Hi David, Thanks for that... For my case, I authenticate against a RADIUS source, and RADIUS returns me some attributes of which one will contain the actual principal to use. I know I can extend the JRadiusServerImpl class which will have access to the RADIUS AccessAccept packet and its attributes (I've experimented with that thus far and have got access to my attribute in question).
I'm still puzzled by how I get the value of the attribute back to the Credentials object... do I update the UsernamePasswordCredentials object with that attribute's value? At the moment I'm still fiddling with CAS v3.5.2, so the interface of JRadiusServerImpl still uses an instance of UsernamePasswordCredentials in the authenticate() method. For v4.0.0, would I update the "username" String object?

An example: I try to access a Wiki which is protected by CAS. I use '[email protected]' with password 'moon' as the username and password in the login form. This goes off to RADIUS. RADIUS returns, in the Access-Accept packet, an attribute called 'Chargeable-User-Identity', which contains the name 'winuser5567'. 'winuser5567' is the actual user that the Wiki should be using.

Do I simply change my JRadiusServerImpl to say something like this in the authenticate() method:

    public boolean authenticate(final UsernamePasswordCredentials usernamePasswordCredentials) {
        final RadiusClient radiusClient = getNewRadiusClient();
        final AttributeList attributeList = new AttributeList();
        attributeList.add(new Attr_UserName(usernamePasswordCredentials.getUsername()));
        attributeList.add(new Attr_UserPassword(usernamePasswordCredentials.getPassword()));
        final AccessRequest request = new AccessRequest(radiusClient, attributeList);

        try {
            final RadiusPacket response = radiusClient.authenticate(request, radiusAuthenticator, this.retries);

            // accepted
            if (response instanceof AccessAccept) {
                LOG.debug("Authentication request succeeded for host:" + this.inetAddress.getCanonicalHostName()
                        + " and username " + usernamePasswordCredentials.getUsername());
                LOG.info("RADIUS response contained: " + response.toString());
                try {
                    // getAttributeValue() returns Object (a String or a byte[] depending on the
                    // dictionary type of the attribute), so convert it before using it as the
                    // username, and guard against the attribute being absent from the packet.
                    final Object cui = response.getAttributeValue("Chargeable-User-Identity");
                    if (cui == null) {
                        LOG.error("Chargeable-User-Identity attribute missing from Access-Accept");
                    } else {
                        final String returnedCUI = (cui instanceof byte[])
                                ? new String((byte[]) cui, Charset.forName("UTF-8"))
                                : String.valueOf(cui);
                        // Overwrite the typed username with the identity RADIUS told us to use.
                        usernamePasswordCredentials.setUsername(returnedCUI);
                    }
                } catch (final UnknownAttributeException e) {
                    LOG.error("No Chargeable-User-Identity attribute received");
                }
                // Note: the login still succeeds when no CUI came back; the credentials then
                // keep the username as typed in the form.
                return true;
            }

            // rejected
            LOG.debug("Authentication request failed for host:" + this.inetAddress.getCanonicalHostName()
                    + " and username " + usernamePasswordCredentials.getUsername());
            return false;
        } catch (final UnknownAttributeException e) {
            throw new IllegalArgumentException("Passed an unknown attribute to RADIUS client: " + e.getMessage());
        } catch (final RadiusException e) {
            throw new IllegalStateException("Received response that puts RadiusClient into illegal state: " + e.getMessage());
        }
    }

Or is there something more intricate involved? My apologies for possibly asking a very obvious question... The resolvers seem to work off the Credentials objects, so... *puzzled*

Regards
Stefan

> -----Original Message-----
> From: Ohsie, David [mailto:[email protected]]
> Sent: 12 July 2013 13:10
> To: [email protected]
> Subject: RE:[cas-dev] How to return updated principal to resolver when authenticator returns changed principal?
>
> I think that would be done in the CredentialsToPrincipalResolver which is called after the authentication:
>
> http://developer.jasig.org/projects/cas/cas-server-core/cas-server/cas-server-core/apidocs/org/jasig/cas/authentication/principal/CredentialsToPrincipalResolver.html
>
> There is a call "resolvePrincipal" that takes the credentials object and returns the Principal.
>
> If all you are doing is returning a different "username" and adding no "attributes", then I think that you can derive your class from this one:
> http://developer.jasig.org/projects/cas/cas-server-core/cas-server/cas-server-core/apidocs/org/jasig/cas/authentication/principal/UsernamePasswordCredentialsToPrincipalResolver.html
> and override the method "protected java.lang.String extractPrincipalId(Credentials credentials)".
>
> David Ohsie
> Software Architect
> EMC Corporation
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > Sent: Friday, July 12, 2013 5:28 AM
> > To: [email protected]
> > Subject: [cas-dev] How to return updated principal to resolver when authenticator returns changed principal?
> >
> > Hi,
> >
> > I'm working on a piece of infrastructure that might take a username and password, and when authentication is successful, return an updated principal to use. For example: Logging in with an email address and password may return a username that is not necessarily the username before the @ in the email address.
> >
> > How do I pass this updated principal back to the resolver/CAS to use instead of the principal it assumed it should use (and here I'm guessing it assumes it'll be the username before the @ in the email address)?
> >
> > Can someone help?
> >
> > Stefan Paetow
> > Software Engineer
> > +44 1235 778812
> > Diamond Light Source Ltd.
> > Diamond House, Harwell Science and Innovation Campus Didcot, Oxfordshire, OX11 0DE
> >
> > --
> > This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail.
> > Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd.
> > Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message.
> > Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
> >
> > --
> > You are currently subscribed to [email protected] as: [email protected]
> > To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
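Added example, not from the thread or from the CAS or JRadius projects: one way to carry the RADIUS-returned identity from the authentication handler to the principal resolver in CAS 3.5.x without mutating the typed username, along the lines David describes. The handler stores the Chargeable-User-Identity on a credentials subclass, and a resolver extending AbstractPersonDirectoryCredentialsToPrincipalResolver returns that stored id from extractPrincipalId(). The class names RadiusResolvedCredentials and RadiusCuiPrincipalResolver, the recordResolvedId() hook, the allowed-id pattern, and the wiring described in the comments are all assumptions about the deployment; the CAS types imported are the real 3.5 ones.

```java
import java.nio.charset.Charset;
import java.util.regex.Pattern;

import org.jasig.cas.authentication.principal.AbstractPersonDirectoryCredentialsToPrincipalResolver;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;

/**
 * Credentials that also carry the principal id the RADIUS server returned.
 * Assumption: the login webflow's "credentials" variable (login-webflow.xml)
 * is changed to instantiate this class instead of UsernamePasswordCredentials,
 * so the same object reaches both the handler and the resolver.
 * In a real build each class below lives in its own file.
 */
public class RadiusResolvedCredentials extends UsernamePasswordCredentials {
    private static final long serialVersionUID = 1L;
    private String resolvedPrincipalId;

    public String getResolvedPrincipalId() {
        return resolvedPrincipalId;
    }

    public void setResolvedPrincipalId(final String id) {
        this.resolvedPrincipalId = id;
    }

    /**
     * Hypothetical hook called from the RADIUS handler once the Access-Accept
     * has been parsed, with the raw value of Chargeable-User-Identity.
     * JRadius hands back a byte[] for octets-typed attributes and a String for
     * string-typed ones (assumption about the dictionary in use).
     */
    public static void recordResolvedId(final UsernamePasswordCredentials creds, final Object cuiValue) {
        if (!(creds instanceof RadiusResolvedCredentials) || cuiValue == null) {
            return;
        }
        final String cui = (cuiValue instanceof byte[])
                ? new String((byte[]) cuiValue, Charset.forName("UTF-8"))
                : String.valueOf(cuiValue);
        ((RadiusResolvedCredentials) creds).setResolvedPrincipalId(cui);
    }
}

/**
 * Resolver that prefers the RADIUS-supplied id over the typed username.
 * Assumption: wired as the CredentialsToPrincipalResolver paired with the
 * RADIUS handler in deployerConfigContext.xml.
 */
class RadiusCuiPrincipalResolver extends AbstractPersonDirectoryCredentialsToPrincipalResolver {

    // The Access-Accept is attacker-reachable data as far as the principal is
    // concerned, so restrict what may become a principal id. Assumed shape;
    // tighten it to what the RADIUS source actually emits.
    private static final Pattern SAFE_ID = Pattern.compile("^[A-Za-z0-9._-]{1,64}$");

    public boolean supports(final Credentials credentials) {
        return credentials instanceof RadiusResolvedCredentials;
    }

    @Override
    protected String extractPrincipalId(final Credentials credentials) {
        final String cui = ((RadiusResolvedCredentials) credentials).getResolvedPrincipalId();
        if (cui != null && SAFE_ID.matcher(cui).matches()) {
            return cui;
        }
        // Fail closed: a missing or malformed CUI must not silently turn the
        // address typed into the form into the principal. Assumption: a null
        // id makes resolvePrincipal() produce no principal, which CAS treats
        // as a failed login; verify against your CAS version.
        return null;
    }
}
```

With this split the handler never rewrites getUsername(), so logs and the RADIUS User-Name attribute keep showing what the person typed while the principal handed to the Wiki is the identity RADIUS asserted. If you would rather fall back to the typed username when no CUI comes back, do it explicitly in extractPrincipalId() rather than by letting the original username leak through.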
