Many thanks. I did have that in there at one point. I just changed it
back to:
final Map<String, Object> attributes = new HashMap<>();
attributes.put("abc", "123");
attributes.put("def", "456");
return createHandlerResult(credential,
this.principalFactory.createPrincipal(username), null);
and I am now seeing "456" as the user field in the validation response.
This is undoubtedly because of mu service definition which reads:
"usernameAttributeProvider" : {
"@class" :
"org.jasig.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute" : "def"
},
Now I just want to figure out what I need to do to get the other attributes
(in this case "abc") to be included. I thought the following would make
that happen:
"attributeReleasePolicy" : {
"@class" : "org.jasig.cas.services.ReturnAllAttributeReleasePolicy"
},
but it's not working.
On Thu, Jan 7, 2016 at 12:29 PM, Misagh Moayyed <[email protected]> wrote:
> I just noticed something; you said you have the following:
>
>
>
> final Map<String, Object> attributes = new HashMap<>();
>
> attributes.put("abc", "123");
>
> attributes.put("def", "456");
>
> return createHandlerResult(credential,
> this.principalFactory.createPrincipal(username), null);
>
>
>
>
>
> Of course, you are not getting attributes, because you don’t do anything
> with your attributes. It’s not passed to anything. If you go back to my
> original example of the Ldap authentication handler, you will find that
> attributes are passed. You are not doing that.
>
>
> https://github.com/Jasig/cas/blob/4.1.x/cas-server-support-ldap/src/main/java/org/jasig/cas/authentication/LdapAuthenticationHandler.java#L273
>
>
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *John
> Bruestle
> *Sent:* Thursday, January 7, 2016 10:13 AM
>
> *To:* Misagh Moayyed <[email protected]>
> *Cc:* CAS Community <[email protected]>
> *Subject:* Re: [cas-user] Returning userid in Validation Response
>
>
>
> Misgah,
>
>
>
> Perhaps. I am still hoping someone in the group will be able to show me
> lines of code and xml that show me how to get attributes created in the
> AuthenticationHandler via the "attributes" parameter of s
> principalFactory.createPrincipal call to show up in the
> validationResponse. The documentation doesn't really explain this and
> Google isn't finding me any example code.
>
> Based on your advice, I'll dig into the logs, but I really don't have any
> confidence. that I have the necessary configuration in place for that to be
> of much use.
>
> For now, I have been able to get my user id by changing the last line in
> the AuthenticationHandler to:
>
>
>
> return createHandlerResult(credential,
> this.principalFactory.createPrincipal(userid), null);
>
>
>
> So I am getting userid instead of username. Ideally though, I'd like to
> get both.
>
>
>
>
>
>
>
>
>
> On Thu, Jan 7, 2016 at 3:47 AM, Misagh Moayyed <[email protected]>
> wrote:
>
> At this point, you’re going to have to up the logs to DEBUG and watch what
> happens.
>
>
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *John
> Bruestle
> *Sent:* Wednesday, January 6, 2016 3:19 PM
> *To:* Dmitriy Kopylenko <[email protected]>
> *Cc:* Misagh Moayyed <[email protected]>; CAS Community <
> [email protected]>
>
>
> *Subject:* Re: [cas-user] Returning userid in Validation Response
>
>
>
> I do get more back when I call p3/serviceValidate, but cas:user still has
> the username in it.
>
>
>
> On Wed, Jan 6, 2016 at 5:12 PM, John Bruestle <[email protected]>
> wrote:
>
> Without the use of a client library.
>
>
>
> On Wed, Jan 6, 2016 at 5:11 PM, John Bruestle <[email protected]>
> wrote:
>
> I'm calling : /serviceValidate
>
>
>
> On Wed, Jan 6, 2016 at 4:46 PM, Dmitriy Kopylenko <[email protected]>
> wrote:
>
> Are you manually calling CAS server validation endpoint or using CAS
> client library? In other words - how do you get that validation XML
> response that you are showing?
>
>
>
> Few pointers - for validation, CAS4 has 4 (I believe off the top of my
> head):
>
>
>
> 1) Legacy: /validate
>
> 2) CAS2 protocol: /serviceValidate
>
> 3) CAS3 protocol: /p3/serviceValidate
>
> 4) SAML: /samlValidate
>
>
>
> there are also proxy validation stuff, but let's skip that for this
> conversation.
>
>
>
> Attributes in validation response are only supported by SAML and p3
> endpoints. I think you'd need to make sure you configure your CAS client
> library to use that. And I only know of the latest CAS Java client supports
> p3 validation, but have no idea of any other client libraries updated to
> support that.
>
>
>
> Hope that gives you a few more pointers.
>
>
>
> Best,
>
> Dmitriy.
