Hi, I've done more testing on CAS server 4.0.0-RC2 and get a strange behaviour. I hope I'm mistaken.

I wanted to test the /serviceValidate response, so I set a service with anonymousAccess = true and ignoreAttributes = false. I was expecting to get a response with an anonymous identifier and no attributes, but I get a real identifier and all attributes.

I did some debugging here: https://github.com/Jasig/cas/blob/master/cas-server-core/src/main/java/org/jasig/cas/CentralAuthenticationServiceImpl.java#L451 . At that point, the *modifiedPrincipal* is good (anonymous identifier and no attributes), but the first principal of the chained authentications has a real identifier and all attributes. Is this the expected behaviour, to keep the "real" principal in the chained authentications of the TGT?

The problem is that the success JSP (https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/3.0/casServiceValidationSuccess.jsp#L39) uses this principal of the last chained authentication instead of the primary principal (in the Assertion: https://github.com/Jasig/cas/blob/master/cas-server-webapp-support/src/main/java/org/jasig/cas/web/ServiceValidateController.java#L146) to return the attributes. Shouldn't we use the primary authentication here?

By the way, I used an attribute name with a French accent and it doesn't work, as the attribute name is output directly in the XML response: <cas:prénom>... Do we assume that it should never happen? Or clean attribute names?

Thanks for your help.

Best regards,
Jérôme
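The two behaviours the post contrasts, as an added example that is not CAS code and not part of the original message. The Principal/Authentication/Assertion classes, the anonymous identifier and the attribute values are a constructed stand-in for the objects the post describes: the assertion's primary authentication carries the principal that was rewritten for the service (anonymous id, attributes filtered), while the chained authentications stored on the TGT still hold the real principal with every attribute. One renderer reads the last chained authentication, as the post says the 3.0 success JSP does; the other reads the primary authentication, as the post proposes. The renderer also refuses attribute names that are not XML NCNames instead of writing them straight into the markup; note that by the XML 1.0 grammar `prénom` is a valid NCName, so a name check alone would pass it.

```python
"""Render a CAS 3.0 /serviceValidate success body from an assertion.

Added example, not CAS's own code.  The classes below are a hypothetical
model of the objects discussed in the post, not the CAS API.
"""
import re
from dataclasses import dataclass, field
from xml.sax.saxutils import escape


@dataclass
class Principal:
    id: str
    attributes: dict = field(default_factory=dict)


@dataclass
class Authentication:
    principal: Principal


@dataclass
class Assertion:
    primary_authentication: Authentication   # principal rewritten for the service
    chained_authentications: list            # authentications stored on the TGT


# XML 1.0 (5th ed.) NCName: a Name without ':'.  The attribute name becomes the
# local part of <cas:NAME>, so a ':' in it would smuggle in a second prefix.
_NC_START = ("A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D"
             "\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF"
             "\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\U00010000-\U000EFFFF")
_NC_REST = _NC_START + "\\-.0-9\u00B7\u0300-\u036F\u203F-\u2040"
_NCNAME = re.compile("^[%s][%s]*$" % (_NC_START, _NC_REST))


def is_ncname(name):
    """True if `name` may be used as the local part of an element name."""
    return bool(_NCNAME.match(name))


def render_success(user, attributes):
    """Serialize the CAS 3.0 success body; values are XML-escaped and
    attribute names that are not NCNames are rejected, not emitted raw."""
    lines = ["<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>",
             "  <cas:authenticationSuccess>",
             "    <cas:user>%s</cas:user>" % escape(user)]
    if attributes:
        lines.append("    <cas:attributes>")
        for name, value in attributes.items():
            if not is_ncname(name):
                raise ValueError("attribute name is not an XML NCName: %r" % name)
            lines.append("      <cas:%s>%s</cas:%s>" % (name, escape(str(value)), name))
        lines.append("    </cas:attributes>")
    lines += ["  </cas:authenticationSuccess>", "</cas:serviceResponse>"]
    return "\n".join(lines)


def render_from_last_chained(assertion):
    """What the post says the success JSP does: take the principal of the
    last chained authentication, i.e. the one stored on the TGT."""
    p = assertion.chained_authentications[-1].principal
    return render_success(p.id, p.attributes)


def render_from_primary(assertion):
    """What the post proposes: take the assertion's primary authentication,
    whose principal was already rewritten for this service."""
    p = assertion.primary_authentication.principal
    return render_success(p.id, p.attributes)


# Constructed sample modelled on the post's test: a service registered with
# anonymousAccess=true and ignoreAttributes=false.  Ids and values are made up.
REAL = Principal("jerome", {"mail": "jerome@example.org", "prenom": "Jérôme"})
ANON = Principal("a1b2c3d4-anon", {})   # hypothetical anonymous identifier
ASSERTION = Assertion(primary_authentication=Authentication(ANON),
                      chained_authentications=[Authentication(REAL)])


def leaks_real_principal(body):
    """True if a response body exposes the real id or any real attribute."""
    return REAL.id in body or any("<cas:%s>" % n in body for n in REAL.attributes)


if __name__ == "__main__":
    print(render_from_last_chained(ASSERTION))   # real id and all attributes
    print(render_from_primary(ASSERTION))        # anonymous id, no attributes
    print(is_ncname("prénom"), is_ncname("given name"), is_ncname("x:y"))
```

Running it shows the leak directly: the body built from the chained authentication carries `jerome` and the `mail`/`prenom` elements, the body built from the primary authentication carries only the anonymous id. Since `prénom` passes the NCName check, a client choking on `<cas:prénom>` is worth examining for a charset mismatch on the response before blaming the name itself; that is a suggestion for diagnosis, not something the thread establishes.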
