Adding a logger for the PolicyBasedAuthenticationManager does show the
principals being being populated. Thanks for the information :-)
I tried dropping back to just a stub attributeRepository bean:
<bean id="attributeRepository"
class="org.jasig.services.persondir.support.StubPersonAttributeDao"
p:backingMap-ref="attrRepoBackingMap" />
<util:map id="attrRepoBackingMap">
<entry key="uid" value="user" />
<entry key="mail" value="email" />
<entry key="cn" value="displayName" />
<entry key="eduPersonPrincipalName"
value="eduPersonPrincipalName" />
</util:map>
and what I see in the logs is that rather than containing values mapped
to the names the mapping variables are mapping and returning the
attribute names instead:
2014-09-02 14:16:08,601 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found
principal attribute: [uid[rat9]]>
2014-09-02 14:16:08,601 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found
principal attribute: [mail[regina.t...@case.edu]]>
2014-09-02 14:16:08,602 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found
principal attribute: [cn[Register Test]]>
2014-09-02 14:16:08,602 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found
principal attribute: [eduPersonPrincipalName[r...@demo.case.edu]]>
2014-09-02 14:16:08,603 INFO
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
<LdapAuthenticationHandler successfully authenticated rat9+password>
2014-09-02 14:16:08,603 DEBUG
[org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] -
<Attempting to resolve a principal...>
2014-09-02 14:16:08,603 DEBUG
[org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] -
<Creating SimplePrincipal for [rat9]>
2014-09-02 14:16:08,604 DEBUG
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
<org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver@b88dbe
resolved rat9 from rat9+password>
2014-09-02 14:16:08,605 INFO
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
<Authenticated rat9 with credentials [rat9+password].>
2014-09-02 14:16:08,605 DEBUG
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
<Attribute map for rat9: *{displayName=cn,
eduPersonPrincipalName=eduPersonPrincipalName, user=uid, email=mail}*>
Unless there is some way to force the actual values into the stub
mapping, it looks like you MUST do the additional search. It's not as
bad as it could be since I am reusing the authentication search
connection pool to grab the information, so instead of opening a
connection and doing a search, I am just doing the search.
Dave
On 8/29/14 4:32 PM, Marvin Addison wrote:
>> In short, is there some way to dump the
>> principal after authentication, or some other way to tell if the
>> attributes have been properly stored.
> PolicyBasedAuthenticationManager logs the resolved principal at DEBUG:
>
> logger.info("Authenticated {} with credentials {}.", principal,
> Arrays.asList(credentials));
> logger.debug("Attribute map for {}: {}", principal.getId(),
> principal.getAttributes());
>
> Turning up org.jasig.cas.authentication to DEBUG would print out the
> information you need to definitively show whether the attributes you
> expect are in the principal.
>
>> This is the definition of the "primaryPrincipalResolver" that seems to
>> finally be working:
>>
>> <!--
>> | Resolves a principal from a credential using an attribute
>> repository that is configured to resolve
>> | against a deployer-specific store (e.g. LDAP).
>> -->
>> <bean id="primaryPrincipalResolver"
>>
>> class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver"
>> <property name="attributeRepository" ref="attributeRepository" />
>> </bean>
> While I imagine that it does work, it's not efficient since you're
> effectively doing attribute resolution twice. The handler can resolve
> attributes on the same connection as that used for authentication;
> with PersonDirectoryPrincipalResolver, you're opening a new connection
> to do it again. The wrinkle is that you MUST define an
> attributeRepository bean for use by other system components, but you
> should probably use a StubPersonAttributeDao [1] bean that simply has
> the attribute mapping.
>
> M
>
> [1]
> http://developer.jasig.org/projects/person-directory/1.1.1/apidocs/org/jasig/services/persondir/support/StubPersonAttributeDao.html
>
--
You are currently subscribed to cas-user@lists.jasig.org as:
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
