Thanks. I updated the Authentication Manager configuration to read:
<entry key-ref="primaryAuthenticationHandler" value="#{null}" />
I am not sure how I how or where I would "ensure you are pointing to the
correct endpoint for attributes, whether that is SAML or CAS", so I'm not
sure about that
My Authentication Handler is setting attributes using:
final Map<String, Object> attributes = new HashMap<>();
attributes.put("abc", "123");
attributes.put("def", "456");
return createHandlerResult(credential,
this.principalFactory.createPrincipal(username), null);
But I am still getting the username in my Validation Response:
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas";>
<cas:authenticationSuccess>
<cas:user>john</cas:user>
</cas:authenticationSuccess>
</cas:serviceResponse>
Here is my service definiteion:
{
"@class" : "org.jasig.cas.services.RegexRegisteredService",
"serviceId" : "^http://localhost/bonfire/cas/.*";,
"name" : "Bonfire Development",
"id" : 10000017,
"description" : "Bonfire Development CAS Single Sign-On 2",
"proxyPolicy" : {
"@class" : "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy"
},
"evaluationOrder" : 0,
"usernameAttributeProvider" : {
"@class" :
"org.jasig.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute" : "def"
},
"attributeReleasePolicy" : {
"@class" : "org.jasig.cas.services.ReturnAllAttributeReleasePolicy"
},
"logoutType" : "BACK_CHANNEL"
Here is my entire deployerConfigContext.xml;
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:p="http://www.springframework.org/schema/p";
xmlns:c="http://www.springframework.org/schema/c";
xmlns:tx="http://www.springframework.org/schema/tx";
xmlns:util="http://www.springframework.org/schema/util";
xmlns:sec="http://www.springframework.org/schema/security";
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util.xsd";>
<bean id="authenticationManager"
class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
<constructor-arg>
<map>
<entry key-ref="proxyAuthenticationHandler"
value-ref="proxyPrincipalResolver" />
<entry key-ref="primaryAuthenticationHandler"
value="#{null}" />
</map>
</constructor-arg>
<property name="authenticationPolicy">
<bean
class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
</property>
</bean>
<!-- Required for proxy ticket mechanism. -->
<bean id="proxyAuthenticationHandler"
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="supportsTrustStoreSslSocketFactoryHttpClient" />
<bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="net.sourceforge.jtds.jdbc.Driver"/>
<property name="url"
value="jdbc:jtds:sqlserver://localhost/Bonfire;integrated security=false"/>
<property name="username" value="xxxxx"/>
<property name="password" value="xxxxxxxxxxxx"/>
</bean>
<bean id="primaryAuthenticationHandler"
class="org.jasig.cas.adaptors.jdbc.BonfireAuthenticationHandler"
p:dataSource-ref="dataSource"
p:sql="EXEC dbo.LoginAuthenticateCAS ?, ?, ?"
/>
<!-- Required for proxy ticket mechanism -->
<bean id="proxyPrincipalResolver"
class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
<bean id="primaryPrincipalResolver"
class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver"
p:principalFactory-ref="principalFactory" />
<bean id="serviceRegistryDao"
class="org.jasig.cas.services.JsonServiceRegistryDao"
c:configDirectory="${service.registry.config.location:classpath:services}"
/>
<bean id="auditTrailManager"
class="org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
<bean id="healthCheckMonitor"
class="org.jasig.cas.monitor.HealthCheckMonitor"
p:monitors-ref="monitorsList" />
<util:list id="monitorsList">
<bean class="org.jasig.cas.monitor.MemoryMonitor"
p:freeMemoryWarnThreshold="10" />
<bean class="org.jasig.cas.monitor.SessionMonitor"
p:ticketRegistry-ref="ticketRegistry"
p:serviceTicketCountWarnThreshold="5000"
p:sessionCountWarnThreshold="100000" />
</util:list>
</beans>
On Wed, Jan 6, 2016 at 2:54 PM, Misagh Moayyed <mmoay...@unicon.net> wrote:
> You do not need to define an attribute repository at all. Your attribute
> repository *is* your handler, since it’s acting as a repository of user
> attributes for you. (It is possible to merge the attributes your handler
> returns and the attributes of a separate repository, but I don’t think you
> want that in this case)
>
>
>
> So, you need to ensure:
>
>
>
> 1. Your attribute repository is nulled out, and its associated
> resolver is nulled out. See
> https://jasig.github.io/cas/4.1.x/installation/Configuring-Principal-Resolution.html#principalresolver-vs-authenticationhandler
>
> 2. You need to ensure you are pointing to the correct endpoint for
> attributes, whether that is SAML or CAS.
