At this point, you’re going to have to up the logs to DEBUG and watch what happens.
From: [email protected] [mailto:[email protected]] On Behalf Of John Bruestle Sent: Wednesday, January 6, 2016 3:19 PM To: Dmitriy Kopylenko <[email protected]> Cc: Misagh Moayyed <[email protected]>; CAS Community <[email protected]> Subject: Re: [cas-user] Returning userid in Validation Response I do get more back when I call p3/serviceValidate, but cas:user still has the username in it. On Wed, Jan 6, 2016 at 5:12 PM, John Bruestle <[email protected] <mailto:[email protected]> > wrote: Without the use of a client library. On Wed, Jan 6, 2016 at 5:11 PM, John Bruestle <[email protected] <mailto:[email protected]> > wrote: I'm calling : /serviceValidate On Wed, Jan 6, 2016 at 4:46 PM, Dmitriy Kopylenko <[email protected] <mailto:[email protected]> > wrote: Are you manually calling CAS server validation endpoint or using CAS client library? In other words - how do you get that validation XML response that you are showing? Few pointers - for validation, CAS4 has 4 (I believe off the top of my head): 1) Legacy: /validate 2) CAS2 protocol: /serviceValidate 3) CAS3 protocol: /p3/serviceValidate 4) SAML: /samlValidate there are also proxy validation stuff, but let's skip that for this conversation. Attributes in validation response are only supported by SAML and p3 endpoints. I think you'd need to make sure you configure your CAS client library to use that. And I only know of the latest CAS Java client supports p3 validation, but have no idea of any other client libraries updated to support that. Hope that gives you a few more pointers. Best, Dmitriy. Sent from my iPhone On Jan 6, 2016, at 16:34, John Bruestle <[email protected] <mailto:[email protected]> > wrote: Thanks. I updated the Authentication Manager configuration to read: <entry key-ref="primaryAuthenticationHandler" value="#{null}" /> I am not sure how I how or where I would "ensure you are pointing to the correct endpoint for attributes, whether that is SAML or CAS", so I'm not sure about that My Authentication Handler is setting attributes using: final Map<String, Object> attributes = new HashMap<>(); attributes.put("abc", "123"); attributes.put("def", "456"); return createHandlerResult(credential, this.principalFactory.createPrincipal(username), null); But I am still getting the username in my Validation Response: <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas";> <cas:authenticationSuccess> <cas:user>john</cas:user> </cas:authenticationSuccess> </cas:serviceResponse> Here is my service definiteion: { "@class" : "org.jasig.cas.services.RegexRegisteredService", "serviceId" : "^http://localhost/bonfire/cas/.*";, "name" : "Bonfire Development", "id" : 10000017, "description" : "Bonfire Development CAS Single Sign-On 2", "proxyPolicy" : { "@class" : "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy" }, "evaluationOrder" : 0, "usernameAttributeProvider" : { "@class" : "org.jasig.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", "usernameAttribute" : "def" }, "attributeReleasePolicy" : { "@class" : "org.jasig.cas.services.ReturnAllAttributeReleasePolicy" }, "logoutType" : "BACK_CHANNEL" Here is my entire deployerConfigContext.xml; <?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xmlns:p="http://www.springframework.org/schema/p"; xmlns:c="http://www.springframework.org/schema/c"; xmlns:tx="http://www.springframework.org/schema/tx"; xmlns:util="http://www.springframework.org/schema/util"; xmlns:sec="http://www.springframework.org/schema/security"; xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd";> <bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager"> <constructor-arg> <map> <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" /> <entry key-ref="primaryAuthenticationHandler" value="#{null}" /> </map> </constructor-arg> <property name="authenticationPolicy"> <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" /> </property> </bean> <!-- Required for proxy ticket mechanism. --> <bean id="proxyAuthenticationHandler" class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="supportsTrustStoreSslSocketFactoryHttpClient" /> <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource"> <property name="driverClassName" value="net.sourceforge.jtds.jdbc.Driver"/> <property name="url" value="jdbc:jtds:sqlserver://localhost/Bonfire;integrated security=false"/> <property name="username" value="xxxxx"/> <property name="password" value="xxxxxxxxxxxx"/> </bean> <bean id="primaryAuthenticationHandler" class="org.jasig.cas.adaptors.jdbc.BonfireAuthenticationHandler" p:dataSource-ref="dataSource" p:sql="EXEC dbo.LoginAuthenticateCAS ?, ?, ?" /> <!