Fix for CAS-1019 (services with allowedToProxy=false able to obtain PTs from existing PGTs) #16

Closed
wants to merge 2 commits into from


@dima767 dima767 commented Dec 20, 2011

Registered services with allowedToProxy=false in their registration are, with this change, no longer allowed to obtain proxy tickets even if they have been issued outstanding Proxy Granting Tickets. Without this change, a registered service continues to be able to obtain proxy tickets from its currently held proxy granting tickets even if its registration is updated to disallow its proxying.

final List<Authentication> authns = ticketGrantingTicket.getChainedAuthentications();
if(authns.size() > 1) {
if (!registeredService.isAllowedToProxy()) {
log.warn("ServiceManagement: Service Attempted to Proxy, but is not allowed. Service: [" + service.getId() + "]");
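
Review bot: the `log.warn` line concatenates `service.getId()` into the message unchanged. That value is the service identifier seen at runtime, so replace CR/LF and other control characters before logging it; otherwise a crafted identifier can split the warning into what looks like several log entries. Two smaller points on the lines above it: the nested conditions can be merged into a single `if (authns.size() > 1 && !registeredService.isAllowedToProxy())`, and `if(` should be spaced as `if (` to match the line that follows.
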
Contributor

This log message might be even more helpful if it also logged the registeredService. That way if the service's not being permitted to proxy is a surprise, it's easier to determine what registration matched and caused the disallow.

Contributor Author

Will try to do that

Contributor Author

This is already being logged:

ServiceManagement: Service Attempted to Proxy, but is not allowed. Service: [http://otherserver/legacy/service]

Nothing to do here.

Contributor

I'm drawing a distinction between the service.getId(), which is the service URL parameter encountered at runtime, vs the registeredService, which has a name, a service identifier that's potentially a pattern that matched the service encountered at runtime, and a unique identifier that allows finding it in the registry. I'm suggesting that both the service and the registeredService should be included in the log message that a service (encountered at runtime) was not allowed to proxy (because of its registration), so that when reviewing this failure in the logs, it's even more readily apparent which registration matched and gave rise to the failure.
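
The behaviour this pull request describes, together with the logging suggested in the review thread above, as an added example that is not code from the pull request or from CAS: the proxy permission is re-read from the registry each time a ticket is requested, so a proxy granting ticket issued earlier stops working once the registration is changed, and the warning names both the runtime service and the registration that matched it. `Registration`, `REGISTRY`, `match`, `clean` and `mayIssueTicket` are hypothetical names, the control-character cleanup goes beyond what the thread discusses, and records need Java 16 or later.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;
import java.util.logging.Logger;
import java.util.regex.Pattern;

// Hypothetical model for illustration; these are not CAS classes.
public class ProxyPolicyDemo {
    // A registration has a unique id, a name, and a service id that may be a pattern.
    record Registration(long id, String name, Pattern serviceId, boolean allowedToProxy) {}

    static final Logger LOG = Logger.getLogger("ServiceManagement");
    // Mutable registry: an entry can be replaced while proxy granting tickets are outstanding.
    static final Map<Long, Registration> REGISTRY = new LinkedHashMap<>();

    static Optional<Registration> match(String serviceUrl) {
        return REGISTRY.values().stream()
                .filter(r -> r.serviceId().matcher(serviceUrl).matches())
                .findFirst();
    }

    // Replace CR/LF and other control characters so a runtime value cannot forge log lines.
    static String clean(String s) {
        return s.replaceAll("\\p{Cntrl}", "_");
    }

    // chainLength stands in for getChainedAuthentications().size(); > 1 means a proxy chain.
    static boolean mayIssueTicket(String serviceUrl, int chainLength) {
        Registration reg = match(serviceUrl).orElse(null);
        if (reg == null) {
            return false; // unregistered services get nothing
        }
        if (chainLength > 1 && !reg.allowedToProxy()) {
            LOG.warning("Service attempted to proxy, but is not allowed. Service: ["
                    + clean(serviceUrl) + "] Matched registration: [id=" + reg.id()
                    + ", name=" + reg.name() + ", serviceId=" + reg.serviceId() + "]");
            return false;
        }
        return true;
    }

    public static void main(String[] args) {
        String url = "http://otherserver/legacy/service"; // constructed sample value
        Pattern p = Pattern.compile("http://otherserver/.*");
        REGISTRY.put(1L, new Registration(1, "legacy", p, true));
        System.out.println(mayIssueTicket(url, 2)); // proxy chain while proxying is allowed
        REGISTRY.put(1L, new Registration(1, "legacy", p, false)); // registration updated
        System.out.println(mayIssueTicket(url, 2)); // same chain after the update
        System.out.println(mayIssueTicket(url, 1)); // non-proxy request is unaffected
    }
}
```
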

Contributor Author

dima767 commented Dec 21, 2011

Closing this pull request in favor of instead pursuing pull request #18, the one with the one on the master branch - the "clean" one with one commit.

#18

@dima767 dima767 closed this Dec 21, 2011