>
>
>
> If none of that works, change your log levels for org.jasig.cas to DEBUG
> and that should tell you the full story.
>
>
>
> *From:* brues...@gmail.com [mailto:brues...@gmail.com] *On Behalf Of *John
> Bruestle
> *Sent:* Wednesday, January 6, 2016 12:14 PM
> *To:* Misagh Moayyed <mmoay...@unicon.net>
> *Cc:* CAS Community <cas-user@apereo.org>
>
> *Subject:* Re: [cas-user] Returning userid in Validation Response
>
>
>
> I wasn't erally expecting to change the username provided, although that
> would be OK. I was just expecting to add an other data item to what the
> validation response returnd.
>
>
>
> Anyway, I tried changing to:
>
>
>
> "usernameAttributeProvider" : {
>
> "@class" :
> "org.jasig.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>
> "usernameAttribute" : "def"
>
> },
>
> "attributeReleasePolicy" : {
>
> "@class" :
> "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
>
> "allowedAttributes" : [ "java.util.ArrayList", [ "cn", "abc", "def" ] ]
>
> },
>
>
>
> And I am still not seeing the test "def" attribute I created in my
> Authentication Handler by going:
>
>
>
> final Map<String, Object> attributes = new
> HashMap<>();
>
> attributes.put("abc", "123");
>
> attributes.put("def", "456");
>
>
>
> I do wonder if I am suppose to be defining a different attribute
> repository. Right now my deployerConfigContext.xml contains:
>
>
>
> <bean id="attributeRepository"
> class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"
>
> p:backingMap-ref="attrRepoBackingMap" />
>
>
>
> <util:map id="attrRepoBackingMap">
>
> <entry key="uid" value="uid" />
>
> <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
>
> <entry key="groupMembership" value="groupMembership" />
>
> <entry>
>
> <key><value>memberOf</value></key>
>
> <list>
>
> <value>faculty</value>
>
> <value>staff</value>
>
> <value>org</value>
>
> </list>
>
> </entry>
>
> </util:map>
>
>
>
>
>
>
>
> On Wed, Jan 6, 2016 at 2:01 AM, Misagh Moayyed <mmoay...@unicon.net>
> wrote:
>
> Because you told your service to use the default CAS behavior when
> returning usernames, via: "@class" :
> "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
>
> You never told it which attribute should be used as the username. It
> cannot know that without your direct instructions.
>
>
>
> If you go back to the original link I sent you, that should help describe
> what options are available for providing usernames for registered services.
> Pick the one that works on an attribute.
>
>
>
> *From:* John Bruestle [mailto:brues...@gmail.com]
> *Sent:* Tuesday, January 5, 2016 3:19 PM
> *To:* CAS Community <cas-user@apereo.org>
> *Cc:* mmoay...@unicon.net
>
> *Subject:* Re: [cas-user] Returning userid in Validation Response
>
>
>
> Thank you for your help. I think I am getting closer:
>
>
>
> As a test, I changed the bottom of my AuthenticationHandler to:
>
>
>
> final Map<String, Object> attributes = new
> HashMap<>();
>
> attributes.put("abc", "123");
>
> attributes.put("def", "456");
>
>
>
> return createHandlerResult(credential,
> this.principalFactory.createPrincipal(username,attributes), null)
>
>
>
> And I updated the service definition to:
>
>
>
> {
>
> "@class" : "org.jasig.cas.services.RegexRegisteredService",
>
> "serviceId" : "^http://localhost/bonfire/cas/.*";,
>
> "name" : "Bonfire Development",
>
> "id" : 10000017,
>
> "description" : "Bonfire Development CAS Single Sign-On",
>
> "proxyPolicy" : {
>
> "@class" : "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy"
>
> },
>
> "evaluationOrder" : 0,
>
> "usernameAttributeProvider" : {
>
> "@class" :
> "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
>
> },
>
> "logoutType" : "BACK_CHANNEL",
>
> "attributeReleasePolicy" : {
>
> "@class" : "org.jasig.cas.services.*ReturnAllAttributeReleasePolic*y"
>
> },
>
> "accessStrategy" : {
>
> "@class" :
> "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
>
> "enabled" : true,
>
> "ssoEnabled" : true
>
> }
>
> }
>
>
>
> Only problem is that I am still just seeing only the the "user" attribute
> in the validation response. Is there something more I need to configure?
