[cas-user] Attribute resolved but not released?

Chris Irwin Thu, 03 Sep 2015 09:01:00 -0700

After some reconfigurations I was able to get the attribute map to populate:



2015-09-03 11:34:19,142 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] 
- Extractor generated service for: https://njcu.awardspring.com/SignIn/CASAuth
2015-09-03 11:35:49,483 INFO 
[org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered 
services.
2015-09-03 11:35:49,483 DEBUG 
[org.jasig.cas.services.DefaultServicesManagerImpl] - Adding registered service 
^(https?|imaps?)://.*
2015-09-03 11:35:49,483 INFO 
[org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 1 services.
2015-09-03 11:36:45,709 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] 
- Extractor generated service for: https://njcu.awardspring.com/SignIn/CASAuth
2015-09-03 11:36:45,709 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] 
- Extractor generated service for: https://njcu.awardspring.com/SignIn/CASAuth
2015-09-03 11:36:56,144 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Attempting LDAP 
authentication for 2233445+password
2015-09-03 11:36:56,175 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: 
[org.ldaptive.auth.AuthenticationResponse@1429278053::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS,
 
ldapEntry=[dn=CN=2233445,OU=PeopleSoft_UGrads,DC=students,dc=root,dc=njcu[[legacyExchangeDN[/o=First
 Organization/ou=Exchange Administrative Group 
(FYDIBOHF23SPDLT)/cn=Recipients/cn=2233445557]], [mail[asa...@njcu.edu]], 
[proxyAddresses[SMTP:asa...@njcu.edu, smtp:asa...@live.njcu.edu, 
smtp:asa...@exchange.njcu.edu]], [uSNCreated[59219964]], 
[whenChanged[20150828141421.0Z]], [objectClass[top, person, 
organizationalPerson, user]], [primaryGroupID[513]], [givenName[Apple]], 
[objectGUID[BbC~1?uF??!%??]], [extensionAttribute15[GALEnabled]], 
[instanceType[0]], [objectSid[        ~dS?0n?.?^?M ]], 
[whenCreated[20150810155326.0Z]], [msExchHideFromAddressLists[TRUE]], 
[dSCorePropagationData[16010101000000.0Z]], [sn[Sauce]], 
[userAccountControl[66048]], [lastLogonTimestamp[130852448531619587]], 
[mailNickname[ASauce]], [msExchRecipientTypeDetails[128]], [cn[2233445]], 
[msExchRecipientDisplayType[6]], [sAMAccountName[2233445]], 
[targetAddress[SMTP:asa...@live.njcu.edu]], [sAMAccountType[805306368]], 
[userPrincipalName[asa...@njcu.edu]], [showInAddressBook[CN=All Mail 
Users(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=First 
Organization,CN=Microsoft 
Exchange,CN=Services,CN=Configuration,DC=root,DC=njcu, CN=All 
Recipients(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=First 
Organization,CN=Microsoft 
Exchange,CN=Services,CN=Configuration,DC=root,DC=njcu]], [displayName[Apple 
Sauce]], [pwdLastSet[130852448484974989]], [name[2233445]], 
[msExchPoliciesExcluded[{26491cfc-9e50-4857-861b-0cb8df22b5d7}]], 
[msExchUMDtmfMap[emailAddress:272823, lastNameFirstName:2233445, 
firstNameLastName:2233445]], 
[objectCategory[CN=Person,CN=Schema,CN=Configuration,DC=root,DC=njcu]], 
[distinguishedName[CN=2233445,OU=PeopleSoft_UGrads,DC=students,DC=root,DC=njcu]],
 [internetEncoding[1310720]], [msExchVersion[44220983382016]], 
[uSNChanged[60537450]]], responseControls=null, messageId=-1], 
accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]
2015-09-03 11:36:56,175 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [sAMAccountName[2233445]]
2015-09-03 11:36:56,175 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [cn[2233445]]
2015-09-03 11:36:56,175 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [givenName[Apple]]
2015-09-03 11:36:56,175 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [sn[Sauce]]
2015-09-03 11:36:56,175 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [mail[asa...@njcu.edu]]
2015-09-03 11:36:56,175 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [displayName[Apple Sauce]]
2015-09-03 11:36:56,175 INFO 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 
LdapAuthenticationHandler successfully authenticated 2233445+password
2015-09-03 11:36:56,175 DEBUG 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - No resolver 
configured for LdapAuthenticationHandler. Falling back to handler principal 
2233445
2015-09-03 11:36:56,175 INFO 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - Authenticated 
2233445 with credentials [2233445+password].
2015-09-03 11:36:56,175 DEBUG 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - Attribute map 
for 2233445: {userName=2233445, Student ID=2233445, First Name=Apple, Last 
Name=Sauce, email=asa...@njcu.edu, displayName=Apple Sauce}
2015-09-03 11:36:56,175 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail 
record BEGIN


