html > > The logs you provided do not have anything about not being able to access > blocked.html > What happens after the 'constructor atguments' log line? > > More logs are always better. > > It could be that your service registry is not being picked up. Is the > cas-management app on the cas.univ.com host? > > You can see what services are being loaded: > > <!-- INFO Loaded [#] service(s) from [???ServiceRegistryDAO] > DEBUG Adding registered service [service URL] --> > <AsyncLogger > name="org.apereo.cas.services.AbstractServicesManager" level="debug" /> > > Ray > > On Thu, 2019-06-06 at 06:40 -0700, Debian HNT wrote: > > Ray, > > I think the problem comes from the registration of the url > https://cas.univ.com/blocked.html to cas > <https://cas-univ.com/blocked.html> > I tried to redirect to a registered service like cas-management page and > its worked. > > So I tried to register https://cas.univ.com/help/blocked.html > <https://cas-univ.com/blocked.html> like that > > { > "@class" : "org.apereo.cas.services.RegexRegisteredService", > "serviceId" : "^https://cas.univ.com/help(\\z|/.*) > <https://cas-univ.com/help(%5C%5Cz%7C/.*)>", > "name" : "blocked url", > "id" : 1559825188, > "description" : "Blocked URL" > } > > but it doesnt work... here's the logs > > > > > 2019-06-06 15:05:23,393 WARN > [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot > grant access to service [https://cas.univ.com/cas/status/dashboard] > because it is not authorized for use by [student1.stu].> > 2019-06-06 15:05:23,393 INFO > [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit > trail record BEGIN > ============================================================= > WHO: student1.stu > WHAT: [result=Service Access > Denied,service=https://cas.univ.com/cas/sta...,principal=SimplePrincipal(id=student1.stu, > > attributes={udlAccountStatus=[Active], > supannAliasLogin=[student1.stu]}),requiredAttributes={}] > ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED > APPLICATION: CAS > WHEN: Thu Jun 06 15:05:23 CEST 2019 > CLIENT IP ADDRESS: > SERVER IP ADDRESS: > ============================================================= > > > > 2019-06-06 15:05:23,394 WARN > [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - > <Unauthorized service access for principal; CAS will be redirecting to [ > https://cas.univ.com/help/blocked.html]> > 2019-06-06 15:05:24,423 DEBUG > [org.apereo.cas.util.scripting.ScriptingUtils] - <Preparing constructor > arguments [[]] for resource [file [/etc/cas/config/access-strategy.groovy]]> > > Is my registered service incorrectly configured? > > Regards,,, > > Set the logger to be more general: > > <AsyncLogger name="org.apereo.cas.services" level="debug"/> > > or better, set all of cas to log at debug: > <AsyncLogger name="org.apereo.cas" level="debug"/> > > Try using logger.error. > See > https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html#groovy-script > > I am not sure about importing as I have not used groovy scripting. > > It is important that your code writes to the log to capture the sequence > of method calls. > > Ray > > On Wed, 2019-06-05 at 12:22 -0700, Debian HNT wrote: > > This line doesnt work, do I have to import some package? > log.error("doPrincipalAttributesAllowServiceAccess: " + > attributes.get('udlAccountStatus')) > > > So I wrote this to exit the state of accountStatus > > java.net.URI getUnauthorizedRedirectUrl() { > if (this.accountStatus == 'Blocked') { > File file = new File("/tmp/cas") > file.append(this.accountStatus) > > this debug return nothing > > <AsyncLogger name="org.apereo.cas.services.GroovyRegisteredAccessStrategy" > level="debug"/> > > I don't have access to the server atm, I'll send u the rest of logs tomwr > Regards, > > Debian, > > Post all the relevant debug logs, ideally with logging from your code. > > Need to see what CAS and your code is thinking, _and_ when it is executing. > > Ray > > On Wed, 2019-06-05 at 06:00 -0700, Debian HNT wrote: > > Ray, > There is two states > 1st connection : "Service access denied due to missing privileges" > 2nd connection :"Application Not Authorized to Use CAS" + message log > "CAS will be redirecting to... https://blocke.html"; > I'm running out of ideas... > > Regards, > > Ray, > > waiting.html isnt protected by a CAS client.. > I tried to register it as a CAS services with the cas management app but > it doesnt change anything. > > Network browser traffic display error 401. > it's weird, for the simple redirection it works the url is well displayed, > but for the dynamic redirection it doesn't. In the logs we can see that we > will be redirected but in reality not > > Regards.. > > > Debian, > > Is waiting.html protected by a CAS client? > > The 'not authorized' message shows in CAS when an application redirects to > CAS but is not in CAS services. Check your browser network traffic to see > the redirects. > > Ray > > On Tue, 2019-06-04 at 02:58 -0700, Debian HNT wrote: > > Ray, > > UPDATE > > I wrote my own logs by redirecting to a file to see if this.accountStatus > recovers the correct state > > like this > > > java.net.URI getUnauthorizedRedirectUrl() { > if (this.accountStatus == 'Blocked') { > File file = new File("/tmp/cas") > file.append(this.accountStatus) > > So in my toto file I have the waiting status > ==================================================== > GNU nano 2.7.4 File : /tmp/cas > > > *Waiting* > > ==================================================== > > When Im trying to connect : > > 2019-06-04 11:42:20,415 WARN > [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - > <Unauthorized service access for principal; CAS will be redirecting to [ > https://cas-univ.com/waiting.html)]> > So it sounds good but the page doesnt redirect to the url and display > "Application Not Authorized to Use CAS" > > any suggestion? > > Regards, > > Ray, > > Theses lines do not return anything in my logs... > I thought my file wasnt up but it is because the ldaptive debug is > generated... > I dunno whats happening > > regards, > > Debian, > > Add this to your log4j2.xml > <AsyncLogger name="package.GroovyRegisteredAccessStrategy" level="debug"/> > > replacing 'package' with the package of your class. > > Add this as the first line of doPrincipalAttributesAllowServiceAccess > method: > log.error("doPrincipalAttributesAllowServiceAccess: " + > attributes.get('udlAccountStatus')) > > Log level does not have to be 'error', but this way it will definitely > show in the logs and 'should be' the only ERROR listed. > This way you will know when/if your method is called and the value of > udlAccountStatus. > > Ray > > > On Mon, 2019-06-03 at 06:00 -0700, Debian HNT wrote: > > Ray, > > In my log4j2.xml I have this > > <AsyncLogger > name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" > > level="debug"/> > <AsyncLogger > name="org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy" > level="debug"/> > > When access is granted I have this in my logs > > 8430:2019-06-03 14:13:39,963 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Initiating attributes release phase for principal [student1.stu] accessing > service [https://castete.univ.com/cas/status/dashboard] defined by > registered service [^https://castete.univ.com/cas/status/dashboard > (\z|/.*)]...> > 8431:2019-06-03 14:13:39,972 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Locating principal attributes for [student1.stu]> > 8432:2019-06-03 14:13:39,973 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Using principal attribute repository > [DefaultPrincipalAttributesRepository()] to retrieve attributes> > 8433:2019-06-03 14:13:39,974 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Found principal attributes [{supannAliasLogin=[student1.stu], > udlAccountStatus=[Active]}] for [student1.stu]> > 8434:2019-06-03 14:13:39,976 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Calling attribute policy [ReturnAllAttributeReleasePolicy] to process > attributes for [student1.stu]> > 8435:2019-06-03 14:13:39,977 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Attribute policy [ReturnAllAttributeReleasePolicy] allows release of > [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}] for > [student1.stu> > 8436:2019-06-03 14:13:39,984 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Attempting to merge policy attributes and default attributes> > 8437:2019-06-03 14:13:39,984 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Checking default attribute policy attributes> > 8438:2019-06-03 14:13:39,985 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Located application context. Retrieving default attributes for release, if > any> > 8439:2019-06-03 14:13:39,988 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Default attributes for release are: [[]]> > 8440:2019-06-03 14:13:39,993 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Default attributes found to be released are [{}]> > 8441:2019-06-03 14:13:39,993 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Adding default attributes first to the released set of attributes> > 8442:2019-06-03 14:13:39,994 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Adding policy attributes to the released set of attributes> > 8443:2019-06-03 14:13:39,994 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Finalizing attributes release phase for principal [student1.stu] accessing > service [https://castete.univ.com/cas/status/dashboard] defined by > registered service [^https://castete.univ.com/cas/status/dashboard > (\z|/.*)]...> > 8444:2019-06-03 14:13:39,994 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Final collection of attributes allowed are: > [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}]> > > > > 8430:2019-06-03 14:13:39,963 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Initiating attributes release phase for principal [student1.stu] accessing > service [https://castete.univ.com/cas/status/dashboard] defined by > registered service [^https://castete.univ.com/cas/status/dashboard > (\z|/.