>
>
>
>
>
> Sent from my iPhone
>
>
> On Jan 6, 2016, at 16:34, John Bruestle <[email protected]> wrote:
>
> Thanks. I updated the Authentication Manager configuration to read:
>
>
>
> <entry key-ref="primaryAuthenticationHandler" value="#{null}" />
>
>
>
> I am not sure how I how or where I would "ensure you are pointing to the
> correct endpoint for attributes, whether that is SAML or CAS", so I'm not
> sure about that
>
>
>
> My Authentication Handler is setting attributes using:
>
>
>
> final Map<String, Object> attributes = new HashMap<>();
>
> attributes.put("abc", "123");
>
> attributes.put("def", "456");
>
> return createHandlerResult(credential,
> this.principalFactory.createPrincipal(username), null);
>
>
>
> But I am still getting the username in my Validation Response:
>
>
>
> <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas";>
>
> <cas:authenticationSuccess>
>
> <cas:user>john</cas:user>
>
> </cas:authenticationSuccess>
>
> </cas:serviceResponse>
>
>
>
> Here is my service definiteion:
>
>
>
> {
>
> "@class" : "org.jasig.cas.services.RegexRegisteredService",
>
> "serviceId" : "^http://localhost/bonfire/cas/.*";,
>
> "name" : "Bonfire Development",
>
> "id" : 10000017,
>
> "description" : "Bonfire Development CAS Single Sign-On 2",
>
> "proxyPolicy" : {
>
> "@class" : "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy"
>
> },
>
> "evaluationOrder" : 0,
>
> "usernameAttributeProvider" : {
>
> "@class" :
> "org.jasig.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>
> "usernameAttribute" : "def"
>
> },
>
> "attributeReleasePolicy" : {
>
> "@class" : "org.jasig.cas.services.ReturnAllAttributeReleasePolicy"
>
> },
>
> "logoutType" : "BACK_CHANNEL"
>
>
>
>
>
>
>
> Here is my entire deployerConfigContext.xml;
>
>
>
> <?xml version="1.0" encoding="UTF-8"?>
>
>
>
> <beans xmlns="http://www.springframework.org/schema/beans";
>
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
>
> xmlns:p="http://www.springframework.org/schema/p";
>
> xmlns:c="http://www.springframework.org/schema/c";
>
> xmlns:tx="http://www.springframework.org/schema/tx";
>
> xmlns:util="http://www.springframework.org/schema/util";
>
> xmlns:sec="http://www.springframework.org/schema/security";
>
> xsi:schemaLocation="http://www.springframework.org/schema/beans
> http://www.springframework.org/schema/beans/spring-beans.xsd
>
> http://www.springframework.org/schema/tx
> http://www.springframework.org/schema/tx/spring-tx.xsd
>
> http://www.springframework.org/schema/security
> http://www.springframework.org/schema/security/spring-security.xsd
>
> http://www.springframework.org/schema/util
> http://www.springframework.org/schema/util/spring-util.xsd";>
>
>
>
> <bean id="authenticationManager"
> class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
>
> <constructor-arg>
>
> <map>
>
> <entry key-ref="proxyAuthenticationHandler"
> value-ref="proxyPrincipalResolver" />
>
> <entry key-ref="primaryAuthenticationHandler"
> value="#{null}" />
>
> </map>
>
> </constructor-arg>
>
>
>
> <property name="authenticationPolicy">
>
> <bean
> class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
>
> </property>
>
> </bean>
>
>
>
> <!-- Required for proxy ticket mechanism. -->
>
> <bean id="proxyAuthenticationHandler"
>
>
> class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>
> p:httpClient-ref="supportsTrustStoreSslSocketFactoryHttpClient"
> />
>
>
>
> <bean id="dataSource"
> class="org.springframework.jdbc.datasource.DriverManagerDataSource">
>
> <property name="driverClassName" value="net.sourceforge.jtds.jdbc.Driver"/>
>
> <property name="url"
> value="jdbc:jtds:sqlserver://localhost/Bonfire;integrated security=false"/>
>
> <property name="username" value="xxxxx"/>
>
> <property name="password" value="xxxxxxxxxxxx"/>
>
> </bean>
>
>
>
> <bean id="primaryAuthenticationHandler"
>
> class="org.jasig.cas.adaptors.jdbc.BonfireAuthenticationHandler"
>
> p:dataSource-ref="dataSource"
>
> p:sql="EXEC dbo.LoginAuthenticateCAS ?, ?, ?"
