This is DefaultRegisteredServiceAccessStrategy
that allows the following rules:
A service may be disallowed to use CAS for authentication
A service may be disallowed to take part in CAS single sign-on such that
presentation of credentials would always be required.
A service may be prohibited from receiving a service ticket
if the existing principal attributes don't contain the required attributes
that otherwise grant access to the service.