-- Required for proxy ticket mechanism --> <bean id="proxyPrincipalResolver" class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" /> <bean id="primaryPrincipalResolver" class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver" p:principalFactory-ref="principalFactory" /> <bean id="serviceRegistryDao" class="org.jasig.cas.services.JsonServiceRegistryDao" c:configDirectory="${service.registry.config.location:classpath:services}" /> <bean id="auditTrailManager" class="org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager" /> <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor" p:monitors-ref="monitorsList" /> <util:list id="monitorsList"> <bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10" /> <bean class="org.jasig.cas.monitor.SessionMonitor" p:ticketRegistry-ref="ticketRegistry" p:serviceTicketCountWarnThreshold="5000" p:sessionCountWarnThreshold="100000" /> </util:list> </beans> On Wed, Jan 6, 2016 at 2:54 PM, Misagh Moayyed <[email protected] <mailto:[email protected]> > wrote: You do not need to define an attribute repository at all. Your attribute repository is your handler, since it’s acting as a repository of user attributes for you. (It is possible to merge the attributes your handler returns and the attributes of a separate repository, but I don’t think you want that in this case) So, you need to ensure: 1. Your attribute repository is nulled out, and its associated resolver is nulled out. See https://jasig.github.io/cas/4.1.x/installation/Configuring-Principal-Resolution.html#principalresolver-vs-authenticationhandler 2. You need to ensure you are pointing to the correct endpoint for attributes, whether that is SAML or CAS. If none of that works, change your log levels for org.jasig.cas to DEBUG and that should tell you the full story. From: [email protected] <mailto:[email protected]> [mailto:[email protected] <mailto:[email protected]> ] On Behalf Of John Bruestle Sent: Wednesday, January 6, 2016 12:14 PM To: Misagh Moayyed <[email protected] <mailto:[email protected]> > Cc: CAS Community <[email protected] <mailto:[email protected]> > Subject: Re: [cas-user] Returning userid in Validation Response I wasn't erally expecting to change the username provided, although that would be OK. I was just expecting to add an other data item to what the validation response returnd. Anyway, I tried changing to: "usernameAttributeProvider" : { "@class" : "org.jasig.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", "usernameAttribute" : "def" }, "attributeReleasePolicy" : { "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy", "allowedAttributes" : [ "java.util.ArrayList", [ "cn", "abc", "def" ] ] }, And I am still not seeing the test "def" attribute I created in my Authentication Handler by going: final Map<String, Object> attributes = new HashMap<>(); attributes.put("abc", "123"); attributes.put("def", "456"); I do wonder if I am suppose to be defining a different attribute repository. Right now my deployerConfigContext.xml contains: <bean id="attributeRepository" class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao" p:backingMap-ref="attrRepoBackingMap" /> <util:map id="attrRepoBackingMap"> <entry key="uid" value="uid" /> <entry key="eduPersonAffiliation" value="eduPersonAffiliation" /> <entry key="groupMembership" value="groupMembership" /> <entry> <key><value>memberOf</value></key> <list> <value>faculty</value> <value>staff</value> <value>org</value> </list> </entry> </util:map> On Wed, Jan 6, 2016 at 2:01 AM, Misagh Moayyed <[email protected] <mailto:[email protected]> > wrote: Because you told your service to use the default CAS behavior when returning usernames, via: "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider" You never told it which attribute should be used as the username. It cannot know that without your direct instructions. If you go back to the original link I sent you, that should help describe what options are available for providing usernames for registered services. Pick the one that works on an attribute. From: John Bruestle [mailto:[email protected] <mailto:[email protected]> ] Sent: Tuesday, January 5, 2016 3:19 PM To: CAS Community <[email protected] <mailto:[email protected]> > Cc: [email protected] <mailto:[email protected]> Subject: Re: [cas-user] Returning userid in Validation Response Thank you for your help. I think I am getting closer: As a test, I changed the bottom of my AuthenticationHandler to: final Map<String, Object> attributes = new HashMap<>(); attributes.put("abc", "123"); attributes.put("def", "456"); return createHandlerResult(credential, this.principalFactory.createPrincipal(username,attributes), null) And I updated the service definition to: { "@class" : "org.jasig.cas.services.RegexRegisteredService", "serviceId" : "^http://localhost/bonfire/cas/.