This repository has been archived by the owner on Nov 3, 2017. It is now read-only.

Role Based Services Authorization

Misagh Moayyed edited this page Sep 27, 2013 · 17 revisions

Since version 1.5 there is a facility in cas-addons that adds a coarse-grained, role-based authorization capability to the CAS server. It is based on a custom, generic set of authorization attributes configured for each registered service (which could mean anything, e.g. roles) and a Spring Web Flow action state implementation which compares this set with the set of attributes of the authenticated principal and makes an authorization decision based on these two sets. If authorization fails, the login flow is halted and no service ticket is vended.

The service authorization action state is further parameterized with a strategy API, RegisteredServiceAuthorizer, and a default implementation is provided out of the box (it simply computes the intersection of the two sets of attributes and, if any one value matches, authorizes further processing).

Configuration

Make sure that appropriate attribute repository is configured and linked to principal resolver(s).

In servicesRegistry.conf

For each service configure authzAttributes and unauthorizedRedirectUrl within extraAttributes:

{
    "services":[
        {
            "id":1,
            "serviceId":"https://my.super.service.example.com",
            "extraAttributes": {
                "authzAttributes":{
                    "memberOf":["group1", "group2"]
                },
                "unauthorizedRedirectUrl":"https://unauthorized.example.com"
            }
        }
    ]
}

The authorization rules, as shown above, are defined per service inside the service registry config file. The authzAttributes entry defines the attribute names and values that the principal is required to carry in order to have access to the application. This means that a service ticket is only granted for the application if the principal is ascribed the given set of attributes, whose values must match the given configuration.

If the authorization fails, the user is redirected to unauthorizedRedirectUrl where guidance and instructions may be presented.

The default behavior uses a simple intersection of both sets of service attributes and principal attributes that are resolved. It then authorizes further processing if any of the values from this intersection are available to the principal. So for instance, the above configuration notes that:

In order for an authenticated principal to be granted access to the application whose URL matches the serviceId above, it must have the attribute memberOf with a value of either group1 OR group2. Otherwise, the principal is redirected to https://unauthorized.example.com.
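To make the default decision rule concrete, here is an added, stand-alone Python model of it; it is not cas-addons code and does not use the RegisteredServiceAuthorizer API. It loads a constructed registry excerpt in the servicesRegistry.conf shape shown above, looks a service up by exact serviceId (an assumption; the real registry matches service URLs against the serviceId pattern), intersects the configured authzAttributes with the principal's attributes, and returns the unauthorizedRedirectUrl when nothing matches. It also handles single-valued principal attributes, which real attribute repositories frequently return instead of lists. How a service with no authzAttributes at all is treated is not stated on this page; the `decide` function's choice to allow it is marked as an assumption.

```python
import json

# Constructed registry excerpt mirroring the servicesRegistry.conf shape on this page.
SERVICES_REGISTRY = json.loads("""
{
  "services": [
    {
      "id": 1,
      "serviceId": "https://my.super.service.example.com",
      "extraAttributes": {
        "authzAttributes": {"memberOf": ["group1", "group2"]},
        "unauthorizedRedirectUrl": "https://unauthorized.example.com"
      }
    }
  ]
}
""")


def as_set(value):
    """Normalise a single- or multi-valued attribute into a set of strings.

    Attribute repositories may return a bare string for a single value and a
    list for multiple values; both must compare against the configured list.
    """
    if value is None:
        return set()
    if isinstance(value, (list, tuple, set)):
        return {str(v) for v in value}
    return {str(value)}


def authorize(authz_attributes, principal_attributes):
    """Default-authorizer semantics as described on the page: if any one
    configured value is present among the principal's values for the same
    attribute name, further processing is authorized."""
    for name, required in authz_attributes.items():
        if as_set(required) & as_set(principal_attributes.get(name)):
            return True
    return False


def decide(registry, service_id, principal_attributes):
    """Return (authorized, redirect_url) for the registered service.

    redirect_url is None when access is granted and the configured
    unauthorizedRedirectUrl when it is denied.
    """
    for svc in registry["services"]:
        if svc["serviceId"] != service_id:  # assumption: exact match on serviceId
            continue
        extra = svc.get("extraAttributes", {})
        authz = extra.get("authzAttributes")
        if not authz:
            # Assumption (not stated on the page): no authzAttributes, no constraint.
            return True, None
        if authorize(authz, principal_attributes):
            return True, None
        return False, extra.get("unauthorizedRedirectUrl")
    raise KeyError("service not registered: %s" % service_id)


if __name__ == "__main__":
    svc = "https://my.super.service.example.com"
    print(decide(SERVICES_REGISTRY, svc, {"memberOf": ["group2", "staff"]}))
    print(decide(SERVICES_REGISTRY, svc, {"memberOf": "group3"}))
```

Note that a principal with no memberOf attribute at all is denied and redirected, exactly like one whose groups simply do not match; a missing attribute never passes the intersection test.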

In serviceAuthorizationContext.xml

In WEB-INF/spring-configuration/serviceAuthorizationContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:cas="http://unicon.net/schema/cas"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://unicon.net/schema/cas http://unicon.net/schema/cas/cas-addons.xsd">

    <cas:service-authorization-action/>

</beans>

If you wish to plug in a different type of authorizer, define a bean implementing the RegisteredServiceAuthorizer interface and set the authorizer attribute:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:cas="http://unicon.net/schema/cas"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://unicon.net/schema/cas http://unicon.net/schema/cas/cas-addons.xsd">

    <bean id="myAuthorizer" class="com.mycompany.MyCustomAuthorizer"/>

    <cas:service-authorization-action authorizer="myAuthorizer"/>

</beans>

In WEB-INF/login-webflow.xml

    ...

    <action-state id="generateServiceTicket">
        <evaluate expression="serviceAuthorizationAction"/>
        <evaluate expression="generateServiceTicketAction"/>
        <transition on="success" to="warn"/>
        <transition on="error" to="generateLoginTicket"/>
        <transition on="gateway" to="gatewayServicesManagementCheck"/>
    </action-state>

    ...

    <end-state id="serviceAuthorizationFailureRedirectView" view="externalRedirect:${requestScope.authorizationFailureRedirectUrl}"/>

    <global-transitions>
        ... 
        <transition to="serviceAuthorizationFailureRedirectView" on-exception="net.unicon.cas.addons.serviceregistry.services.authorization.RoleBasedServiceAuthorizationException"/>
    </global-transitions>

    <bean-import resource="spring-configuration/serviceAuthorizationContext.xml"/>
