Baron,

I have used the CAS source and Spring API docs to see what these 
objects hold.
They are all complex objects and I print their contents to the logs to find 
what is available (it is a tedious process).

Ray

This is from one of our scripts:

class MfaSelector {
    def String run(final Object... args) {
        def authentication = args[0]
        def registeredService = args[1]
        def httpRequest = args[2]
        def service = args[3]
        def applicationContext = args[4]
        def logger = args[5]

        // logger.error('principal: ' + authentication.principal)
        // logger.error('service: ' + service)
        // ...
    }
}

But the types and number of args may change based on context. The above differs 
from 
https://apereo.github.io/cas/6.5.x/authentication/Groovy-Authentication.html

If you have a Java class you can do something like this:

// printMap("attributes Map", requestContext.getAttributes().asMap());
// printMap("conversation Map", requestContext.getConversationScope().asMap());
// printMap("flash Map", requestContext.getFlashScope().asMap());
// printMap("flow scope Map", requestContext.getFlowScope().asMap());
// printMap("request Map", requestContext.getRequestScope().asMap());
// printMap("parameter Map", requestContext.getRequestParameters().asMap());


// Dump every entry of one Spring Webflow scope (or any map) at TRACE level
// so the available keys and their runtime types can be inspected in the logs.
private void printMap(String identifier, Map<String, Object> mam) {
    LOGGER.trace(identifier + ": [" + mam.size() + "]:");
    for (Map.Entry<String, Object> entry : mam.entrySet()) {
        LOGGER.trace("\t" + entry.getKey() + " : " + entry.getValue());
    }
}
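As an added example (not from Ray or Baron, and not the CAS project's own code), here is one way the dynamic unauthorizedRedirectUrl script Baron asked about could choose the page by the first unmet required attribute, using the four arguments the 6.6 docs list. It assumes the script returns a java.net.URI as in the documented dynamic-URL example, that the access strategy is the DefaultRegisteredServiceAccessStrategy from the JSON in the thread, and that WebUtils.getAuthentication(requestContext) still yields the authentication at that point; the redirect and fallback URLs are constructed for the example.

```groovy
import java.net.URI
import org.apereo.cas.web.support.WebUtils

// Constructed for this example: the page to send the user to when a given
// required attribute is the one that was not satisfied. Map order is the
// precedence order when several conditions fail at once.
Map<String, String> redirectsByAttribute() {
    return [
        'attr_1': 'https://www.example.edu/unauthz-redirect_attr_1.html',
        'attr_2': 'https://www.example.edu/unauthz-redirect_attr_2.html',
    ]
}

// Name of the first attribute (in precedence order) whose requirement is not
// met, or null when every requirement holds. Mirrors the access strategy's
// rule (assumption: default settings) that the attribute must be present
// with at least one of the listed values.
static String firstUnmetAttribute(Map required, Map actual, Collection<String> precedence) {
    for (String name : precedence) {
        Collection wanted = (Collection) required.get(name)
        if (wanted == null) continue                  // not required by this service
        Collection have = (Collection) (actual.get(name) ?: [])
        Set<String> acceptable = wanted.collect { it.toString() } as Set
        if (!have.any { acceptable.contains(it.toString()) }) return name
    }
    return null
}

URI run(final Object... args) {
    def registeredService = args[0]
    def requestContext = args[1]
    def applicationContext = args[2]
    def logger = args[3]

    // Assumption: a DefaultRegisteredServiceAccessStrategy, so requiredAttributes exists.
    Map required = registeredService.accessStrategy.requiredAttributes ?: [:]
    // Assumption: the authentication is still in the webflow when the redirect
    // URL is computed; treat a missing one as "no attributes".
    def authentication = WebUtils.getAuthentication(requestContext)
    Map actual = authentication?.principal?.attributes ?: [:]

    Map<String, String> redirects = redirectsByAttribute()
    String unmet = firstUnmetAttribute(required, actual, redirects.keySet())
    // Log the attribute name only; attribute values may be sensitive.
    logger.debug("Access to [{}] denied; first unmet condition: [{}]",
                 registeredService.name, unmet)
    // Constructed fallback for denials that no single listed condition explains.
    return new URI(redirects.get(unmet) ?: 'https://www.example.edu/unauthz-redirect.html')
}
```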

On Wed, 2023-07-05 at 09:45 -1000, Baron Fujimoto wrote:

Thanks for the pointer. I did find this fairly old Fawnoos article 
<https://fawnoos.com/2018/04/23/cas-access-strategy-url-redirects/>, but it 
seems to describe a strategy that is perhaps even more low level than the 
Groovy script suggested in the more current documentation.

One aspect I have found a little frustrating is just knowing what is available 
to work with in such a script. The Unauthorized URL doc mentions that the 
following parameters are provided to the script: registeredService, 
requestContext, applicationContext, and logger, but I'm not sure where I can 
find more information about those objects themselves. Do we need to consult 
more generic Spring Webflow docs for the methods available to requestContext 
and applicationContext, and whether they would contain the desired info re the 
specific requiredAttributes conditions that were not met?



On Tue, Jul 4, 2023 at 6:56 AM Ray Bon <r...@uvic.ca> wrote:
Baron,

There may be something in the fawnoos blog 
https://fawnoos.com/blog/

Ray

On Mon, 2023-07-03 at 15:48 -1000, Baron Fujimoto wrote:

When using Attribute Based Access Control (ABAC) in a service access strategy, 
is there a way to conditionally specify the unauthorized URL to redirect to 
depending on the failure to satisfy a particular attribute requirement?

The Unauthorized URL documentation suggests perhaps this could be done with a 
dynamic URL via a Groovy script? But it's not really clear to me how, assuming 
this is possible, you would actually do so in the script?

E.g., given something like:

{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "name" : "Conditional_Unauthorized_URL",
  "serviceId" : "^https://example\\.edu",
  "description" : "Unauthorized URL depends on which ABAC condition fails",
  "id" : 20230703153748,
  "evaluationOrder" : 10,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "unauthorizedRedirectUrl" : "file:/etc/cas/config/unauthz-redirect-url.groovy",
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "attr_1" : [ "java.util.HashSet", [ "required_attr_1_val" ] ],
      "attr_2" : [ "java.util.HashSet", [ "required_attr_2_val" ] ]
    }
  }
}

If attr_1 is not required_attr_1_val then set unauthorizedRedirectUrl to 
https://www.example.edu/unauthz-redirect_attr_1.html
If attr_2 is not required_attr_1_val then set unauthorizedRedirectUrl to 
https://www.example.edu/unauthz-redirect_attr_2.html

If this can be done via the Groovy script, then presumably it would also allow 
you to set the precedence of the required ABAC conditions in its logic.

Can anyone provide an example of this?

References:
- https://apereo.github.io/cas/6.6.x/services/Service-Access-Strategy-ABAC.html#enforce-attributes
- https://apereo.github.io/cas/6.6.x/services/Service-Access-Strategy-URL.html#dynamic-urls

We're using CAS 6.6.x

--
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information 
Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/898c2926c7f32241ee59f723ee7903e69b764e5d.camel%40uvic.ca.




To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d609dffe5d96c44c41a830cdc75e94c7d0de8aa5.camel%40uvic.ca.