>
> />
>
> <!-- Required for proxy ticket mechanism -->
>
> <bean id="proxyPrincipalResolver"
>
>
> class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
>
>
>
> <bean id="primaryPrincipalResolver"
>
>
> class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver"
>
> p:principalFactory-ref="principalFactory" />
>
> <bean id="serviceRegistryDao"
> class="org.jasig.cas.services.JsonServiceRegistryDao"
>
>
> c:configDirectory="${service.registry.config.location:classpath:services}"
> />
>
>
>
> <bean id="auditTrailManager"
> class="org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
>
>
>
> <bean id="healthCheckMonitor"
> class="org.jasig.cas.monitor.HealthCheckMonitor"
> p:monitors-ref="monitorsList" />
>
>
>
> <util:list id="monitorsList">
>
> <bean class="org.jasig.cas.monitor.MemoryMonitor"
> p:freeMemoryWarnThreshold="10" />
>
> <bean class="org.jasig.cas.monitor.SessionMonitor"
>
> p:ticketRegistry-ref="ticketRegistry"
>
> p:serviceTicketCountWarnThreshold="5000"
>
> p:sessionCountWarnThreshold="100000" />
>
> </util:list>
>
> </beans>
>
>
>
>
>
>
>
> On Wed, Jan 6, 2016 at 2:54 PM, Misagh Moayyed <[email protected]>
> wrote:
>
> You do not need to define an attribute repository at all. Your attribute
> repository *is* your handler, since it’s acting as a repository of user
> attributes for you. (It is possible to merge the attributes your handler
> returns and the attributes of a separate repository, but I don’t think you
> want that in this case)
>
>
>
> So, you need to ensure:
>
>
>
> 1. Your attribute repository is nulled out, and its associated
> resolver is nulled out. See
> https://jasig.github.io/cas/4.1.x/installation/Configuring-Principal-Resolution.html#principalresolver-vs-authenticationhandler
>
> 2. You need to ensure you are pointing to the correct endpoint for
> attributes, whether that is SAML or CAS.
>
>
>
> If none of that works, change your log levels for org.jasig.cas to DEBUG
> and that should tell you the full story.
>
>
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *John
> Bruestle
> *Sent:* Wednesday, January 6, 2016 12:14 PM
> *To:* Misagh Moayyed <[email protected]>
> *Cc:* CAS Community <[email protected]>
>
>
> *Subject:* Re: [cas-user] Returning userid in Validation Response
>
>
>
> I wasn't erally expecting to change the username provided, although that
> would be OK. I was just expecting to add an other data item to what the
> validation response returnd.
>
>
>
> Anyway, I tried changing to:
>
>
>
> "usernameAttributeProvider" : {
>
> "@class" :
> "org.jasig.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>
> "usernameAttribute" : "def"
>
> },
>
> "attributeReleasePolicy" : {
>
> "@class" :
> "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
>
> "allowedAttributes" : [ "java.util.ArrayList", [ "cn", "abc", "def" ] ]
>
> },
>
>
>
> And I am still not seeing the test "def" attribute I created in my
> Authentication Handler by going:
>
>
>
> final Map<String, Object> attributes = new
> HashMap<>();
>
> attributes.put("abc", "123");
>
> attributes.put("def", "456");
>
>
>
> I do wonder if I am suppose to be defining a different attribute
> repository. Right now my deployerConfigContext.xml contains:
>
>
>
> <bean id="attributeRepository"
> class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"
>
> p:backingMap-ref="attrRepoBackingMap" />
>
>
>
> <util:map id="attrRepoBackingMap">
>
> <entry key="uid" value="uid" />
>
> <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
>
> <entry key="groupMembership" value="groupMembership" />
>
> <entry>
>
> <key><value>memberOf</value></key>
>
> <list>
>
> <value>faculty</value>
>
> <value>staff</value>
>
> <value>org</value>
>
> </list>
>
> </entry>
>
> </util:map>
>
>
>
>
>
>
>
> On Wed, Jan 6, 2016 at 2:01 AM, Misagh Moayyed <[email protected]>
> wrote:
>
> Because you told your service to use the default CAS behavior when
> returning usernames, via: "@class" :
> "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
>
> You never told it which attribute should be used as the username. It
> cannot know that without your direct instructions.
>
>
>
> If you go back to the original link I sent you, that should help describe
> what options are available for providing usernames for registered services.
> Pick the one that works on an attribute.
