/**
 * Reports whether access to the service is allowed, delegating the decision
 * to the Groovy-backed strategy instance.
 * <p>
 * The delegate is created lazily, so it is (re)built first if it does not
 * exist yet; the answer is then whatever that delegate returns. Excluded
 * from JSON serialization since it is a computed value, not state.
 *
 * @return the delegate's verdict on service access
 */
@Override
@JsonIgnore
public boolean isServiceAccessAllowed() {
    // Make sure the lazily-built Groovy delegate exists before consulting it.
    buildGroovyAccessStrategyInstanceIfNeeded();
    return groovyStrategyInstance.isServiceAccessAllowed();
}
/**
 * Encodes the attributes that are about to be released to a service.
 * <p>
 * The caller's map is never mutated: a copy is taken, {@code initialize}
 * is invoked on that copy, and encoding via {@code cipherExecutor} is only
 * performed when the registered service exists and its access strategy
 * currently allows access. For an unknown or disabled service the copy is
 * returned unchanged (without encoding) and a debug message is logged.
 * NOTE(review): this method does not itself reject an unknown/disabled
 * service; that decision is left to the caller.
 *
 * @param attributes        the attributes to encode
 * @param registeredService the registered service definition; may be {@code null}
 * @return a new map holding the (possibly encoded) attributes
 */
@Override
public Map<String, Object> encodeAttributes(final Map<String, Object> attributes, final RegisteredService registeredService) {
    LOGGER.trace("Starting to encode attributes for release to service [{}]", registeredService);
    // Defensive copy: the input map must stay untouched.
    final HashMap<String, Object> encoded = new HashMap<String, Object>(attributes);
    val pendingEncoding = initialize(encoded);

    final boolean serviceUsable = registeredService != null
        && registeredService.getAccessStrategy().isServiceAccessAllowed();
    if (!serviceUsable) {
        LOGGER.debug("Service is not found/enabled in the service registry so no encoding has taken place.");
        return encoded;
    }

    encodeAttributesInternal(encoded, pendingEncoding, this.cipherExecutor, registeredService);
    LOGGER.debug("[{}] encoded attributes are available for release to [{}]: [{}]",
        encoded.size(), registeredService, encoded.keySet());
    return encoded;
}
/**
 * Decides whether this component applies to the given authentication transaction.
 * <p>
 * A transaction without a service is simply not supported. When a service is
 * present, it must resolve to a registered service whose access strategy
 * allows access; otherwise the transaction is rejected outright with
 * {@link UnauthorizedSsoServiceException} (an unknown service and a disabled
 * service are treated the same way). For an allowed service the answer is
 * whether that registration declares any required handlers.
 *
 * @param handlers    the available authentication handlers (not consulted here)
 * @param transaction the authentication transaction
 * @return {@code true} if the registered service declares required handlers
 * @throws UnauthorizedSsoServiceException if the service is unknown or access is denied
 */
@Override
public boolean supports(final Set<AuthenticationHandler> handlers, final AuthenticationTransaction transaction) {
    val service = transaction.getService();
    if (service == null) {
        return false;
    }

    val registeredService = this.servicesManager.findServiceBy(service);
    LOGGER.trace("Located registered service definition [{}] for this authentication transaction", registeredService);

    // Unknown and disabled services are rejected identically: fail closed.
    final boolean accessAllowed = registeredService != null
        && registeredService.getAccessStrategy().isServiceAccessAllowed();
    if (!accessAllowed) {
        LOGGER.warn("Service [{}] is not allowed to use SSO.", service);
        throw new UnauthorizedSsoServiceException();
    }
    return !registeredService.getRequiredHandlers().isEmpty();
}
/**
 * Verifies that a service may be accessed, failing closed otherwise.
 * <p>
 * Three conditions are checked in order and each one that fails is logged
 * at WARN and turned into an {@link UnauthorizedServiceException}:
 * the service is not registered at all, its access strategy denies access,
 * or {@code ensureServiceIsNotExpired} reports it as expired (this last
 * case carries {@code CODE_EXPIRED_SERVICE}, the others
 * {@code CODE_UNAUTHZ_SERVICE}). The caller-supplied service id is
 * embedded in the exception message.
 *
 * @param service           the service identifier, used only for messages
 * @param registeredService the registered service definition; may be {@code null}
 * @throws UnauthorizedServiceException if the service is unknown, disabled or expired
 */
public static void ensureServiceAccessIsAllowed(final String service, final RegisteredService registeredService) {
    if (registeredService == null) {
        final String reason = String.format("Unauthorized Service Access. Service [%s] is not found in service registry.", service);
        LOGGER.warn(reason);
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, reason);
    }