This is a step in the right direction but it doesn't appear that it's being 
released correctly as the response I get back on the app side only shows the 
authentication:


<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>2233445</cas:user>


</cas:authenticationSuccess>
</cas:serviceResponse>


My deployerConfigContext.xml is as follows:


<?xml version="1.0" encoding="UTF-8"?>
<!--

    Licensed to Jasig under one or more contributor license
    agreements. See the NOTICE file distributed with this work
    for additional information regarding copyright ownership.
    Jasig licenses this file to you under the Apache License,
    Version 2.0 (the "License"); you may not use this file
    except in compliance with the License.  You may obtain a
    copy of the License at the following location:

      http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing,
    software distributed under the License is distributed on an
    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    KIND, either express or implied.  See the License for the
    specific language governing permissions and limitations
    under the License.

-->
<beans xmlns="http://www.springframework.org/schema/beans";
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
       xmlns:p="http://www.springframework.org/schema/p";
       xmlns:c="http://www.springframework.org/schema/c";
       xmlns:tx="http://www.springframework.org/schema/tx";
       xmlns:util="http://www.springframework.org/schema/util";
       xmlns:sec="http://www.springframework.org/schema/security";
    xmlns:context="http://www.springframework.org/schema/context";
       xsi:schemaLocation="http://www.springframework.org/schema/beans 
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
       http://www.springframework.org/schema/tx 
http://www.springframework.org/schema/tx/spring-tx-3.2.xsd
       http://www.springframework.org/schema/security 
http://www.springframework.org/schema/security/spring-security-3.2.xsd
       http://www.springframework.org/schema/util 
http://www.springframework.org/schema/util/spring-util.xsd";>
<!--
    <bean id="authenticationManager" 
class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
        <constructor-arg>
            <map>
                <entry key-ref="proxyAuthenticationHandler" 
value-ref="proxyPrincipalResolver" />
    <entry key-ref="ldapAuthenticationHandler" 
value-ref="primaryPrincipalResolver" />
            </map>
        </constructor-arg>
        <property name="authenticationPolicy">
            <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" 
/>
        </property>
    </bean> -->
 <bean id="authenticationManager" 
class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
        <constructor-arg>
            <list>
                <ref bean="ldapAuthenticationHandler"/>
            </list>
        </constructor-arg>
        <property name="authenticationPolicy">
            <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" 
/>
        </property>
    </bean>

    <!-- Required for proxy ticket mechanism. -->
    <bean id="proxyAuthenticationHandler"
          
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
          p:httpClient-ref="httpClient" />

    <bean id="primaryAuthenticationHandler"
          class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
        <property name="users">
            <map>
                <entry key="casuser" value="Mellon"/>
            </map>
        </property>
    </bean>

    <!-- Required for proxy ticket mechanism -->
    <bean id="proxyPrincipalResolver"
          class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" 
/>

    <!--
       | Resolves a principal from a credential using an attribute repository 
that is configured to resolve
       | against a deployer-specific store (e.g. LDAP).
       -->
    <bean id="primaryPrincipalResolver"
          
class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver" 
>
        <property name="attributeRepository" ref="attributeRepository" />
    </bean>

    <!--
    Bean that defines the attributes that a service may return.  This example 
uses the Stub/Mock version.  A real implementation
    may go against a database or LDAP server.  The id should remain 
"attributeRepository" though.

    <bean id="attributeRepository" 
class="org.jasig.services.persondir.support.StubPersonAttributeDao"
            p:backingMap-ref="attrRepoBackingMap" />

    <util:map id="attrRepoBackingMap">
        <entry key="uid" value="uid" />
        <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
        <entry key="groupMembership" value="groupMembership" />
    </util:map>
-->
 <bean id="attributeRepository" 
class="org.jasig.cas.persondir.LdapPersonAttributeDao"
    p:baseDN="${ldap.baseDn}"
    p:searchFilter="samAccountName={0}"
    p:searchControls-ref="searchControls"
    p:connectionFactory-ref="searchPooledLdapConnectionFactory"
    p:queryAttributeMapping-ref="queryAttributeMap"
    p:resultAttributeMapping-ref="resultAttributeMap"
    />
  <util:map id="queryAttributeMap">
   <entry key="username" value="sAMAccountName" />
  </util:map>

  <util:map id="resultAttributeMap">
     <entry key="samAccountName" value="userName" />
   <entry key="cn" value="Student ID" />
   <entry key="givenName" value="First Name" />
   <entry key="sn" value="Last Name" />
            <entry key="mail" value="email" />
            <entry key="displayName" value="displayName" />
  </util:map>