>
>
>
> *From:* John Bruestle [mailto:[email protected]]
> *Sent:* Tuesday, January 5, 2016 3:19 PM
> *To:* CAS Community <[email protected]>
> *Cc:* [email protected]
>
> *Subject:* Re: [cas-user] Returning userid in Validation Response
>
>
>
> Thank you for your help. I think I am getting closer:
>
>
>
> As a test, I changed the bottom of my AuthenticationHandler to:
>
>
>
> final Map<String, Object> attributes = new
> HashMap<>();
>
> attributes.put("abc", "123");
>
> attributes.put("def", "456");
>
>
>
> return createHandlerResult(credential,
> this.principalFactory.createPrincipal(username,attributes), null)
>
>
>
> And I updated the service definition to:
>
>
>
> {
>
> "@class" : "org.jasig.cas.services.RegexRegisteredService",
>
> "serviceId" : "^http://localhost/bonfire/cas/.*";,
>
> "name" : "Bonfire Development",
>
> "id" : 10000017,
>
> "description" : "Bonfire Development CAS Single Sign-On",
>
> "proxyPolicy" : {
>
> "@class" : "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy"
>
> },
>
> "evaluationOrder" : 0,
>
> "usernameAttributeProvider" : {
>
> "@class" :
> "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
>
> },
>
> "logoutType" : "BACK_CHANNEL",
>
> "attributeReleasePolicy" : {
>
> "@class" : "org.jasig.cas.services.*ReturnAllAttributeReleasePolic*y"
>
> },
>
> "accessStrategy" : {
>
> "@class" :
> "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
>
> "enabled" : true,
>
> "ssoEnabled" : true
>
> }
>
> }
>
>
>
> Only problem is that I am still just seeing only the the "user" attribute
> in the validation response. Is there something more I need to configure?
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> On Tuesday, January 5, 2016 at 1:16:21 PM UTC-5, Misagh Moayyed wrote:
>
> Since you are on 4.1, your authentication handler is able to create the
> principal with all the attributes it needs. So, as long as your handler is
> stuffing that attribute into the final Principal that is created, you
> should be able to dictate to a service that the attribute should be used in
> the final response.
>
>
>
> See this as an example of how LDAP AuthN adds attributes:
>
>
> https://github.com/Jasig/cas/blob/4.1.x/cas-server-support-ldap/src/main/java/org/jasig/cas/authentication/LdapAuthenticationHandler.java#L196
>
>
>
> Have yours do the same. You simply need to decide what the attribute name
> should be, and stuff it into a map that the principal carries for
> attributes.
>
>
>
> This is also relevant:
>
>
> https://jasig.github.io/cas/4.1.x/installation/Configuring-Principal-Resolution.html#principalresolver-vs-authenticationhandler
>
>
>
> *From:* [email protected] [mailto:[email protected] <[email protected]>]
> *On Behalf Of *John Bruestle
> *Sent:* Tuesday, January 5, 2016 11:11 AM
> *To:* CAS Community <[email protected]>
> *Cc:* [email protected]
> *Subject:* Re: [cas-user] Returning userid in Validation Response
>
>
>
> Thanks. Yes, that tells me how to configure the response so it will show
> the specific attributes I want, but it doesn't tell me how to create the
> attributes. In my case, I'm getting a userid returned by the store
> procedure I'm calling in my AuthenticationHandler, when authenticating.
> I'd like to add code there, at the point that I know the userid, to store
> (resolve?) it as an attribute. How do I do that?
>
>
>
>
>
> On Tuesday, January 5, 2016 at 12:28:38 PM UTC-5, Misagh Moayyed wrote:
>
> See if this helps:
>
> https://jasig.github.io/cas/4.1.x/integration/Attribute-Release.html
>
>
>
> Section “Principal-Id Attribute”.
>
>
>
> *From:* [email protected] [mailto:[email protected] <[email protected]>]
> *On Behalf Of *John Bruestle
> *Sent:* Tuesday, January 5, 2016 9:02 AM
> *To:* CAS Community <[email protected]>
> *Subject:* [cas-user] Returning userid in Validation Response
>
>
>
> My system's usernames used for logins are not the same as the unique
> userid's used by the database. In fact, usernames aren't necessarily
> unique and sometimes require the password to determine the specific
> userid. I need my validation response to return the userid.
>
>
>
> I already have a custom AuthenticationHandler, which implements
> AbstractJdbcUsernamePasswordAuthenticationHandler, that is correctly
> authenticating using a MSSQL stored procedure. One of the byproducts of
> calling the procedure is the userid, so that in the AuthenticationHandler
> we do know what the userid is.
>
>
>
> From my reading, it seems that there may be a way to store the userid away
> as an attribute, which could later be used as part of the validation
> response. I'm stuck however trying to figure out how to do this. I would
> appreciate some pointers, especially if they came with the specific XML
> files I need to modify and the functions I should call from within my
> AuthenticationHandler to store the attribute.
>
>
>
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
>
>
>
>
>
> --
>
> John Bruestle
> [email protected]
> (609) 737-7250
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
>
>
>
>
>
> --
>
> John Bruestle
> [email protected]
> (609) 737-7250
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
>
>
>
>
>
> --
>
> John Bruestle
> [email protected]
> (609) 737-7250
>
>
>
>
>
> --
>
> John Bruestle
> [email protected]
> (609) 737-7250
>
>
>
>
>
> --
>
> John Bruestle
> [email protected]
> (609) 737-7250
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
>
>
>
>
>
> --
>
> John Bruestle
> [email protected]
> (609) 737-7250
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
>
--
John Bruestle
[email protected]
(609) 737-7250
--
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