*)]...> > 8431:2019-06-03 14:13:39,972 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Locating principal attributes for [student1.stu]> > 8432:2019-06-03 14:13:39,973 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Using principal attribute repository > [DefaultPrincipalAttributesRepository()] to retrieve attributes> > 8433:2019-06-03 14:13:39,974 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Found principal attributes [{supannAliasLogin=[student1.stu], > udlAccountStatus=[Active]}] for [student1.stu]> > 8434:2019-06-03 14:13:39,976 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Calling attribute policy [ReturnAllAttributeReleasePolicy] to process > attributes for [student1.stu]> > 8435:2019-06-03 14:13:39,977 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Attribute policy [ReturnAllAttributeReleasePolicy] allows release of > [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}] for > [student1.stu]> > 8436:2019-06-03 14:13:39,984 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Attempting to merge policy attributes and default attributes> > 8437:2019-06-03 14:13:39,984 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Checking default attribute policy attributes> > 8438:2019-06-03 14:13:39,985 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Located application context. Retrieving default attributes for release, if > any> > 8439:2019-06-03 14:13:39,988 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Default attributes for release are: [[]]> > 8440:2019-06-03 14:13:39,993 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Default attributes found to be released are [{}]> > 8441:2019-06-03 14:13:39,993 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Adding default attributes first to the released set of attributes> > 8442:2019-06-03 14:13:39,994 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Adding policy attributes to the released set of attributes> > 8443:2019-06-03 14:13:39,994 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Finalizing attributes release phase for principal [student1.stu] accessing > service [https://castete.univ.com/cas/status/dashboard] defined by > registered service [^https://castete.univ.com/cas/status/dashboard > (\z|/.*)]...> > 8444:2019-06-03 14:13:39,994 DEBUG > [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - > <Final collection of attributes allowed are: > [{supannAliasLogin=[student1.stu], udlAccountStatus=[Active]}]> > > But when I try to test my waiting/blocked acc access is denied. In my logs > I just have ldaptive DEBUG > > 2019-06-03 14:50:45,673 INFO [org.ldaptive.auth.Authenticator] - > <Authentication succeeded for dn: uid=82853,ou=accounts,dc=univ,dc=com> > 2019-06-03 14:50:45,673 DEBUG [org.ldaptive.auth.Authenticator] - > <authenticate > response=[org.ldaptive.auth.AuthenticationHandlerResponse@1390045036::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1074313305::config=[org.ldaptive.ConnectionConfig@1599162410::ldapUrl=ldap:// > ldap.univ.com, connectTimeout=PT5S, responseTimeout=PT5S, > sslConfig=[org.ldaptive.ssl.SslConfig@1022689743::credentialConfig=null, > trustManagers=null, > hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@5afc0982, > hostnameVerifierConfig=null, enabledCipherSuites=null, > enabledProtocols=null, handshakeCompletedListeners=null], useSSL=true, > useStartTLS=false, > connectionInitializer=[org.ldaptive.BindConnectionInitializer@202489594::bindDn=uid=reverseproxy,ou=ldapusers,dc=univ,dc=com, > > bindSaslConfig=null, bindControls=null], > connectionStrategy=org.ldaptive.DefaultConnectionStrategy@59d4b74a], > providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@156261501::metadata=[ldapUrl=ldap:// > ldap.univ.com, count=1], > environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory, > > com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, > java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, > java.naming.security.protocol=ssl, com.sun.jndi.ldap.read.timeout=5000}, > classLoader=null, > providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@1341079820::operationExceptionResultCodes=[PROTOCOL_ERROR, > > SERVER_DOWN], properties={}, > controlProcessor=org.ldaptive.provider.ControlProcessor@6a7e6832, > environment=null, tracePackets=null, removeDnUrls=true, > searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, > PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, > hostnameVerifier=null]], > providerConnection=org.ldaptive.provider.jndi.JndiConnection@390a5cde], > result=true, resultCode=SUCCESS, message=null, controls=null] for > dn=uid=82853,ou=accounts,dc=univ,dc=com with > request=[org.ldaptive.auth.AuthenticationRequest@1020927553::user=[org.ldaptive.auth.User@86711528::identifier=student1.stu, > > context=null], returnAttributes=[udlAccountStatus, supannAliasLogin], > controls=null]> > 