The techniques on this page might be useful. Here attributes are taken from the servlet request and stashed away where they can be used later in a CredentialsToPrincipalResolver:
https://wiki.jasig.org/display/PDM15/Request+Header+Attribute+Source

> -----Original Message-----
> From: stefan.pae...@diamond.ac.uk [mailto:stefan.pae...@diamond.ac.uk]
> Sent: Friday, July 12, 2013 3:58 PM
> To: cas-dev@lists.jasig.org
> Subject: RE:[cas-dev] How to return updated principal to resolver when authenticator returns changed principal?
>
> Hi David,
>
> Thanks. I'm guessing that I would probably need a hybrid of the two since the
> AuthenticationHandler in this case will receive updated information that
> must resolve to a Principal. :-/
>
> I'll try it out and see if I can cook something up that will do what we need
> here...
>
> Regards
>
> Stefan
>
> ________________________________________
> From: Ohsie, David [david.oh...@emc.com]
> Sent: Friday, July 12, 2013 8:39 PM
> To: cas-dev@lists.jasig.org
> Subject: RE:[cas-dev] How to return updated principal to resolver when authenticator returns changed principal?
>
> Stefan, please take all this with a grain of salt as others on the list are more
> expert than me.
>
> 1) The AuthenticationHandler interface (what is implemented by the class
> below) just offers the ability to authenticate based on the Credentials. It
> does not offer (directly) the ability to generate the Principal, which is what
> you are wanting to do. For that, you need to implement a
> CredentialsToPrincipalResolver which is called by CAS after the authenticator
> succeeded. That interface has a method called "resolvePrincipal" that takes
> the credentials object and returns the Principal. So the best solution is to do
> this in a CredentialsToPrincipalResolver that will be called by CAS after the
> authentication succeeds. If you can move the code that figures out the
> username to that phase, that would be the best solution.
>
> 2) I do see a possible hack which I would not advise you to use unless
> someone here confirms that it is OK. The UsernamePasswordCredentials
> object has a setUsername() method. You maybe could call that in your code
> to alter the Credentials object to include the desired username once the
> authentication has succeeded. Then the default
> org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver
> would get the principal from the username that you set in the
> credential object. If this works, I think that it is a hack, because I don't think
> that the authenticator is supposed to write to the Credentials object, but
> looking at the code, it might work.
>
> > -----Original Message-----
> > From: stefan.pae...@diamond.ac.uk [mailto:stefan.pae...@diamond.ac.uk]
> > Sent: Friday, July 12, 2013 8:53 AM
> > To: cas-dev@lists.jasig.org
> > Subject: RE:[cas-dev] How to return updated principal to resolver when authenticator returns changed principal?
> >
> > Hi David,
> >
> > Thanks for that... For my case, I authenticate against a RADIUS source, and
> > RADIUS returns me some attributes of which one will contain the actual
> > principal to use. I know I can extend the JRadiusServerImpl class which will
> > have access to the RADIUS AccessAccept packet and its attributes (I've
> > experimented with that thus far and have got access to my attribute in
> > question).
> >
> > I'm still puzzled by how I get the value of the attribute back to the Credentials
> > object... do I update the UsernamePasswordCredentials object with that
> > attribute's value? At the moment I'm still fiddling with CAS v3.5.2, so the
> > interface of JRadiusServerImpl still uses an instance of
> > UsernamePasswordCredentials in the authenticate() method. For v4.0.0,
> > would I update the "username" String object?
> >
> > An example:
> >
> > I try to access a Wiki which is protected by CAS. I use 'b...@blah.org'
> > with password 'moon' as the username and password in the login form.
> > This goes off to RADIUS. RADIUS returns, in the Access-Accept packet,
> > an attribute called 'Chargeable-User-Identity', which contains the name
> > 'winuser5567'. 'winuser5567' is the actual user that the Wiki should be using.
> >
> > Do I simply change my JRadiusServerImpl to say something like this in the
> > authenticate() method:
> >
> > public boolean authenticate(
> >         final UsernamePasswordCredentials usernamePasswordCredentials) {
> >     final RadiusClient radiusClient = getNewRadiusClient();
> >
> >     final AttributeList attributeList = new AttributeList();
> >     attributeList.add(new Attr_UserName(usernamePasswordCredentials.getUsername()));
> >     attributeList.add(new Attr_UserPassword(usernamePasswordCredentials.getPassword()));
> >
> >     final AccessRequest request = new AccessRequest(radiusClient, attributeList);
> >
> >     try {
> >         final RadiusPacket response = radiusClient.authenticate(request,
> >                 radiusAuthenticator, this.retries);
> >
> >         // accepted
> >         if (response instanceof AccessAccept) {
> >             LOG.debug("Authentication request succeeded for host:"
> >                     + this.inetAddress.getCanonicalHostName()
> >                     + " and username "
> >                     + usernamePasswordCredentials.getUsername());
> >             LOG.info("RADIUS response contained: " + response.toString());
> >             try {
> >                 String returnedCUI = response.getAttributeValue("Chargeable-User-Identity");
> >                 usernamePasswordCredentials.setUsername(returnedCUI);
> >             } catch (final UnknownAttributeException e) {
> >                 LOG.error("No Chargeable-User-Identity attribute received");
> >             }
> >             return true;
> >         }
> >
> >         // rejected
> >         LOG.debug("Authentication request failed for host:"
> >                 + this.inetAddress.getCanonicalHostName() + " and username "
> >                 + usernamePasswordCredentials.getUsername());
> >         return false;
> >     } catch (final UnknownAttributeException e) {
> >         throw new IllegalArgumentException(
> >                 "Passed an unknown attribute to RADIUS client: " + e.getMessage());
> >     } catch (final RadiusException e) {
> >         throw new IllegalStateException(
> >                 "Received response that puts RadiusClient into illegal state: "
> >                 + e.getMessage());
> >     }
> > }
> >
> > Or is there something more intricate involved?
> >
> > My apologies for possibly asking a very obvious question... The
> > resolvers seem to work off the Credentials objects, so... *puzzled*
> >
> > Regards
> >
> > Stefan
> >
> > > -----Original Message-----
> > > From: Ohsie, David [mailto:david.oh...@emc.com]
> > > Sent: 12 July 2013 13:10
> > > To: cas-dev@lists.jasig.org
> > > Subject: RE:[cas-dev] How to return updated principal to resolver when authenticator returns changed principal?
> > >
> > > I think that would be done in the CredentialsToPrincipalResolver
> > > which is called after the authentication:
> > >
> > > http://developer.jasig.org/projects/cas/cas-server-core/cas-server/cas-server-core/apidocs/org/jasig/cas/authentication/principal/CredentialsToPrincipalResolver.html
> > >
> > > There is a call "resolvePrincipal" that takes the credentials object
> > > and returns the Principal.
> > >
> > > If all you are doing is returning a different "username" and adding
> > > no "attributes", then I think that you can derive your class from
> > > this one:
> > > http://developer.jasig.org/projects/cas/cas-server-core/cas-server/cas-server-core/apidocs/org/jasig/cas/authentication/principal/UsernamePasswordCredentialsToPrincipalResolver.html
> > > and override the method "protected
> > > java.lang.String extractPrincipalId(Credentials credentials)".
> > >
> > > David Ohsie
> > > Software Architect
> > > EMC Corporation
> > >
> > > > -----Original Message-----
> > > > From: stefan.pae...@diamond.ac.uk [mailto:stefan.pae...@diamond.ac.uk]
> > > > Sent: Friday, July 12, 2013 5:28 AM
> > > > To: cas-dev@lists.jasig.org
> > > > Subject: [cas-dev] How to return updated principal to resolver when authenticator returns changed principal?
> > > >
> > > > Hi,
> > > >
> > > > I'm working on a piece of infrastructure that might take a username and
> > > > password, and when authentication is successful, return an updated principal
> > > > to use. For example: Logging in with an email address and password may
> > > > return a username that is not necessarily the username before the @ in the
> > > > email address.
> > > >
> > > > How do I pass this updated principal back to the resolver/CAS to use instead
> > > > of the principal it assumed it should use (and here I'm guessing it assumes it'll
> > > > be the username before the @ in the email address)?
> > > >
> > > > Can someone help?
> > > >
> > > > Stefan Paetow
> > > > Software Engineer
> > > > +44 1235 778812
> > > > Diamond Light Source Ltd.
> > > > Diamond House, Harwell Science and Innovation Campus, Didcot,
> > > > Oxfordshire, OX11 0DE
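An added example of David's first option (not code from this thread, from CAS or from JRadius): a resolver that picks up the Chargeable-User-Identity the RADIUS handler saw, instead of the handler calling setUsername() on the credentials. It assumes the CAS 3.5.2 class names quoted in the thread, that JRadiusServerImpl.authenticate() calls rememberCui() in place of setUsername(), and that CAS runs the handler and the resolver on the same thread (true of AuthenticationManagerImpl in 3.5, but an assumption here).

```java
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver;

/**
 * Prefers the Chargeable-User-Identity returned by RADIUS over the username
 * the user typed, without the handler ever writing to the Credentials object.
 * Assumes handler and resolver run on the same thread (CAS 3.5), so a
 * ThreadLocal can carry the value between them. Configure it in
 * deployerConfigContext.xml instead of the default resolver.
 */
public class CuiCredentialsToPrincipalResolver
        extends UsernamePasswordCredentialsToPrincipalResolver {

    /** What the handler stashed, tied to the exact credential instance it saw. */
    private static final class Stash {
        final Credentials owner;
        final String cui;
        Stash(final Credentials owner, final String cui) { this.owner = owner; this.cui = cui; }
    }

    private static final ThreadLocal<Stash> STASH = new ThreadLocal<Stash>();

    /**
     * Called from JRadiusServerImpl.authenticate() after an Access-Accept, in
     * place of usernamePasswordCredentials.setUsername(returnedCUI). Blank
     * values are dropped so an empty attribute can never become the principal.
     */
    public static void rememberCui(final Credentials owner, final String cui) {
        if (cui == null || cui.trim().length() == 0) {
            STASH.remove();
            return;
        }
        STASH.set(new Stash(owner, cui.trim()));
    }

    @Override
    protected String extractPrincipalId(final Credentials credentials) {
        final Stash s = STASH.get();
        STASH.remove();   // one-shot: nothing survives to the next login on this pooled thread
        // Honour the stash only if it belongs to this very credential object; a value
        // left behind by an earlier login on the same thread is ignored, not reused.
        if (s != null && s.owner == credentials) {
            return s.cui;                       // e.g. 'winuser5567'
        }
        // No CUI from RADIUS: fall back to the typed username, as the default resolver does.
        return ((UsernamePasswordCredentials) credentials).getUsername();
    }
}
```

The inherited supports() already restricts this resolver to UsernamePasswordCredentials, so the cast in extractPrincipalId is safe.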