Hi,

Thanks for your feedback. Tests are really necessary on these behaviours to avoid breaking things.

I opened JIRA CAS-1362: I will fix it as soon as possible. CAS-1348 might be related also.

Thanks.
Best,
Jérôme

2013/9/25 Marvin Addison <[email protected]>

> > I did some debugging here:
> > https://github.com/Jasig/cas/blob/master/cas-server-core/src/main/java/org/jasig/cas/CentralAuthenticationServiceImpl.java#L451
> > At that point, the modifiedPrincipal is good (anonymous identifier and no
> > attributes) but the first principal of the chained authentications is with a
> > real identifier and all attributes.
>
> We probably need both a canonical principal name, which could simply
> be that resolved by the PrincipalResolver, and the set of
> authentications as seen by clients. I believe the intent is for
> chained authentications to reflect the latter, but I'm uncertain we
> have a slot for the former.

*I keep that in mind: I'll dive into the code to be sure of my understanding...*

> > Is this the expected behaviour? To keep the "real" principal in the chained
> > authentications of the TGT?
>
> I don't think so. We should record the view of data sent to the
> clients in the chained authentications.

*My idea also.*

> > Shouldn't we use the primary authentication here?
>
> We should use whatever provides the data that would be expected by the
> service manager, namely anonymized principal and no attributes. That
> should have been computed and stored upstream, no?

*It's already properly computed in the primary principal but the principal stored in the chained authentications is the raw one.*

> M