2019-06-03 14:50:45,675 INFO > [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit > trail record BEGIN > ============================================================= > WHO: student1.stu > WHAT: Supplied credentials: > [UsernamePasswordCredential(username=student1.stu)] > ACTION: AUTHENTICATION_SUCCESS > APPLICATION: CAS > WHEN: Mon Jun 03 14:50:45 CEST 2019 > CLIENT IP ADDRESS: 134.206.4.15 > SERVER IP ADDRESS: 194.254.129.15 > ============================================================= > > > > 2019-06-03 14:50:45,677 WARN > [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot > grant access to service [https://castete.univ.com/cas/status/dashboard] > because it is not authorized for use by [student1.stu].> > 2019-06-03 14:50:45,678 INFO > [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit > trail record BEGIN > ============================================================= > WHO: student1.stu > WHAT: [result=Service Access Denied,service= > https://castete.univ.com/cas/sta...,principal=SimplePrincipal(id=student1.stu, > > attributes={udlAccountStatus=[Active], > supannAliasLogin=[student1.stu]}),requiredAttributes={}] > ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED > APPLICATION: CAS > WHEN: Mon Jun 03 14:50:45 CEST 2019 > CLIENT IP ADDRESS: 134.206.4.15 > SERVER IP ADDRESS: 194.254.129.15 > ============================================================= > Dont know if I have configured logs correctly because I dont see whats > happening when access is denied... > > thanks for your time... > > Debian, > > > Ray, > > Thanks a lot for your response. > If it is neither 'blocked' nor 'waiting' access should be granted > > Debian, > > Debian, > > To know what is happening in your code, add logging statements!!! > > If you modify your code, you have to remember to un-modify it. Too easy to > forget a change and release to production. > > I have not used groovy scripting in CAS. Can you write unit tests? This > will let you know that your logic is correct. > Logging and unit tests can both be permanent in your code base. Logging > can be adjusted at runtime (log4j2.xml) in case an unexpected behaviour > shows up. > > If you are going to test runtime behaviour (different redirects) you should > have need test users with appropriate attributes (at least 3 in your > case). Or modify one user at the attribute store. > > Testing is important! Make sure you have all the parts you need. > > As far as why the code is not working, is it possible that > getUnauthorizedRedirectUrl is called before > doPrincipalAttributesAllowServiceAccess? You can check this with logging > (easy way) or trace the method calls in CAS source (more challenging). > > In getUnauthorizedRedirectUrl, there is no default case. What happens if > it is neither 'Blocked' nor 'Waiting'? > > Ray > > On Wed, 2019-05-29 at 01:37 -0700, Debian HNT wrote: > > Hi Ray, > > I'm trying to implement dynamic url redirect, here's my code : > > import org.apereo.cas.services.* > import java.util.* > import java.net.URI > > class GroovyRegisteredAccessStrategy extends > DefaultRegisteredServiceAccessStrategy { > final String accountStatus > > @Override > boolean isServiceAccessAllowed() { > return true > } > > @Override > boolean isServiceAccessAllowedForSso() { > return true > } > > @Override > boolean doPrincipalAttributesAllowServiceAccess(String principal, > Map<String, Object> attribu$ > if(attributes.get('udlAccountStatus').contains('Active')) { > this.accountStatus == 'Active' > return true > } else if > (attributes.get('udlAccountStatus').contains('Waiting')) { > this.accountStatus == 'Waiting' > return false > } else if > (attributes.get('udlAccountStatus').contains('Blocked')) { > this.accountStatus == 'Blocked' > return false > > } else { > return false > } > } > > @Override > java.net.URI getUnauthorizedRedirectUrl() { > if (this.accountStatus == 'Blocked') { > return new URI('https://cas-univ.com/blocked.html') > } else if (this.accountStatus == 'Waiting') { > return new URI('https://cas-univ.com/waiting.html') > } > } > } > > For Active account it works, but when I try waiting or blocked account, my > access is denied (CAS message, no erros logs). I don't have a > blocked/waiting account so I set my code like this to try : > > @Override > boolean doPrincipalAttributesAllowServiceAccess(String principal, > Map<String, Object> attribu$ > if(attributes.get('udlAccountStatus').contains('Active')) { > this.accountStatus == 'Waiting' > return false > } else if (attributes.get('udlAccountStatus').contains('Waiting)) > { > this.accountStatus == 'Waiting' > return false > } else if > (attributes.get('udlAccountStatus').contains('Blocked')) { > this.accountStatus == 'Blocked' > return false > > } else { > & > > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/dc885850-d4a8-498c-98f9-e66910e7354a%40apereo.org.