    final boolean accessAllowed = registeredService.getAccessStrategy().isServiceAccessAllowed();
    if (!accessAllowed) {
        final String reason = String.format("Unauthorized Service Access. Service [%s] is not enabled in service registry.", service);
        LOGGER.warn(reason);
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, reason);
    }

    // Expiry is checked last and reported with its own code so callers can tell it apart.
    final boolean stillValid = ensureServiceIsNotExpired(registeredService);
    if (!stillValid) {
        final String reason = String.format("Expired Service Access. Service [%s] has been expired", service);
        LOGGER.warn(reason);
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_EXPIRED_SERVICE, reason);
    }
}
/**
 * Confirms that the authenticating service is registered and enabled.
 * <p>
 * Both failure modes — no registry entry, or an access strategy that denies
 * access — are logged at WARN with the service id and rejected with
 * {@link UnauthorizedServiceException} carrying {@code CODE_UNAUTHZ_SERVICE}.
 * Nothing is returned on success.
 *
 * @param registeredService the located registry entry; may be {@code null}
 * @param service           the authenticating service, used for its id in messages
 * @throws UnauthorizedServiceException if the service is unknown or access is denied
 */
private static void verifyRegisteredServiceProperties(final RegisteredService registeredService, final Service service) {
    if (registeredService == null) {
        final String reason = String.format("Service [%s] is not found in service registry.", service.getId());
        LOGGER.warn(reason);
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, reason);
    }

    final boolean accessAllowed = registeredService.getAccessStrategy().isServiceAccessAllowed();
    if (accessAllowed) {
        return;
    }
    final String reason = String.format("ServiceManagement: Unauthorized Service Access. "
        + "Service [%s] is not enabled in service registry.", service.getId());
    LOGGER.warn(reason);
    throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, reason);
}
/**
 * Looks up a JWT secret stored as a property on a registered service.
 * <p>
 * The service must exist and its access strategy must allow access;
 * otherwise an {@link UnauthorizedServiceException} is raised. If the
 * property is present and its value is not blank, that value is returned.
 * A missing property, or one whose value is blank, yields {@code null}
 * after a WARN log. Only the property <em>name</em> is ever logged — the
 * secret value itself is never written to the log.
 *
 * @param service  the registered service; may be {@code null}
 * @param propName the name of the property holding the secret
 * @return the non-blank secret value, or {@code null} if not defined
 * @throws UnauthorizedServiceException if the service is unknown or access is denied
 */
protected static String getRegisteredServiceJwtSecret(final RegisteredService service, final String propName) {
    final boolean serviceUsable = service != null && service.getAccessStrategy().isServiceAccessAllowed();
    if (!serviceUsable) {
        LOGGER.debug("Service is not defined/found or its access is disabled in the registry");
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE);
    }

    // Presence is checked via containsKey so that an explicitly-mapped entry is honoured as-is.
    if (service.getProperties().containsKey(propName)) {
        final RegisteredServiceProperty secretProperty = service.getProperties().get(propName);
        final String secretValue = secretProperty.getValue();
        if (StringUtils.isNotBlank(secretValue)) {
            // Log the property name only; never the secret.
            LOGGER.debug("Found the secret value [{}] for service [{}]", propName, service.getServiceId());
            return secretValue;
        }
    }
    LOGGER.warn("Service [{}] does not define a property [{}] in the registry", service.getServiceId(), propName);
    return null;
}
}
/**
 * Resolves a service id to a SAML registered service, enforcing access.
 * <p>
 * Rejects (with {@link UnauthorizedServiceException}) a blank id, an id
 * that does not match any registry entry, an entry whose access strategy
 * denies access, and an entry that is not a {@link SamlRegisteredService}.
 * The id originates from the caller, so it is only used for registry
 * lookup and for log messages.
 *
 * @param serviceId the service identifier to resolve
 * @return the matching SAML registered service
 * @throws UnauthorizedServiceException if the id is blank, unknown, disabled or not a SAML service
 */
protected SamlRegisteredService verifySamlRegisteredService(final String serviceId) {
    if (StringUtils.isBlank(serviceId)) {
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE,
            "Could not verify/locate SAML registered service since no serviceId is provided");
    }