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> On Tuesday, January 5, 2016 at 1:16:21 PM UTC-5, Misagh Moayyed wrote:
>
> Since you are on 4.1, your authentication handler is able to create the
> principal with all the attributes it needs. So, as long as your handler is
> stuffing that attribute into the final Principal that is created, you
> should be able to dictate to a service that the attribute should be used in
> the final response.
>
>
>
> See this as an example of how LDAP AuthN adds attributes:
>
>
> https://github.com/Jasig/cas/blob/4.1.x/cas-server-support-ldap/src/main/java/org/jasig/cas/authentication/LdapAuthenticationHandler.java#L196
>
>
>
> Have yours do the same. You simply need to decide what the attribute name
> should be, and stuff it into a map that the principal carries for
> attributes.
>
>
>
> This is also relevant:
>
>
> https://jasig.github.io/cas/4.1.x/installation/Configuring-Principal-Resolution.html#principalresolver-vs-authenticationhandler
>
>
>
> *From:* cas-...@apereo.org [mailto:cas-...@apereo.org <cas-...@apereo.org>]
> *On Behalf Of *John Bruestle
> *Sent:* Tuesday, January 5, 2016 11:11 AM
> *To:* CAS Community <cas-...@apereo.org>
> *Cc:* mmoa...@unicon.net
> *Subject:* Re: [cas-user] Returning userid in Validation Response
>
>
>
> Thanks. Yes, that tells me how to configure the response so it will show
> the specific attributes I want, but it doesn't tell me how to create the
> attributes. In my case, I'm getting a userid returned by the store
> procedure I'm calling in my AuthenticationHandler, when authenticating.
> I'd like to add code there, at the point that I know the userid, to store
> (resolve?) it as an attribute. How do I do that?
>
>
>
>
>
> On Tuesday, January 5, 2016 at 12:28:38 PM UTC-5, Misagh Moayyed wrote:
>
> See if this helps:
>
> https://jasig.github.io/cas/4.1.x/integration/Attribute-Release.html
>
>
>
> Section “Principal-Id Attribute”.
>
>
>
> *From:* cas-...@apereo.org [mailto:cas-...@apereo.org <cas-...@apereo.org>]
> *On Behalf Of *John Bruestle
> *Sent:* Tuesday, January 5, 2016 9:02 AM
> *To:* CAS Community <cas-...@apereo.org>
> *Subject:* [cas-user] Returning userid in Validation Response
>
>
>
> My system's usernames used for logins are not the same as the unique
> userid's used by the database. In fact, usernames aren't necessarily
> unique and sometimes require the password to determine the specific
> userid. I need my validation response to return the userid.
>
>
>
> I already have a custom AuthenticationHandler, which implements
> AbstractJdbcUsernamePasswordAuthenticationHandler, that is correctly
> authenticating using a MSSQL stored procedure. One of the byproducts of
> calling the procedure is the userid, so that in the AuthenticationHandler
> we do know what the userid is.
>
>
>
> From my reading, it seems that there may be a way to store the userid away
> as an attribute, which could later be used as part of the validation
> response. I'm stuck however trying to figure out how to do this. I would
> appreciate some pointers, especially if they came with the specific XML
> files I need to modify and the functions I should call from within my
> AuthenticationHandler to store the attribute.
>
>
>
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+u...@apereo.org.
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+u...@apereo.org.
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
>
>
>
>
>
> --
>
> John Bruestle
> j...@retechnologies.com
> (609) 737-7250
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
>
--
John Bruestle
j...@retechnologies.com
(609) 737-7250
--
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
