Role Based Services Authorization
Since version 1.5 there is a facility in cas-addons that adds a coarse-grained, role-based authorization capability to the CAS server. It is based on a custom, generic set of authorization attributes configured for each registered service (these can represent anything, e.g. roles) and a Spring Web Flow action state implementation that compares this set with the attributes of the authenticated principal and makes an authorization decision from the two sets. If authorization fails, the login flow is halted and no service ticket is vended.

The service authorization action state is further parameterized with a strategy, the RegisteredServiceAuthorizer API. A default implementation is provided out of the box: it simply intersects the two attribute sets and, if any one value matches, authorizes further processing.
Make sure that an appropriate attribute repository is configured and linked to the principal resolver(s).

For each service, configure authzAttributes and unauthorizedRedirectUrl within extraAttributes:
    {
      "services": [
        {
          "id": 1,
          "serviceId": "https://my.super.service.example.com",
          "extraAttributes": {
            "authzAttributes": {
              "memberOf": ["group1", "group2"]
            },
            "unauthorizedRedirectUrl": "https://unauthorized.example.com"
          }
        }
      ]
    }
The authorization rules, as shown above, are defined per service inside the service registry config file. authzAttributes defines the attribute names and values that the principal is required to carry in order to have access to the application. This means that a service ticket is only granted for the application if the principal is ascribed the given set of attributes, whose values must match the given configuration. If the authorization fails, the user is redirected to unauthorizedRedirectUrl, where guidance and instructions may be presented.

The default behavior takes a simple intersection of the service's authorization attributes and the principal's resolved attributes. It then authorizes further processing if any value from that intersection is held by the principal. So, for instance, the configuration above states that in order for an authenticated principal to be granted access to the application whose URL matches the serviceId above, it must have the attribute memberOf with a value of either group1 OR group2. Otherwise, the principal is redirected to https://unauthorized.example.com.
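To make the default any-value-match rule concrete, here is an added example in Java (not cas-addons code) that implements the per-attribute intersection described above and applies it to the service definition from the JSON block. The nested RegisteredServiceAuthorizer interface is a stand-in whose method signature is an assumption; the names AnyValueMatchAuthorizer, toStringSet and decide are hypothetical too. The third principal shows that a matching value under a different attribute name does not authorize, because the intersection is taken per attribute name.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example, not cas-addons code. The nested interface is a stand-in for the
// project's RegisteredServiceAuthorizer; its real method signature is assumed here.
public class AnyValueMatchAuthorizerExample {

    /** Assumed contract: service-side rules and principal attributes, both as name -> value(s) maps. */
    interface RegisteredServiceAuthorizer {
        boolean authorized(Map<String, Object> serviceAuthzAttributes,
                           Map<String, Object> principalAttributes);
    }

    /**
     * Mirrors the default behaviour described above: for each configured attribute,
     * intersect the required values with the principal's values for that attribute;
     * any non-empty intersection authorizes. A missing rule set or missing principal
     * attributes yields no match (this example fails closed).
     */
    static final class AnyValueMatchAuthorizer implements RegisteredServiceAuthorizer {
        @Override
        public boolean authorized(Map<String, Object> serviceAuthzAttributes,
                                  Map<String, Object> principalAttributes) {
            if (serviceAuthzAttributes == null || principalAttributes == null) {
                return false;
            }
            for (Map.Entry<String, Object> rule : serviceAuthzAttributes.entrySet()) {
                Set<String> required = toStringSet(rule.getValue());
                Set<String> held = toStringSet(principalAttributes.get(rule.getKey()));
                held.retainAll(required);           // set intersection, per attribute name
                if (!held.isEmpty()) {
                    return true;                    // e.g. memberOf contains group1 OR group2
                }
            }
            return false;
        }
    }

    /** Attribute repositories return either a single value or a collection; normalize both. */
    static Set<String> toStringSet(Object value) {
        Set<String> out = new HashSet<>();
        if (value instanceof Collection) {
            for (Object o : (Collection<?>) value) {
                if (o != null) {
                    out.add(o.toString());
                }
            }
        } else if (value != null) {
            out.add(value.toString());
        }
        return out;
    }

    /** Decision the action state acts on: continue, or redirect to the service's unauthorizedRedirectUrl. */
    static String decide(RegisteredServiceAuthorizer authorizer, Map<String, Object> authz,
                         Map<String, Object> principal, String unauthorizedRedirectUrl) {
        return authorizer.authorized(authz, principal)
                ? "authorized: continue to generateServiceTicketAction"
                : "denied: redirect to " + unauthorizedRedirectUrl;
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the JSON service definition above.
        Map<String, Object> authz = new HashMap<>();
        authz.put("memberOf", Arrays.asList("group1", "group2"));
        String redirect = "https://unauthorized.example.com";

        Map<String, Object> alice = new HashMap<>();
        alice.put("memberOf", Arrays.asList("staff", "group2"));   // group2 matches
        Map<String, Object> bob = new HashMap<>();
        bob.put("memberOf", "group3");                             // single value, no match
        Map<String, Object> carol = new HashMap<>();
        carol.put("department", "group1");                         // right value, wrong attribute name

        RegisteredServiceAuthorizer authorizer = new AnyValueMatchAuthorizer();
        System.out.println("alice -> " + decide(authorizer, authz, alice, redirect));
        System.out.println("bob   -> " + decide(authorizer, authz, bob, redirect));
        System.out.println("carol -> " + decide(authorizer, authz, carol, redirect));
    }
}
```

Because the intersection is taken attribute by attribute, the attribute names in authzAttributes must match the names the configured attribute repository releases for the principal; a mismatch in name (not just value) is a silent denial, which is worth checking first when a legitimate user lands on the unauthorized page.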
In WEB-INF/spring-configuration/serviceAuthorizationContext.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:cas="http://unicon.net/schema/cas"
           xsi:schemaLocation="http://www.springframework.org/schema/beans
                               http://www.springframework.org/schema/beans/spring-beans.xsd
                               http://unicon.net/schema/cas http://unicon.net/schema/cas/cas-addons.xsd">

        <cas:service-authorization-action/>

    </beans>
If you wish to plug in a different type of authorizer, define a bean implementing the RegisteredServiceAuthorizer interface and set the authorizer attribute:

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:cas="http://unicon.net/schema/cas"
           xsi:schemaLocation="http://www.springframework.org/schema/beans
                               http://www.springframework.org/schema/beans/spring-beans.xsd
                               http://unicon.net/schema/cas http://unicon.net/schema/cas/cas-addons.xsd">

        <bean id="myAuthorizer" class="com.mycompany.MyCustomAuthorizer"/>

        <cas:service-authorization-action authorizer="myAuthorizer"/>

    </beans>
Then wire the action into the CAS login web flow: evaluate serviceAuthorizationAction before generateServiceTicketAction, add an end state that redirects to the failure URL, route the authorization exception to that end state with a global transition, and import the context file above:

    ...
    <action-state id="generateServiceTicket">
        <evaluate expression="serviceAuthorizationAction"/>
        <evaluate expression="generateServiceTicketAction"/>
        <transition on="success" to="warn"/>
        <transition on="error" to="generateLoginTicket"/>
        <transition on="gateway" to="gatewayServicesManagementCheck"/>
    </action-state>
    ...
    <end-state id="serviceAuthorizationFailureRedirectView"
               view="externalRedirect:${requestScope.authorizationFailureRedirectUrl}"/>

    <global-transitions>
        ...
        <transition to="serviceAuthorizationFailureRedirectView"
                    on-exception="net.unicon.cas.addons.serviceregistry.services.authorization.RoleBasedServiceAuthorizationException"/>
    </global-transitions>

    <bean-import resource="spring-configuration/serviceAuthorizationContext.xml"/>
- Recorded webinar about the experience of implementing this feature at Fordham, the project from which this cas-addons code derives
- Slideware from the Jasig-Sakai conference at which the solution was presented