WORKERS AHEAD!

You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. You are most encouraged to test the changes presented.

Configuring Service Matching Strategy

Authentication requests that carry a client application identifier are compared against the service identifier that is assigned to a service definition. By default, the service identifier is treated as a regular expression pattern that needs to be properly encoded and defined for matching operation to successfully execute. This strategy can be defined on a per-service basis to allow for alternative options or a full strategy implementation that may want to take external factors and variables into account.

Usage

Note that you cannot whitelist an IP address of an application. You can only whitelist the application URL. The identifier of the application is almost always its URL; not its source or origin. In scenarios where an application might present the same IP address and multiple URLs, each URL would then needs to registered with CAS, or you may come up with a unifying pattern that captures all URL forms.

This is the default option that treats the serviceId as a regular expression. With this option, CAS tries to match the expression against the entire requested service identifier and implicitly adds a ^ at the start and $ at the end of the defined pattern, meaning it will not look for substring matches.

A sample JSON file follows:

{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "serviceId": "https://.*",
  "name": "sample",
  "id": 1,
  "matchingStrategy": {
    "@class": "org.apereo.cas.services.FullRegexRegisteredServiceMatchingStrategy"
  }
}

This strategy treats the serviceId as a regular expression. With this option, CAS will look and allow for substring matches.

A sample JSON file follows:

{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "serviceId": "\\d\\d\\d",
  "name": "sample",
  "id": 1,
  "matchingStrategy": {
    "@class": "org.apereo.cas.services.PartialRegexRegisteredServiceMatchingStrategy"
  }
}

For example, the above pattern will match against https://example123.com.

This strategy treats the serviceId as a literal text and will look for exact matches. This might be useful in scenarios where you may not wish to deal with encoding individual/special characters such as ? in the URL.

A sample JSON file follows:

{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "serviceId": "https://example.com?key=value",
  "name": "sample",
  "id": 1,
  "matchingStrategy": {
    "@class": "org.apereo.cas.services.LiteralRegisteredServiceMatchingStrategy",
    "caseInsensitive": true
  }
}