I do get more back when I call p3/serviceValidate, but cas:user still has the username in it.
On Wed, Jan 6, 2016 at 5:12 PM, John Bruestle <[email protected]> wrote:
> Without the use of a client library.
>
> On Wed, Jan 6, 2016 at 5:11 PM, John Bruestle <[email protected]> wrote:
>
>> I'm calling: /serviceValidate
>>
>> On Wed, Jan 6, 2016 at 4:46 PM, Dmitriy Kopylenko <[email protected]> wrote:
>>
>>> Are you manually calling the CAS server validation endpoint or using a CAS
>>> client library? In other words, how do you get that validation XML
>>> response that you are showing?
>>>
>>> A few pointers: for validation, CAS4 has 4 (I believe, off the top of my
>>> head):
>>>
>>> 1) Legacy: /validate
>>> 2) CAS2 protocol: /serviceValidate
>>> 3) CAS3 protocol: /p3/serviceValidate
>>> 4) SAML: /samlValidate
>>>
>>> There is also proxy validation stuff, but let's skip that for this
>>> conversation.
>>>
>>> Attributes in the validation response are only supported by the SAML and p3
>>> endpoints. I think you'd need to make sure you configure your CAS client
>>> library to use that. And I only know that the latest CAS Java client supports
>>> p3 validation, but have no idea of any other client libraries updated to
>>> support that.
>>>
>>> Hope that gives you a few more pointers.
>>>
>>> Best,
>>> Dmitriy.
>>>
>>> Sent from my iPhone
>>>
>>> On Jan 6, 2016, at 16:34, John Bruestle <[email protected]> wrote:
>>>
>>> Thanks.
>>> I updated the Authentication Manager configuration to read:
>>>
>>> <entry key-ref="primaryAuthenticationHandler" value="#{null}" />
>>>
>>> I am not sure how or where I would "ensure you are pointing to
>>> the correct endpoint for attributes, whether that is SAML or CAS", so I'm
>>> not sure about that.
>>>
>>> My Authentication Handler is setting attributes using:
>>>
>>>   final Map<String, Object> attributes = new HashMap<>();
>>>   attributes.put("abc", "123");
>>>   attributes.put("def", "456");
>>>   return createHandlerResult(credential,
>>>       this.principalFactory.createPrincipal(username), null);
>>>
>>> But I am still getting the username in my Validation Response:
>>>
>>>   <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
>>>       <cas:authenticationSuccess>
>>>           <cas:user>john</cas:user>
>>>       </cas:authenticationSuccess>
>>>   </cas:serviceResponse>
>>>
>>> Here is my service definition:
>>>
>>>   {
>>>     "@class" : "org.jasig.cas.services.RegexRegisteredService",
>>>     "serviceId" : "^http://localhost/bonfire/cas/.*",
>>>     "name" : "Bonfire Development",
>>>     "id" : 10000017,
>>>     "description" : "Bonfire Development CAS Single Sign-On 2",
>>>     "proxyPolicy" : {
>>>       "@class" : "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy"
>>>     },
>>>     "evaluationOrder" : 0,
>>>     "usernameAttributeProvider" : {
>>>       "@class" : "org.jasig.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>>>       "usernameAttribute" : "def"
>>>     },
>>>     "attributeReleasePolicy" : {
>>>       "@class" : "org.jasig.cas.services.ReturnAllAttributeReleasePolicy"
>>>     },
>>>     "logoutType" : "BACK_CHANNEL"
>>>   }
>>>
>>> Here is my entire deployerConfigContext.xml:
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>>
>>> <beans xmlns="http://www.springframework.org/schema/beans"
>>>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>        xmlns:p="http://www.springframework.org/schema/p"
>>>        xmlns:c="http://www.springframework.org/schema/c"
>>>        xmlns:tx="http://www.springframework.org/schema/tx"
>>>        xmlns:util="http://www.springframework.org/schema/util"
>>>        xmlns:sec="http://www.springframework.org/schema/security"
>>>        xsi:schemaLocation="http://www.springframework.org/schema/beans
>>>        http://www.springframework.org/schema/beans/spring-beans.xsd
>>>        http://www.springframework.org/schema/tx
>>>        http://www.springframework.org/schema/tx/spring-tx.xsd
>>>        http://www.springframework.org/schema/security
>>>        http://www.springframework.org/schema/security/spring-security.xsd
>>>        http://www.springframework.org/schema/util
>>>        http://www.springframework.org/schema/util/spring-util.xsd">
>>>
>>>     <bean id="authenticationManager"
>>>           class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
>>>         <constructor-arg>
>>>             <map>
>>>                 <entry key-ref="proxyAuthenticationHandler"
>>>                        value-ref="proxyPrincipalResolver" />
>>>                 <entry key-ref="primaryAuthenticationHandler"
>>>                        value="#{null}" />
>>>             </map>
>>>         </constructor-arg>
>>>
>>>         <property name="authenticationPolicy">
>>>             <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
>>>         </property>
>>>     </bean>
>>>
>>>     <!-- Required for proxy ticket mechanism.
>>>     -->
>>>     <bean id="proxyAuthenticationHandler"
>>>           class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>>>           p:httpClient-ref="supportsTrustStoreSslSocketFactoryHttpClient" />
>>>
>>>     <bean id="dataSource"
>>>           class="org.springframework.jdbc.datasource.DriverManagerDataSource">
>>>         <property name="driverClassName" value="net.sourceforge.jtds.jdbc.Driver"/>
>>>         <property name="url"
>>>                   value="jdbc:jtds:sqlserver://localhost/Bonfire;integrated security=false"/>
>>>         <property name="username" value="xxxxx"/>
>>>         <property name="password" value="xxxxxxxxxxxx"/>
>>>     </bean>
>>>
>>>     <bean id="primaryAuthenticationHandler"
>>>           class="org.jasig.cas.adaptors.jdbc.BonfireAuthenticationHandler"
>>>           p:dataSource-ref="dataSource"
>>>           p:sql="EXEC dbo.LoginAuthenticateCAS ?, ?, ?"
>>>     />
>>>     <!-- Required for proxy ticket mechanism -->
>>>     <bean id="proxyPrincipalResolver"
>>>           class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
>>>
>>>     <bean id="primaryPrincipalResolver"
>>>           class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver"
>>>           p:principalFactory-ref="principalFactory" />
>>>     <bean id="serviceRegistryDao"
>>>           class="org.jasig.cas.services.JsonServiceRegistryDao"
>>>           c:configDirectory="${service.registry.config.location:classpath:services}"
>>>     />
>>>
>>>     <bean id="auditTrailManager"
>>>           class="org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
>>>
>>>     <bean id="healthCheckMonitor"
>>>           class="org.jasig.cas.monitor.HealthCheckMonitor"
>>>           p:monitors-ref="monitorsList" />
>>>
>>>     <util:list id="monitorsList">
>>>         <bean class="org.jasig.cas.monitor.MemoryMonitor"
>>>               p:freeMemoryWarnThreshold="10" />
>>>         <bean class="org.jasig.cas.monitor.SessionMonitor"
>>>               p:ticketRegistry-ref="ticketRegistry"
>>>               p:serviceTicketCountWarnThreshold="5000"
>>>               p:sessionCountWarnThreshold="100000" />
>>>     </util:list>
>>> </beans>
>>>
>>> On Wed, Jan 6, 2016
>>> at 2:54 PM, Misagh Moayyed <[email protected]> wrote:
>>>
>>>> You do not need to define an attribute repository at all. Your
>>>> attribute repository *is* your handler, since it’s acting as a
>>>> repository of user attributes for you. (It is possible to merge the
>>>> attributes your handler returns and the attributes of a separate
>>>> repository, but I don’t think you want that in this case.)
>>>>
>>>> So, you need to ensure:
>>>>
>>>> 1. Your attribute repository is nulled out, and its associated
>>>> resolver is nulled out. See
>>>> https://jasig.github.io/cas/4.1.x/installation/Configuring-Principal-Resolution.html#principalresolver-vs-authenticationhandler
>>>>
>>>> 2. You need to ensure you are pointing to the correct endpoint
>>>> for attributes, whether that is SAML or CAS.
>>>>
>>>> If none of that works, change your log levels for org.jasig.cas to
>>>> DEBUG and that should tell you the full story.
>>>>
>>>> From: [email protected] [mailto:[email protected]] On Behalf Of John Bruestle
>>>> Sent: Wednesday, January 6, 2016 12:14 PM
>>>> To: Misagh Moayyed <[email protected]>
>>>> Cc: CAS Community <[email protected]>
>>>> Subject: Re: [cas-user] Returning userid in Validation Response
>>>>
>>>> I wasn't really expecting to change the username provided, although
>>>> that would be OK. I was just expecting to add another data item to what
>>>> the validation response returned.
>>>> Anyway, I tried changing to:
>>>>
>>>>   "usernameAttributeProvider" : {
>>>>     "@class" : "org.jasig.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>>>>     "usernameAttribute" : "def"
>>>>   },
>>>>   "attributeReleasePolicy" : {
>>>>     "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
>>>>     "allowedAttributes" : [ "java.util.ArrayList", [ "cn", "abc", "def" ] ]
>>>>   },
>>>>
>>>> And I am still not seeing the test "def" attribute I created in my
>>>> Authentication Handler by going:
>>>>
>>>>   final Map<String, Object> attributes = new HashMap<>();
>>>>   attributes.put("abc", "123");
>>>>   attributes.put("def", "456");
>>>>
>>>> I do wonder if I am supposed to be defining a different attribute
>>>> repository. Right now my deployerConfigContext.xml contains:
>>>>
>>>>   <bean id="attributeRepository"
>>>>         class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"
>>>>         p:backingMap-ref="attrRepoBackingMap" />
>>>>
>>>>   <util:map id="attrRepoBackingMap">
>>>>       <entry key="uid" value="uid" />
>>>>       <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
>>>>       <entry key="groupMembership" value="groupMembership" />
>>>>       <entry>
>>>>           <key><value>memberOf</value></key>
>>>>           <list>
>>>>               <value>faculty</value>
>>>>               <value>staff</value>
>>>>               <value>org</value>
>>>>           </list>
>>>>       </entry>
>>>>   </util:map>
>>>>
>>>> On Wed, Jan 6, 2016 at 2:01 AM, Misagh Moayyed <[email protected]> wrote:
>>>>
>>>> Because you told your service to use the default CAS behavior when
>>>> returning usernames, via:
>>>>   "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
>>>>
>>>> You never told it which attribute should be used as the username.
>>>> It cannot know that without your direct instructions.
>>>>
>>>> If you go back to the original link I sent you, that should help
>>>> describe what options are available for providing usernames for registered
>>>> services. Pick the one that works on an attribute.
>>>>
>>>> From: John Bruestle [mailto:[email protected]]
>>>> Sent: Tuesday, January 5, 2016 3:19 PM
>>>> To: CAS Community <[email protected]>
>>>> Cc: [email protected]
>>>> Subject: Re: [cas-user] Returning userid in Validation Response
>>>>
>>>> Thank you for your help. I think I am getting closer:
>>>>
>>>> As a test, I changed the bottom of my AuthenticationHandler to:
>>>>
>>>>   final Map<String, Object> attributes = new HashMap<>();
>>>>   attributes.put("abc", "123");
>>>>   attributes.put("def", "456");
>>>>
>>>>   return createHandlerResult(credential,
>>>>       this.principalFactory.createPrincipal(username, attributes), null);
>>>>
>>>> And I updated the service definition to:
>>>>
>>>>   {
>>>>     "@class" : "org.jasig.cas.services.RegexRegisteredService",
>>>>     "serviceId" : "^http://localhost/bonfire/cas/.*",
>>>>     "name" : "Bonfire Development",
>>>>     "id" : 10000017,
>>>>     "description" : "Bonfire Development CAS Single Sign-On",
>>>>     "proxyPolicy" : {
>>>>       "@class" : "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy"
>>>>     },
>>>>     "evaluationOrder" : 0,
>>>>     "usernameAttributeProvider" : {
>>>>       "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
>>>>     },
>>>>     "logoutType" : "BACK_CHANNEL",
>>>>     "attributeReleasePolicy" : {
>>>>       "@class" : "org.jasig.cas.services.ReturnAllAttributeReleasePolicy"
>>>>     },
>>>>     "accessStrategy" : {
>>>>       "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
>>>>       "enabled" : true,
>>>>       "ssoEnabled" : true
>>>>     }
>>>>   }
>>>>
>>>> The only problem is that I am still just seeing only the "user"
>>>> attribute in the validation response. Is there something more I need to
>>>> configure?
>>>>
>>>> On Tuesday, January 5, 2016 at 1:16:21 PM UTC-5, Misagh Moayyed wrote:
>>>>
>>>> Since you are on 4.1, your authentication handler is able to create the
>>>> principal with all the attributes it needs. So, as long as your handler is
>>>> stuffing that attribute into the final Principal that is created, you
>>>> should be able to dictate to a service that the attribute should be used in
>>>> the final response.
>>>>
>>>> See this as an example of how LDAP AuthN adds attributes:
>>>>
>>>> https://github.com/Jasig/cas/blob/4.1.x/cas-server-support-ldap/src/main/java/org/jasig/cas/authentication/LdapAuthenticationHandler.java#L196
>>>>
>>>> Have yours do the same. You simply need to decide what the attribute
>>>> name should be, and stuff it into a map that the principal carries for
>>>> attributes.
>>>>
>>>> This is also relevant:
>>>>
>>>> https://jasig.github.io/cas/4.1.x/installation/Configuring-Principal-Resolution.html#principalresolver-vs-authenticationhandler
>>>>
>>>> From: [email protected] [mailto:[email protected]] On Behalf Of John Bruestle
>>>> Sent: Tuesday, January 5, 2016 11:11 AM
>>>> To: CAS Community <[email protected]>
>>>> Cc: [email protected]
>>>> Subject: Re: [cas-user] Returning userid in Validation Response
>>>>
>>>> Thanks. Yes, that tells me how to configure the response so it will
>>>> show the specific attributes I want, but it doesn't tell me how to create
>>>> the attributes. In my case, I'm getting a userid returned by the stored
>>>> procedure I'm calling in my AuthenticationHandler, when authenticating.
>>>> I'd like to add code there, at the point that I know the userid, to store
>>>> (resolve?) it as an attribute. How do I do that?
>>>>
>>>> On Tuesday, January 5, 2016 at 12:28:38 PM UTC-5, Misagh Moayyed wrote:
>>>>
>>>> See if this helps:
>>>>
>>>> https://jasig.github.io/cas/4.1.x/integration/Attribute-Release.html
>>>>
>>>> Section “Principal-Id Attribute”.
>>>>
>>>> From: [email protected] [mailto:[email protected]] On Behalf Of John Bruestle
>>>> Sent: Tuesday, January 5, 2016 9:02 AM
>>>> To: CAS Community <[email protected]>
>>>> Subject: [cas-user] Returning userid in Validation Response
>>>>
>>>> My system's usernames used for logins are not the same as the unique
>>>> userids used by the database. In fact, usernames aren't necessarily
>>>> unique and sometimes require the password to determine the specific
>>>> userid. I need my validation response to return the userid.
>>>>
>>>> I already have a custom AuthenticationHandler, which implements
>>>> AbstractJdbcUsernamePasswordAuthenticationHandler, that is correctly
>>>> authenticating using an MSSQL stored procedure. One of the byproducts of
>>>> calling the procedure is the userid, so that in the AuthenticationHandler
>>>> we do know what the userid is.
>>>>
>>>> From my reading, it seems that there may be a way to store the userid
>>>> away as an attribute, which could later be used as part of the validation
>>>> response. I'm stuck, however, trying to figure out how to do this. I would
>>>> appreciate some pointers, especially if they came with the specific XML
>>>> files I need to modify and the functions I should call from within my
>>>> AuthenticationHandler to store the attribute.
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "CAS Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
>>>>
>>>> --
>>>> John Bruestle
>>>> [email protected]
>>>> (609) 737-7250
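The thread turns on one detail: the attributes map only reaches the service's username provider and release policy if it is passed to createPrincipal, and the last handler snippet quoted above calls createPrincipal(username) without it. The following is an added illustration, not code from the thread or from the CAS project, of a CAS 4.1-style JDBC handler that stores the database userid as a principal attribute; the class name, the attribute name "userid", and a stored procedure that returns one row with a "userid" column for a valid username/password (and no rows otherwise) are assumptions.

```java
// Added example (not from the thread or the CAS project). Assumed: the
// configured SQL takes (username, encodedPassword) and returns one row with
// a "userid" column on success, no rows on failure.
package org.jasig.cas.adaptors.jdbc;

import java.security.GeneralSecurityException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.login.FailedLoginException;
import org.jasig.cas.authentication.HandlerResult;
import org.jasig.cas.authentication.PreventedException;
import org.jasig.cas.authentication.UsernamePasswordCredential;
import org.springframework.dao.DataAccessException;

public class UserIdReleasingAuthenticationHandler
        extends AbstractJdbcUsernamePasswordAuthenticationHandler {

    // Attribute name the service JSON must reference in
    // "usernameAttributeProvider" -> "usernameAttribute" (assumed name).
    public static final String USERID_ATTRIBUTE = "userid";

    private String sql;

    public void setSql(final String sql) { this.sql = sql; }

    @Override
    protected HandlerResult authenticateUsernamePasswordInternal(
            final UsernamePasswordCredential credential)
            throws GeneralSecurityException, PreventedException {
        final String username = credential.getUsername();
        final String encoded = getPasswordEncoder().encode(credential.getPassword());

        final List<Map<String, Object>> rows;
        try {
            rows = getJdbcTemplate().queryForList(this.sql, username, encoded);
        } catch (final DataAccessException e) {
            throw new PreventedException("SQL exception while executing login procedure", e);
        }
        // Usernames are not unique here; the password is what selects the userid.
        // Zero rows or more than one row is a failed login, never "take the first".
        if (rows.size() != 1 || rows.get(0).get(USERID_ATTRIBUTE) == null) {
            throw new FailedLoginException(username + " not found or ambiguous");
        }

        // This map is what the release policy and the username provider read.
        // It must be handed to createPrincipal; createPrincipal(username) drops it.
        final Map<String, Object> attributes = new HashMap<>();
        attributes.put(USERID_ATTRIBUTE, String.valueOf(rows.get(0).get(USERID_ATTRIBUTE)));

        return createHandlerResult(credential,
                this.principalFactory.createPrincipal(username, attributes), null);
    }
}
```

Even with the attribute on the principal, it only shows up in the XML from /p3/serviceValidate or /samlValidate, as noted earlier in the thread; /serviceValidate will keep returning just cas:user.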
