Service Access Strategy - Unauthorized URL
The default strategy allows one to configure a service with the following properties:
Field | Description |
---|---|
unauthorizedRedirectUrl |
Optional url to redirect the flow in case service access is not allowed. Values can use the Spring Expression Language syntax. |
Service access is denied if the principal does not have a cn
attribute containing the value super-user
.
If so, the user will be redirected to https://www.github.com
instead.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
{
"@class": "org.apereo.cas.services.CasRegisteredService",
"serviceId" : "testId",
"name" : "testId",
"id": 1,
"accessStrategy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"unauthorizedRedirectUrl" : "https://www.github.com",
"requiredAttributes" : {
"@class" : "java.util.HashMap",
"cn" : [ "java.util.HashSet", [ "super-user" ] ]
}
}
}
Dynamic URLs
Service access is denied if the principal does not have a cn
attribute containing the
value super-user
. If so, the redirect URL will be dynamically determined based
on outcome of the specified Groovy script.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
{
"@class": "org.apereo.cas.services.CasRegisteredService",
"serviceId" : "testId",
"name" : "testId",
"id": 1,
"accessStrategy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"unauthorizedRedirectUrl" : "file:/etc/cas/config/unauthz-redirect-url.groovy",
"requiredAttributes" : {
"@class" : "java.util.HashMap",
"cn" : [ "java.util.HashSet", [ "super-user" ] ]
}
}
}
The script itself may take the following form:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
import org.apereo.cas.*
import org.apereo.cas.web.support.*
import java.util.*
import java.net.*
import org.apereo.cas.authentication.*
URI run(final Object... args) {
def (registeredService,authentication,requestContext,applicationContext,logger) = args
def username = authentication.principal.attributes["cn"][0] as String
logger.info("Building URL for service {} and username {}", registeredService.name, username)
/**
* Stuff happens...
*/
return new URI("https://www.github.com");
}
The following parameters are provided to the script:
Field | Description |
---|---|
registeredService |
The object representing the matching registered service in the registry. |
authentication |
The Authentication object representing the active authentication transaction and principal. |
requestContext |
The object representing the Spring Webflow RequestContext . |
applicationContext |
The object representing the Spring ApplicationContext . |
logger |
The object responsible for issuing log messages such as logger.info(...) . |
To prepare CAS to support and integrate with Apache Groovy, please review this guide.