    LOGGER.debug("Checking service access in CAS service registry for [{}]", serviceId);
    val lookupService = this.webApplicationServiceFactory.createService(serviceId);
    val registeredService = this.servicesManager.findServiceBy(lookupService);

    final boolean accessAllowed = registeredService != null
        && registeredService.getAccessStrategy().isServiceAccessAllowed();
    if (!accessAllowed) {
        LOGGER.warn("[{}] is not found in the registry or service access is denied. Ensure service is registered in service registry", serviceId);
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE);
    }

    // A registered but non-SAML match is still a rejection.
    if (!(registeredService instanceof SamlRegisteredService)) {
        LOGGER.error("CAS has found a match for service [{}] in registry but the match is not defined as a SAML service", serviceId);
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE);
    }
    final SamlRegisteredService samlService = (SamlRegisteredService) registeredService;
    LOGGER.debug("Located SAML service in the registry as [{}] with the metadata location of [{}]",
        samlService.getServiceId(), samlService.getMetadataLocation());
    return samlService;
}
/**
 * Reads a JWT-related property value from a registered service definition.
 * <p>
 * The service must exist and its access strategy must allow access, else
 * an {@link UnauthorizedServiceException} is raised. When the property is
 * assigned to the service its value is returned verbatim (no blank check
 * is performed here); when it is not, a WARN is logged and {@code null}
 * is returned.
 *
 * @param service  the registered service; may be {@code null}
 * @param propName the property to read
 * @return the property's value, or {@code null} if the service does not define it
 * @throws UnauthorizedServiceException if the service is unknown or access is denied
 */
protected String getRegisteredServiceJwtProperty(final RegisteredService service, final RegisteredServiceProperty.RegisteredServiceProperties propName) {
    final boolean serviceUsable = service != null && service.getAccessStrategy().isServiceAccessAllowed();
    if (!serviceUsable) {
        LOGGER.debug("Service is not defined/found or its access is disabled in the registry");
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE);
    }

    if (!propName.isAssignedTo(service)) {
        LOGGER.warn("Service [{}] does not define a property [{}] in the registry", service.getServiceId(), propName);
        return null;
    }
    return propName.getPropertyValue(service).getValue();
}
if (rService == null || !rService.getAccessStrategy().isServiceAccessAllowed()) { LOGGER.warn("No registered service is found to match [{}] or access is denied. Using default theme [{}]", service, getDefaultThemeName()); return rememberThemeName(request);
/**
 * Determines whether single logout is supported for the given service.
 * <p>
 * The incoming service is first mapped through the configured selection
 * strategies and then looked up in the registry. Support requires all of:
 * a registry match, an access strategy that allows access, and a logout
 * type other than {@code NONE}; only then is {@code supportsInternal}
 * consulted for the final answer. Any earlier failure yields {@code false}.
 *
 * @param singleLogoutService the service being logged out
 * @return {@code true} if single logout applies to this service
 */
@Override
public boolean supports(final WebApplicationService singleLogoutService) {
    final WebApplicationService resolved = (WebApplicationService) this.authenticationRequestServiceSelectionStrategies.resolveService(singleLogoutService);
    val registeredService = this.servicesManager.findServiceBy(resolved);