*";, "name" : "Bonfire Development", "id" : 10000017, "description" : "Bonfire Development CAS Single Sign-On", "proxyPolicy" : { "@class" : "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy" }, "evaluationOrder" : 0, "usernameAttributeProvider" : { "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider" }, "logoutType" : "BACK_CHANNEL", "attributeReleasePolicy" : { "@class" : "org.jasig.cas.services.ReturnAllAttributeReleasePolicy" }, "accessStrategy" : { "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy", "enabled" : true, "ssoEnabled" : true } } Only problem is that I am still just seeing only the the "user" attribute in the validation response. Is there something more I need to configure? On Tuesday, January 5, 2016 at 1:16:21 PM UTC-5, Misagh Moayyed wrote: Since you are on 4.1, your authentication handler is able to create the principal with all the attributes it needs. So, as long as your handler is stuffing that attribute into the final Principal that is created, you should be able to dictate to a service that the attribute should be used in the final response. See this as an example of how LDAP AuthN adds attributes: https://github.com/Jasig/cas/blob/4.1.x/cas-server-support-ldap/src/main/java/org/jasig/cas/authentication/LdapAuthenticationHandler.java#L196 Have yours do the same. You simply need to decide what the attribute name should be, and stuff it into a map that the principal carries for attributes. This is also relevant: https://jasig.github.io/cas/4.1.x/installation/Configuring-Principal-Resolution.html#principalresolver-vs-authenticationhandler From: [email protected] <mailto:[email protected]> [mailto:[email protected]] On Behalf Of John Bruestle Sent: Tuesday, January 5, 2016 11:11 AM To: CAS Community <[email protected] <mailto:[email protected]> > Cc: [email protected] <mailto:[email protected]> Subject: Re: [cas-user] Returning userid in Validation Response Thanks. Yes, that tells me how to configure the response so it will show the specific attributes I want, but it doesn't tell me how to create the attributes. In my case, I'm getting a userid returned by the store procedure I'm calling in my AuthenticationHandler, when authenticating. I'd like to add code there, at the point that I know the userid, to store (resolve?) it as an attribute. How do I do that? On Tuesday, January 5, 2016 at 12:28:38 PM UTC-5, Misagh Moayyed wrote: See if this helps: https://jasig.github.io/cas/4.1.x/integration/Attribute-Release.html Section “Principal-Id Attribute”. From: [email protected] <mailto:[email protected]> [mailto:[email protected]] On Behalf Of John Bruestle Sent: Tuesday, January 5, 2016 9:02 AM To: CAS Community <[email protected] <mailto:[email protected]> > Subject: [cas-user] Returning userid in Validation Response My system's usernames used for logins are not the same as the unique userid's used by the database. In fact, usernames aren't necessarily unique and sometimes require the password to determine the specific userid. I need my validation response to return the userid. I already have a custom AuthenticationHandler, which implements AbstractJdbcUsernamePasswordAuthenticationHandler, that is correctly authenticating using a MSSQL stored procedure. One of the byproducts of calling the procedure is the userid, so that in the AuthenticationHandler we do know what the userid is. >From my reading, it seems that there may be a way to store the userid away as an attribute, which could later be used as part of the validation response. I'm stuck however trying to figure out how to do this. I would appreciate some pointers, especially if they came with the specific XML files I need to modify and the functions I should call from within my AuthenticationHandler to store the attribute. -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]> . Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]> . Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]> . Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. -- John Bruestle [email protected] <mailto:[email protected]> (609) 737-7250 <tel:%28609%29%20737-7250> -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]> . Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]> . Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. -- John Bruestle [email protected] <mailto:[email protected]> (609) 737-7250 <tel:%28609%29%20737-7250> -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]> . Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. -- John Bruestle [email protected] <mailto:[email protected]> (609) 737-7250 <tel:%28609%29%20737-7250> -- John Bruestle [email protected] <mailto:[email protected]> (609) 737-7250 <tel:%28609%29%20737-7250> -- John Bruestle [email protected] <mailto:[email protected]> (609) 737-7250 -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]> . Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
