Service Access Strategy - ABAC Activation Criteria
The ABAC strategy can be modified to conditionally activate the access strategy policy, and then optionally decide the final access strategy result if the strategy is determined to remain inactive.
You can implement the conditions using the following strategies.
-
The policy can be conditionally activated based on available principal attributes.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
{ "@class" : "org.apereo.cas.services.CasRegisteredService", "serviceId" : "https://app.example.org", "name" : "Example", "accessStrategy" : { "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy", "requiredAttributes" : { "@class" : "java.util.HashMap", "cn" : [ "java.util.HashSet", [ "admin" ] ] }, "activationCriteria": { "@class": "org.apereo.cas.services.AttributeBasedRegisteredServiceAccessStrategyActivationCriteria", "allowIfInactive": false, "operator": "AND", "requiredAttributes": { "@class" : "java.util.HashMap", "firstName": [ "java.util.ArrayList", [ "John", "Jon" ] ], "lastName": [ "java.util.ArrayList", [ "Holdoor", "Hodor" ] ] } } } }
In the above example, the access strategy is only activated if the current principal has a
lastName
attribute with valuesJon
orJohn
, AND has afirstName
attribute with valuesHoldoor
orHodor
. Theoperator
field can also be modified to useOR
.Note that if the access strategy fails to activate and must remain inactive, then access is denied via
allowIfInactive
. -
You can decide whether the access strategy should be activated using a Groovy script, that may be defined either inline or outsourced to an external Groovy script.
Below shows the option where you define the Groovy script directly within the body of the service definition:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
{ "@class" : "org.apereo.cas.services.CasRegisteredService", "serviceId" : "https://app.example.org", "name" : "Example", "accessStrategy" : { "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy", "requiredAttributes" : { "@class" : "java.util.HashMap", "cn" : [ "java.util.HashSet", [ "admin" ] ] }, "activationCriteria": { "@class": "org.apereo.cas.services.GroovyRegisteredServiceAccessStrategyActivationCriteria", "groovyScript": "groovy { return accessRequest.principalId.startsWith('admin-') }", "allowIfInactive": true } } }
The
accessRequest
object allows one to define conditions based on the following attached properties:Code Description principalId
The identifier of the current principal after a successful authentication event. attributes
A Map
of attributes attached to the principal after a successful authentication event.service
The Service
object representing the current application request.registeredService
The registered service definition in CAS that is mapped to the Service
.Alternatively, you could also outsource the Groovy script to an external file:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
{ "@class" : "org.apereo.cas.services.CasRegisteredService", "serviceId" : "https://app.example.org", "name" : "Example", "accessStrategy" : { "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy", "requiredAttributes" : { "@class" : "java.util.HashMap", "cn" : [ "java.util.HashSet", [ "admin" ] ] }, "activationCriteria": { "@class": "org.apereo.cas.services.GroovyRegisteredServiceAccessStrategyActivationCriteria", "groovyScript": "file:///etc/cas/config/AccessStrategy.groovy", "allowIfInactive": true } } }
The script itself may be designed as:
1 2 3 4 5 6 7
import org.apereo.cas.services.* def run(Object[] args) { def (context,logger) = args logger.info("Checking ${context.principalId} - ${context.registeredService.name}") return true }
To prepare CAS to support and integrate with Apache Groovy, please review this guide.
-
You can also combine multiple activation criteria using a chaining setup:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
{ "@class" : "org.apereo.cas.services.CasRegisteredService", "serviceId" : "https://app.example.org", "name" : "Example", "accessStrategy" : { "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy", "requiredAttributes" : { "@class" : "java.util.HashMap", "cn" : [ "java.util.HashSet", [ "admin" ] ] }, "activationCriteria": { "@class": "org.apereo.cas.services.ChainingRegisteredServiceAccessStrategyActivationCriteria", "conditions": [ "java.util.ArrayList", [ { "@class": "org.apereo.cas.services.AttributeBasedRegisteredServiceAccessStrategyActivationCriteria", "order": 1, "requiredAttributes": { "@class": "java.util.HashMap", "cn": [ "java.util.ArrayList", [ "name1", "name2" ]] } }, { "@class": "org.apereo.cas.services.GroovyRegisteredServiceAccessStrategyActivationCriteria", "order": 2, "groovyScript": "groovy { return accessRequest.principalId.startsWith('admin-') }" } ]], "operator": "AND" } } }