Hi David,

Thanks. I'm guessing that I would probably need a hybrid of the two, since the AuthenticationHandler in this case will receive updated information that must resolve to a Principal. :-/
I'll try it out and see if I can cook something up that will do what we need here...

Regards

Stefan
________________________________________
From: Ohsie, David [[email protected]]
Sent: Friday, July 12, 2013 8:39 PM
To: [email protected]
Subject: RE:[cas-dev] How to return updated principal to resolver when authenticator returns changed principal?

Stefan, please take all this with a grain of salt, as others on the list are more expert than me.

1) The AuthenticationHandler interface (what is implemented by the class below) just offers the ability to authenticate based on the Credentials. It does not offer (directly) the ability to generate the Principal, which is what you are wanting to do. For that, you need to implement a CredentialsToPrincipalResolver, which is called by CAS after the authenticator has succeeded. That interface has a method called "resolvePrincipal" that takes the credentials object and returns the Principal. So the best solution is to do this in a CredentialsToPrincipalResolver that will be called by CAS after the authentication succeeds. If you can move the code that figures out the username to that phase, that would be the best solution.

2) I do see a possible hack, which I would not advise you to use unless someone here confirms that it is OK. The UsernamePasswordCredentials object has a setUsername() method. You maybe could call that in your code to alter the Credentials object to include the desired username once the authentication has succeeded. Then the default org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver would get the principal from the username that you set in the credential object. If this works, I think that it is a hack, because I don't think that the authenticator is supposed to write to the Credentials object, but looking at the code, it might work.
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]
> Sent: Friday, July 12, 2013 8:53 AM
> To: [email protected]
> Subject: RE:[cas-dev] How to return updated principal to resolver when authenticator returns changed principal?
>
> Hi David,
>
> Thanks for that... For my case, I authenticate against a RADIUS source, and RADIUS returns me some attributes, of which one will contain the actual principal to use. I know I can extend the JRadiusServerImpl class, which will have access to the RADIUS AccessAccept packet and its attributes (I've experimented with that thus far and have got access to my attribute in question).
>
> I'm still puzzled by how I get the value of the attribute back to the Credentials object... do I update the UsernamePasswordCredentials object with that attribute's value? At the moment I'm still fiddling with CAS v3.5.2, so the interface of JRadiusServerImpl still uses an instance of UsernamePasswordCredentials in the authenticate() method. For v4.0.0, would I update the "username" String object?
>
> An example:
>
> I try to access a Wiki which is protected by CAS. I use '[email protected]' with password 'moon' as the username and password in the login form. This goes off to RADIUS. RADIUS returns, in the Access-Accept packet, an attribute called 'Chargeable-User-Identity', which contains the name 'winuser5567'. 'winuser5567' is the actual user that the Wiki should be using.
>
> Do I simply change my JRadiusServerImpl to say something like this in the authenticate() method:
>
>     public boolean authenticate(final UsernamePasswordCredentials usernamePasswordCredentials) {
>         final RadiusClient radiusClient = getNewRadiusClient();
>
>         // User-Name / User-Password attributes for the Access-Request
>         final AttributeList attributeList = new AttributeList();
>         attributeList.add(new Attr_UserName(usernamePasswordCredentials.getUsername()));
>         attributeList.add(new Attr_UserPassword(usernamePasswordCredentials.getPassword()));
>
>         final AccessRequest request = new AccessRequest(radiusClient, attributeList);
>
>         try {
>             final RadiusPacket response = radiusClient.authenticate(request, radiusAuthenticator, this.retries);
>
>             // accepted
>             if (response instanceof AccessAccept) {
>                 LOG.debug("Authentication request succeeded for host:"
>                         + this.inetAddress.getCanonicalHostName()
>                         + " and username " + usernamePasswordCredentials.getUsername());
>                 LOG.info("RADIUS response contained: " + response.toString());
>                 try {
>                     // pull the identity RADIUS wants us to use out of the Access-Accept
>                     final String returnedCUI = response.getAttributeValue("Chargeable-User-Identity");
>                     usernamePasswordCredentials.setUsername(returnedCUI);
>                 } catch (final UnknownAttributeException e) {
>                     LOG.error("No Chargeable-User-Identity attribute received");
>                 }
>                 return true;
>             }
>
>             // rejected
>             LOG.debug("Authentication request failed for host:"
>                     + this.inetAddress.getCanonicalHostName()
>                     + " and username " + usernamePasswordCredentials.getUsername());
>             return false;
>         } catch (final UnknownAttributeException e) {
>             throw new IllegalArgumentException("Passed an unknown attribute to RADIUS client: " + e.getMessage());
>         } catch (final RadiusException e) {
>             throw new IllegalStateException("Received response that puts RadiusClient into illegal state: " + e.getMessage());
>         }
>     }
>
> Or is there something more intricate involved?
>
> My apologies for possibly asking a very obvious question... The resolvers seem to work off the Credentials objects, so...
> *puzzled*
>
> Regards
>
> Stefan
>
> > -----Original Message-----
> > From: Ohsie, David [mailto:[email protected]]
> > Sent: 12 July 2013 13:10
> > To: [email protected]
> > Subject: RE:[cas-dev] How to return updated principal to resolver when authenticator returns changed principal?
> >
> > I think that would be done in the CredentialsToPrincipalResolver, which is called after the authentication:
> >
> > http://developer.jasig.org/projects/cas/cas-server-core/cas-server/cas-server-core/apidocs/org/jasig/cas/authentication/principal/CredentialsToPrincipalResolver.html
> >
> > There is a call "resolvePrincipal" that takes the credentials object and returns the Principal.
> >
> > If all you are doing is returning a different "username" and adding no "attributes", then I think that you can derive your class from this one:
> > http://developer.jasig.org/projects/cas/cas-server-core/cas-server/cas-server-core/apidocs/org/jasig/cas/authentication/principal/UsernamePasswordCredentialsToPrincipalResolver.html
> > and override the method "protected java.lang.String extractPrincipalId(Credentials credentials)".
> >
> > David Ohsie
> > Software Architect
> > EMC Corporation
> >
> > > -----Original Message-----
> > > From: [email protected]
> > > [mailto:[email protected]]
> > > Sent: Friday, July 12, 2013 5:28 AM
> > > To: [email protected]
> > > Subject: [cas-dev] How to return updated principal to resolver when authenticator returns changed principal?
> > >
> > > Hi,
> > >
> > > I'm working on a piece of infrastructure that might take a username and password, and when authentication is successful, return an updated principal to use. For example: Logging in with an email address and password may return a username that is not necessarily the username before the @ in the email address.
> > >
> > > How do I pass this updated principal back to the resolver/CAS to use instead of the principal it assumed it should use (and here I'm guessing it assumes it'll be the username before the @ in the email address)?
> > >
> > > Can someone help?
> > >
> > > Stefan Paetow
> > > Software Engineer
> > > +44 1235 778812
> > > Diamond Light Source Ltd.
> > > Diamond House, Harwell Science and Innovation Campus Didcot,
> > > Oxfordshire, OX11 0DE
> > >
> > > --
> > > This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail.
> > > Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd.
> > > Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message.
> > > Diamond Light Source Limited (company no. 4375679).
> > > Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
> > >
> > > --
> > > You are currently subscribed to [email protected] as: [email protected]
> > > To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
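Added example (not code from the thread, from Diamond Light Source, or from the CAS project): one way to build the "hybrid of the two" that Stefan mentions, against the CAS 3.5.x API used in this thread (AuthenticationHandler, CredentialsToPrincipalResolver, UsernamePasswordCredentials, SimplePrincipal). The handler records the identity that came back in the Access-Accept on a Credentials subclass without overwriting the username the user typed, and a dedicated resolver turns that recorded identity into the Principal. RadiusGateway and RadiusOutcome are hypothetical seams standing in for the JRadius round-trip (JRadiusServerImpl would sit behind them); the in-memory gateway in main() is constructed test data, not a real RADIUS server. Wiring is assumed, not shown: the login webflow's credentials variable would have to be declared as RadiusCuiCredentials and the handler/resolver pair registered in place of the defaults.

```java
import java.util.Collections;
import java.util.Map;
import java.util.regex.Pattern;

import org.jasig.cas.authentication.handler.AuthenticationHandler;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.CredentialsToPrincipalResolver;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.SimplePrincipal;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;

public class RadiusCuiExample {

    /** Credentials that can carry the identity RADIUS asserted; the typed username is left untouched. */
    public static class RadiusCuiCredentials extends UsernamePasswordCredentials {
        private static final long serialVersionUID = 1L;
        private String radiusIdentity;  // null until an Access-Accept carried a usable CUI

        public String getRadiusIdentity() { return radiusIdentity; }
        public void setRadiusIdentity(final String id) { this.radiusIdentity = id; }
    }

    /** Hypothetical: what a JRadius wrapper hands back, accept/reject plus the CUI attribute if present. */
    public static final class RadiusOutcome {
        final boolean accepted;
        final String chargeableUserIdentity;  // null when the attribute was absent
        RadiusOutcome(final boolean accepted, final String cui) {
            this.accepted = accepted;
            this.chargeableUserIdentity = cui;
        }
    }

    /** Hypothetical seam around the RADIUS round-trip. */
    public interface RadiusGateway {
        RadiusOutcome authenticate(String username, String password);
    }

    public static class RadiusCuiAuthenticationHandler implements AuthenticationHandler {
        // A CUI should be a bare account name; refuse anything that could smuggle separators into the session.
        private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9._-]{1,64}");
        private final RadiusGateway radius;
        private final boolean requireCui;  // fail closed when RADIUS accepts but names no identity

        public RadiusCuiAuthenticationHandler(final RadiusGateway radius, final boolean requireCui) {
            this.radius = radius;
            this.requireCui = requireCui;
        }

        public boolean authenticate(final Credentials credentials) {
            final RadiusCuiCredentials c = (RadiusCuiCredentials) credentials;
            c.setRadiusIdentity(null);  // never carry an identity over from an earlier attempt
            final RadiusOutcome outcome = radius.authenticate(c.getUsername(), c.getPassword());
            if (!outcome.accepted) {
                return false;
            }
            final String cui = outcome.chargeableUserIdentity;
            if (cui != null && SAFE_ID.matcher(cui).matches()) {
                c.setRadiusIdentity(cui);  // trusted because it arrived in the Access-Accept, not from the login form
                return true;
            }
            return !requireCui;  // accepted, but there is no identity to switch to
        }

        public boolean supports(final Credentials credentials) {
            return credentials instanceof RadiusCuiCredentials;
        }
    }

    public static class RadiusCuiCredentialsToPrincipalResolver implements CredentialsToPrincipalResolver {
        public Principal resolvePrincipal(final Credentials credentials) {
            final RadiusCuiCredentials c = (RadiusCuiCredentials) credentials;
            final String id = c.getRadiusIdentity() != null ? c.getRadiusIdentity() : c.getUsername();
            // Keep the name that was actually typed as an attribute so the audit trail shows the mapping.
            final Map<String, Object> attrs =
                    Collections.<String, Object>singletonMap("loginName", c.getUsername());
            return new SimplePrincipal(id, attrs);
        }

        public boolean supports(final Credentials credentials) {
            return credentials instanceof RadiusCuiCredentials;
        }
    }

    /** Stand-alone run against a constructed in-memory stand-in for RADIUS. */
    public static void main(final String[] args) {
        final RadiusGateway fakeRadius = new RadiusGateway() {
            public RadiusOutcome authenticate(final String user, final String pass) {
                if ("[email protected]".equals(user) && "moon".equals(pass)) {
                    return new RadiusOutcome(true, "winuser5567");  // Access-Accept with Chargeable-User-Identity
                }
                return new RadiusOutcome(false, null);  // Access-Reject
            }
        };
        final AuthenticationHandler handler = new RadiusCuiAuthenticationHandler(fakeRadius, true);
        final CredentialsToPrincipalResolver resolver = new RadiusCuiCredentialsToPrincipalResolver();

        final RadiusCuiCredentials creds = new RadiusCuiCredentials();
        creds.setUsername("[email protected]");
        creds.setPassword("moon");
        if (handler.authenticate(creds)) {
            System.out.println("principal = " + resolver.resolvePrincipal(creds).getId());
        }
    }
}
```

The point of the split is that the only thing allowed to decide the principal id is the identity that RADIUS itself asserted inside an Access-Accept (whose integrity JRadius checks against the shared secret), never the string the user typed; the resolver's fallback to the typed username is there for deployments that set requireCui to false and accept a RADIUS server that does not always send the attribute, and should be switched off where the Wiki must only ever see the mapped account name.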
