Without the use of a client library.

On Wed, Jan 6, 2016 at 5:11 PM, John Bruestle <[email protected]> wrote:
> I'm calling: /serviceValidate
>
> On Wed, Jan 6, 2016 at 4:46 PM, Dmitriy Kopylenko <[email protected]> wrote:
>
>> Are you manually calling the CAS server validation endpoint or using a CAS
>> client library? In other words - how do you get that validation XML
>> response that you are showing?
>>
>> A few pointers - for validation, CAS4 has 4 (I believe off the top of my head):
>>
>> 1) Legacy: /validate
>> 2) CAS2 protocol: /serviceValidate
>> 3) CAS3 protocol: /p3/serviceValidate
>> 4) SAML: /samlValidate
>>
>> There is also the proxy validation stuff, but let's skip that for this
>> conversation.
>>
>> Attributes in the validation response are only supported by the SAML and p3
>> endpoints. I think you'd need to make sure you configure your CAS client
>> library to use that. And I only know that the latest CAS Java client supports
>> p3 validation, but have no idea of any other client libraries updated to
>> support that.
>>
>> Hope that gives you a few more pointers.
>>
>> Best,
>> Dmitriy.
>>
>> Sent from my iPhone
>>
>> On Jan 6, 2016, at 16:34, John Bruestle <[email protected]> wrote:
>>
>> Thanks.
>> I updated the Authentication Manager configuration to read:
>>
>>     <entry key-ref="primaryAuthenticationHandler" value="#{null}" />
>>
>> I am not sure how or where I would "ensure you are pointing to the
>> correct endpoint for attributes, whether that is SAML or CAS", so I'm not
>> sure about that.
>>
>> My Authentication Handler is setting attributes using:
>>
>>     final Map<String, Object> attributes = new HashMap<>();
>>     attributes.put("abc", "123");
>>     attributes.put("def", "456");
>>     return createHandlerResult(credential,
>>             this.principalFactory.createPrincipal(username), null);
>>
>> But I am still getting the username in my Validation Response:
>>
>>     <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
>>       <cas:authenticationSuccess>
>>         <cas:user>john</cas:user>
>>       </cas:authenticationSuccess>
>>     </cas:serviceResponse>
>>
>> Here is my service definition:
>>
>>     {
>>       "@class" : "org.jasig.cas.services.RegexRegisteredService",
>>       "serviceId" : "^http://localhost/bonfire/cas/.*",
>>       "name" : "Bonfire Development",
>>       "id" : 10000017,
>>       "description" : "Bonfire Development CAS Single Sign-On 2",
>>       "proxyPolicy" : {
>>         "@class" : "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy"
>>       },
>>       "evaluationOrder" : 0,
>>       "usernameAttributeProvider" : {
>>         "@class" : "org.jasig.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>>         "usernameAttribute" : "def"
>>       },
>>       "attributeReleasePolicy" : {
>>         "@class" : "org.jasig.cas.services.ReturnAllAttributeReleasePolicy"
>>       },
>>       "logoutType" : "BACK_CHANNEL"
>>     }
>>
>> Here is my entire deployerConfigContext.xml:
>>
>>     <?xml version="1.0" encoding="UTF-8"?>
>>
>>     <beans xmlns="http://www.springframework.org/schema/beans"
>>            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>            xmlns:p="http://www.springframework.org/schema/p"
>>            xmlns:c="http://www.springframework.org/schema/c"
>>            xmlns:tx="http://www.springframework.org/schema/tx"
>>            xmlns:util="http://www.springframework.org/schema/util"
>>            xmlns:sec="http://www.springframework.org/schema/security"
>>            xsi:schemaLocation="http://www.springframework.org/schema/beans
>>                                http://www.springframework.org/schema/beans/spring-beans.xsd
>>                                http://www.springframework.org/schema/tx
>>                                http://www.springframework.org/schema/tx/spring-tx.xsd
>>                                http://www.springframework.org/schema/security
>>                                http://www.springframework.org/schema/security/spring-security.xsd
>>                                http://www.springframework.org/schema/util
>>                                http://www.springframework.org/schema/util/spring-util.xsd">
>>
>>       <bean id="authenticationManager"
>>             class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
>>         <constructor-arg>
>>           <map>
>>             <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
>>             <entry key-ref="primaryAuthenticationHandler" value="#{null}" />
>>           </map>
>>         </constructor-arg>
>>
>>         <property name="authenticationPolicy">
>>           <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
>>         </property>
>>       </bean>
>>
>>       <!-- Required for proxy ticket mechanism. -->
>>       <bean id="proxyAuthenticationHandler"
>>             class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>>             p:httpClient-ref="supportsTrustStoreSslSocketFactoryHttpClient" />
>>
>>       <bean id="dataSource"
>>             class="org.springframework.jdbc.datasource.DriverManagerDataSource">
>>         <property name="driverClassName" value="net.sourceforge.jtds.jdbc.Driver"/>
>>         <property name="url" value="jdbc:jtds:sqlserver://localhost/Bonfire;integrated security=false"/>
>>         <property name="username" value="xxxxx"/>
>>         <property name="password" value="xxxxxxxxxxxx"/>
>>       </bean>
>>
>>       <bean id="primaryAuthenticationHandler"
>>             class="org.jasig.cas.adaptors.jdbc.BonfireAuthenticationHandler"
>>             p:dataSource-ref="dataSource"
>>             p:sql="EXEC dbo.LoginAuthenticateCAS ?, ?, ?"
>>             />
>>
>>       <!-- Required for proxy ticket mechanism -->
>>       <bean id="proxyPrincipalResolver"
>>             class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
>>
>>       <bean id="primaryPrincipalResolver"
>>             class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver"
>>             p:principalFactory-ref="principalFactory" />
>>
>>       <bean id="serviceRegistryDao"
>>             class="org.jasig.cas.services.JsonServiceRegistryDao"
>>             c:configDirectory="${service.registry.config.location:classpath:services}" />
>>
>>       <bean id="auditTrailManager"
>>             class="org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
>>
>>       <bean id="healthCheckMonitor"
>>             class="org.jasig.cas.monitor.HealthCheckMonitor"
>>             p:monitors-ref="monitorsList" />
>>
>>       <util:list id="monitorsList">
>>         <bean class="org.jasig.cas.monitor.MemoryMonitor"
>>               p:freeMemoryWarnThreshold="10" />
>>         <bean class="org.jasig.cas.monitor.SessionMonitor"
>>               p:ticketRegistry-ref="ticketRegistry"
>>               p:serviceTicketCountWarnThreshold="5000"
>>               p:sessionCountWarnThreshold="100000" />
>>       </util:list>
>>     </beans>
>>
>> On Wed, Jan 6, 2016 at 2:54 PM, Misagh Moayyed <[email protected]> wrote:
>>
>>> You do not need to define an attribute repository at all. Your attribute
>>> repository *is* your handler, since it’s acting as a repository of user
>>> attributes for you. (It is possible to merge the attributes your handler
>>> returns and the attributes of a separate repository, but I don’t think you
>>> want that in this case.)
>>>
>>> So, you need to ensure:
>>>
>>> 1. Your attribute repository is nulled out, and its associated
>>>    resolver is nulled out. See
>>>    https://jasig.github.io/cas/4.1.x/installation/Configuring-Principal-Resolution.html#principalresolver-vs-authenticationhandler
>>>
>>> 2. You need to ensure you are pointing to the correct endpoint
>>>    for attributes, whether that is SAML or CAS.
>>>
>>> If none of that works, change your log levels for org.jasig.cas to DEBUG
>>> and that should tell you the full story.
>>>
>>> From: [email protected] [mailto:[email protected]] On Behalf Of John Bruestle
>>> Sent: Wednesday, January 6, 2016 12:14 PM
>>> To: Misagh Moayyed <[email protected]>
>>> Cc: CAS Community <[email protected]>
>>> Subject: Re: [cas-user] Returning userid in Validation Response
>>>
>>> I wasn't really expecting to change the username provided, although that
>>> would be OK. I was just expecting to add another data item to what the
>>> validation response returned.
>>>
>>> Anyway, I tried changing to:
>>>
>>>     "usernameAttributeProvider" : {
>>>       "@class" : "org.jasig.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>>>       "usernameAttribute" : "def"
>>>     },
>>>     "attributeReleasePolicy" : {
>>>       "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
>>>       "allowedAttributes" : [ "java.util.ArrayList", [ "cn", "abc", "def" ] ]
>>>     },
>>>
>>> And I am still not seeing the test "def" attribute I created in my
>>> Authentication Handler by going:
>>>
>>>     final Map<String, Object> attributes = new HashMap<>();
>>>     attributes.put("abc", "123");
>>>     attributes.put("def", "456");
>>>
>>> I do wonder if I am supposed to be defining a different attribute
>>> repository.
>>> Right now my deployerConfigContext.xml contains:
>>>
>>>     <bean id="attributeRepository"
>>>           class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"
>>>           p:backingMap-ref="attrRepoBackingMap" />
>>>
>>>     <util:map id="attrRepoBackingMap">
>>>       <entry key="uid" value="uid" />
>>>       <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
>>>       <entry key="groupMembership" value="groupMembership" />
>>>       <entry>
>>>         <key><value>memberOf</value></key>
>>>         <list>
>>>           <value>faculty</value>
>>>           <value>staff</value>
>>>           <value>org</value>
>>>         </list>
>>>       </entry>
>>>     </util:map>
>>>
>>> On Wed, Jan 6, 2016 at 2:01 AM, Misagh Moayyed <[email protected]> wrote:
>>>
>>> Because you told your service to use the default CAS behavior when
>>> returning usernames, via:
>>>
>>>     "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
>>>
>>> You never told it which attribute should be used as the username. It
>>> cannot know that without your direct instructions.
>>>
>>> If you go back to the original link I sent you, that should help
>>> describe what options are available for providing usernames for registered
>>> services. Pick the one that works on an attribute.
>>>
>>> From: John Bruestle [mailto:[email protected]]
>>> Sent: Tuesday, January 5, 2016 3:19 PM
>>> To: CAS Community <[email protected]>
>>> Cc: [email protected]
>>> Subject: Re: [cas-user] Returning userid in Validation Response
>>>
>>> Thank you for your help.
>>> I think I am getting closer:
>>>
>>> As a test, I changed the bottom of my AuthenticationHandler to:
>>>
>>>     final Map<String, Object> attributes = new HashMap<>();
>>>     attributes.put("abc", "123");
>>>     attributes.put("def", "456");
>>>
>>>     return createHandlerResult(credential,
>>>             this.principalFactory.createPrincipal(username, attributes), null);
>>>
>>> And I updated the service definition to:
>>>
>>>     {
>>>       "@class" : "org.jasig.cas.services.RegexRegisteredService",
>>>       "serviceId" : "^http://localhost/bonfire/cas/.*",
>>>       "name" : "Bonfire Development",
>>>       "id" : 10000017,
>>>       "description" : "Bonfire Development CAS Single Sign-On",
>>>       "proxyPolicy" : {
>>>         "@class" : "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy"
>>>       },
>>>       "evaluationOrder" : 0,
>>>       "usernameAttributeProvider" : {
>>>         "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
>>>       },
>>>       "logoutType" : "BACK_CHANNEL",
>>>       "attributeReleasePolicy" : {
>>>         "@class" : "org.jasig.cas.services.ReturnAllAttributeReleasePolicy"
>>>       },
>>>       "accessStrategy" : {
>>>         "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
>>>         "enabled" : true,
>>>         "ssoEnabled" : true
>>>       }
>>>     }
>>>
>>> Only problem is that I am still just seeing the "user"
>>> attribute in the validation response. Is there something more I need to
>>> configure?
>>>
>>> On Tuesday, January 5, 2016 at 1:16:21 PM UTC-5, Misagh Moayyed wrote:
>>>
>>> Since you are on 4.1, your authentication handler is able to create the
>>> principal with all the attributes it needs.
>>> So, as long as your handler is
>>> stuffing that attribute into the final Principal that is created, you
>>> should be able to dictate to a service that the attribute should be used in
>>> the final response.
>>>
>>> See this as an example of how LDAP AuthN adds attributes:
>>> https://github.com/Jasig/cas/blob/4.1.x/cas-server-support-ldap/src/main/java/org/jasig/cas/authentication/LdapAuthenticationHandler.java#L196
>>>
>>> Have yours do the same. You simply need to decide what the attribute
>>> name should be, and stuff it into a map that the principal carries for
>>> attributes.
>>>
>>> This is also relevant:
>>> https://jasig.github.io/cas/4.1.x/installation/Configuring-Principal-Resolution.html#principalresolver-vs-authenticationhandler
>>>
>>> From: [email protected] [mailto:[email protected] <[email protected]>] On Behalf Of John Bruestle
>>> Sent: Tuesday, January 5, 2016 11:11 AM
>>> To: CAS Community <[email protected]>
>>> Cc: [email protected]
>>> Subject: Re: [cas-user] Returning userid in Validation Response
>>>
>>> Thanks. Yes, that tells me how to configure the response so it will
>>> show the specific attributes I want, but it doesn't tell me how to create
>>> the attributes. In my case, I'm getting a userid returned by the stored
>>> procedure I'm calling in my AuthenticationHandler, when authenticating.
>>> I'd like to add code there, at the point that I know the userid, to store
>>> (resolve?) it as an attribute. How do I do that?
>>>
>>> On Tuesday, January 5, 2016 at 12:28:38 PM UTC-5, Misagh Moayyed wrote:
>>>
>>> See if this helps:
>>> https://jasig.github.io/cas/4.1.x/integration/Attribute-Release.html
>>>
>>> Section “Principal-Id Attribute”.
>>>
>>> From: [email protected] [mailto:[email protected] <[email protected]>] On Behalf Of John Bruestle
>>> Sent: Tuesday, January 5, 2016 9:02 AM
>>> To: CAS Community <[email protected]>
>>> Subject: [cas-user] Returning userid in Validation Response
>>>
>>> My system's usernames used for logins are not the same as the unique
>>> userids used by the database. In fact, usernames aren't necessarily
>>> unique and sometimes require the password to determine the specific
>>> userid. I need my validation response to return the userid.
>>>
>>> I already have a custom AuthenticationHandler, which implements
>>> AbstractJdbcUsernamePasswordAuthenticationHandler, that is correctly
>>> authenticating using an MSSQL stored procedure. One of the byproducts of
>>> calling the procedure is the userid, so that in the AuthenticationHandler
>>> we do know what the userid is.
>>>
>>> From my reading, it seems that there may be a way to store the userid
>>> away as an attribute, which could later be used as part of the validation
>>> response. I'm stuck however trying to figure out how to do this. I would
>>> appreciate some pointers, especially if they came with the specific XML
>>> files I need to modify and the functions I should call from within my
>>> AuthenticationHandler to store the attribute.
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> Visit this group at
>>> https://groups.google.com/a/apereo.org/group/cas-user/.
>>>
>>> --
>>> John Bruestle
>>> [email protected]
>>> (609) 737-7250
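The thread ends with the ticket still being checked against /serviceValidate, which per Dmitriy's note never carries attributes. As an added example (not from the thread or from the CAS project), here is a small validator for CAS protocol 2/3 serviceValidate responses written without a client library; it shows why the same ticket yields attributes on /p3/serviceValidate and an empty set on /serviceValidate. The three responses are constructed; the attribute names "abc"/"def" and the use of "def" as usernameAttribute are taken from the thread's test handler and service definition.

```python
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
NS = {"cas": CAS_NS}

class CasValidationError(Exception):
    """Raised when the server answers with <cas:authenticationFailure>."""
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code

def parse_service_validate(xml_text):
    """Return (user, attributes) from a CAS 2/3 serviceValidate response.
    attributes maps name -> list of values (CAS 3 repeats an element once per
    value). The CAS 2 endpoint never emits <cas:attributes>, so it yields {}
    even when the principal carries attributes; /p3/serviceValidate is needed.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{CAS_NS}}}serviceResponse":
        raise ValueError("not a CAS serviceResponse document")
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        raise CasValidationError(failure.get("code", "UNKNOWN"), (failure.text or "").strip())
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        raise ValueError("response has neither success nor failure element")
    user_el = success.find("cas:user", NS)
    if user_el is None or not (user_el.text or "").strip():
        raise ValueError("authenticationSuccess without a <cas:user>")
    attributes = {}
    attrs_el = success.find("cas:attributes", NS)
    if attrs_el is not None:
        for child in attrs_el:
            name = child.tag.rsplit("}", 1)[-1]  # '{...cas}def' -> 'def'
            attributes.setdefault(name, []).append((child.text or "").strip())
    return user_el.text.strip(), attributes

# Constructed sample: a /p3/serviceValidate answer once the handler puts "abc" and
# "def" on the principal, the service releases all attributes, and "def" is the usernameAttribute.
P3_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>456</cas:user>
    <cas:attributes><cas:abc>123</cas:abc><cas:def>456</cas:def></cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: the same ticket checked against the CAS 2 endpoint.
CAS2_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>john</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: a rejected ticket (the ST- value is a placeholder).
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-PLACEHOLDER not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```

The parser treats a failure element as an exception rather than a return value so a caller cannot accidentally proceed with an empty user on a rejected ticket.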
