When using Attribute Based Access Control (ABAC) in a service access strategy, is there a way to conditionally specify the unauthorized URL to redirect to depending on the failure to satisfy a particular attribute requirement?
The Unauthorized URL documentation suggests perhaps this could be done with a dynamic URL via a Groovy script? But it's not really clear to me how, assuming this is possible, you would actually do so in the script? E.g., given something like: { "@class" : "org.apereo.cas.services.CasRegisteredService", "name" : "Conditional_Unauthorized_URL", "serviceId" : "^https://example\\.edu", "description" : "Unauthorized URL depends on which ABAC condition fails", "id" : 20230703153748, "evaluationOrder" : 10, "accessStrategy" : { "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy", "unauthorizedRedirectUrl" : "file:/etc/cas/config/unauthz-redirect-url.groovy", "requiredAttributes" : { "@class" : "java.util.HashMap", "attr_1" : [ "java.util.HashSet", [ "required_attr_1_val" ] ], "attr_2" : [ "java.util.HashSet", [ "required_attr_2_val" ] ], } } } If attr_1 is not required_attr_1_val then set unauthorizedRedirectUrl to https://www.example.edu/unauthz-redirect_attr_1.html If attr_2 is not required_attr_1_val then set unauthorizedRedirectUrl to https://www.example.edu/unauthz-redirect_attr_2.html If this can be done via the Groovy script, then presumably it would also allow you to set the precedence of the required ABAC conditions in its logic. Can anyone provide an example of this? References: - < https://apereo.github.io/cas/6.6.x/services/Service-Access-Strategy-ABAC.html#enforce-attributes > -< https://apereo.github.io/cas/6.6.x/services/Service-Access-Strategy-URL.html#dynamic-urls > We're using CAS 6.6.x -- Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services minutas cantorum, minutas balorum, minutas carboratum descendus pantorum -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL2y_p3sVXZ10ah5fkboxH71Jte1EedG9XJLBcH0cNd2PQ%40mail.gmail.com.