    if (registeredService == null) {
        return false;
    }
    if (!registeredService.getAccessStrategy().isServiceAccessAllowed()) {
        return false;
    }
    // Services that opted out of logout are never supported.
    if (registeredService.getLogoutType() == RegisteredServiceLogoutType.NONE) {
        return false;
    }
    return supportsInternal(singleLogoutService, registeredService);
}
/**
 * Resolves the attributes of a principal through the service's release policy.
 * <p>
 * The registered service must be present and its access strategy must
 * allow access; otherwise an {@link UnauthorizedServiceException} is
 * raised (the log message in that case only mentions the service id).
 * When the service carries no attribute release policy, the principal's
 * own attributes are returned untouched; when it does, the policy is
 * asked to produce the attributes for this principal and service.
 *
 * @param p                 the principal
 * @param service           the service requesting attributes
 * @param registeredService the registered service definition; may be {@code null}
 * @return the attributes to release for this principal
 * @throws UnauthorizedServiceException if the service is unknown or access is denied
 */
protected Map<String, Object> getPrincipalAttributesFromReleasePolicy(final Principal p, final Service service, final RegisteredService registeredService) {
    final boolean accessAllowed = registeredService != null
        && registeredService.getAccessStrategy().isServiceAccessAllowed();
    if (!accessAllowed) {
        LOGGER.debug("Could not locate service [{}] in the registry.", service.getId());
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE);
    }

    LOGGER.debug("Located service [{}] in the registry. Attempting to resolve attributes for [{}]", registeredService, p.getId());
    val releasePolicy = registeredService.getAttributeReleasePolicy();
    if (releasePolicy == null) {
        // No policy means the principal's attributes pass through unfiltered.
        LOGGER.debug("No attribute release policy is defined for [{}]. Returning default principal attributes", service.getId());
        return p.getAttributes();
    }
    return releasePolicy.getAttributes(p, service, registeredService);
}
}
/**
 * Webflow action that gates the flow on the requested service being
 * registered and enabled.
 * <p>
 * The service is pulled from the request context and matched against the
 * registry. No match, or a match whose access strategy denies access,
 * ends the flow with an {@link UnauthorizedServiceException} after a WARN
 * log. In the denied-access case the strategy's unauthorized redirect URL
 * (configured on the registry entry, not taken from the request) is
 * placed into flow scope first. Otherwise the action succeeds.
 * NOTE(review): a {@code null} service from {@code WebUtils.getService}
 * is not guarded here — verify upstream that it cannot be null.
 *
 * @param context the webflow request context
 * @return the success event when the service is registered and enabled
 * @throws UnauthorizedServiceException if the service is unknown or access is denied
 * @throws Exception propagated from the webflow framework
 */
@Override
protected Event doExecute(final RequestContext context) throws Exception {
    final Service requestedService = WebUtils.getService(context);
    final RegisteredService registeredService = this.servicesManager.findServiceBy(requestedService);

    if (registeredService == null) {
        final String reason = String.format("Service Management: Unauthorized Service Access. "
            + "Service [%s] does not match entries in service registry.", requestedService.getId());
        logger.warn(reason);
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, reason);
    }

    final boolean accessAllowed = registeredService.getAccessStrategy().isServiceAccessAllowed();
    if (accessAllowed) {
        return success();
    }
    final String reason = String.format("Service Management: Access to service [%s] "
        + "is disabled by the service registry.", requestedService.getId());
    logger.warn(reason);
    // Expose the registry-configured redirect so the error view can send the user there.
    WebUtils.putUnauthorizedRedirectUrlIntoFlowScope(context, registeredService.getAccessStrategy().getUnauthorizedRedirectUrl());
    throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, reason);
}
}
throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, msg); if (!registeredService.getAccessStrategy().isServiceAccessAllowed()) { final String msg = String.format("Service Management: Unauthorized Service Access. " + "Service [%s] is not allowed access via the service registry.", service.getId());
val notBeforeIssueInstant = ZonedDateTime.parse("2003-04-17T00:46:02Z"); val registeredService = servicesManager.findServiceBy(service); if (registeredService == null || !registeredService.getAccessStrategy().isServiceAccessAllowed()) { throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE);
if (registeredService != null && registeredService.getAccessStrategy().isServiceAccessAllowed()) { logger.debug("Placing registered service [{}] with id [{}] in context scope", registeredService.getServiceId(),
final RegisteredService rService = this.servicesManager.findServiceBy(webAppService); if (rService != null && rService.getAccessStrategy().isServiceAccessAllowed()) { context.getFlowScope().put("logoutRedirectUrl", service);