    <!--
    Sample, in-memory data store for the ServiceRegistry. A real implementation
    would probably want to replace this with the JPA-backed ServiceRegistry DAO
    The name of this bean should remain "serviceRegistryDao".-->

    <bean id="serviceRegistryDao" 
class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"
            p:registeredServices-ref="registeredServicesList" />

<!--
 <bean id="serviceRegistryDao" 
class="org.jasig.cas.adaptors.ldap.services.LdapServiceRegistryDao"
   p:connectionFactory-ref="searchPooledLdapConnectionFactory"
   p:ldapServiceMapper-ref="ldapMapper" />
 <bean id="ldapMapper" 
class="org.jasig.cas.adaptors.ldap.services.DefaultLdapServiceMapper"/>

 <bean id="searchRequest" class="org.ldaptive.SearchRequest">
    <property name="baseDn" value="dc=root,dc=njcu" />
    <property name="searchFilter" value="sAMAccountName={0}" />
 </bean>-->
    <util:list id="registeredServicesList">
        <bean class="org.jasig.cas.services.RegexRegisteredService"
              p:id="0" p:name="HTTP and IMAP" p:description="Allows HTTP(S) and 
IMAP(S) protocols"
              p:serviceId="^(https?|imaps?)://.*" p:evaluationOrder="10000001" 
/>
     <!--
     <util:list id="registeredServicesList">

        <bean class="org.jasig.cas.services.RegexRegisteredService">
              <property name ="id" value="0" />
     <property name="name" value = "HTTP and IMAP" />
     <property name="description" value = "Allows HTTP(S) and IMAP(S) 
protocols" />
              <property name="serviceId" value="^(https?|imaps?)://.*" />
     <property name="evaluationOrder" value="10000001" />
     <property name="allowedAttributes">
    <list>
     <value>userName</value>
     <value>Student ID</value>
     <value>First Name</value>
     <value>Last Name</value>
     <value>email</value>
     <value>employeeID</value>
    </list>
   </property>
  </bean>

        Use the following definition instead of the above to further restrict 
access
        to services within your domain (including sub domains).
        Note that example.com must be replaced with the domain you wish to 
permit.
        This example also demonstrates the configuration of an attribute filter
        that only allows for attributes whose length is 3.


        <bean class="org.jasig.cas.services.RegexRegisteredService">
            <property name="id" value="1" />
            <property name="name" value="All Websites" />
            <property name="description" value="Allows HTTP(S) sites" />
            <property name="serviceId" value="^(https?)://.*" />
            <property name="evaluationOrder" value="0" />
            <property name="attributeFilter">
              <bean 
class="org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter" 
c:regex="^\w{3}$" />
            </property>
        </bean>

  <bean class="org.jasig.cas.services.RegisteredServiceImpl">
   <property name="id" value="0" />
   <property name="name" value="AwardSpring" />
   <property name="description" value="Your HTTP Service" />
   <property name="serviceId" 
value="https://njcu.awardspring.com/SignIn/CASAuth"; />
   <property name="allowedAttributes">
    <list>
     <value>userName</value>
     <value>Student ID</value>
     <value>First Name</value>
     <value>Last Name</value>
     <value>email</value>
     <value>employeeID</value>
    </list>
   </property>
  </bean>
  <bean class="org.jasig.cas.services.RegisteredServiceImpl">
   <property name="id" value="1" />
   <property name="name" value="EAB" />
   <property name="description" value="Your HTTP Service" />
   <property name="serviceId" 
value="https://sscimpl.advisory.com/gsrc/SSO/njcu"; />
   <property name="allowedAttributes">
    <list>
     <value>userName</value>
     <value>Student ID</value>
     <value>First Name</value>
     <value>Last Name</value>
     <value>email</value>
     <value>employeeID</value>
    </list>
   </property>
  </bean>
  <bean class="org.jasig.cas.services.RegisteredServiceImpl">
   <property name="id" value="2" />
   <property name="name" value="CBORD" />
   <property name="description" value="GET FUNDS" />
   <property name="serviceId" value="https://get.cbord.com/njcu/full/login.php"; 
/>
   <property name="allowedAttributes">
    <list>
     <value>userName</value>
     <value>Student ID</value>
     <value>First Name</value>
     <value>Last Name</value>
     <value>email</value>
     <value>employeeID</value>
    </list>
   </property>
  </bean> -->
    </util:list>

    <bean id="auditTrailManager" 
class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />

    <bean id="healthCheckMonitor" 
class="org.jasig.cas.monitor.HealthCheckMonitor" p:monitors-ref="monitorsList" 
/>

    <util:list id="monitorsList">
      <bean class="org.jasig.cas.monitor.MemoryMonitor" 
p:freeMemoryWarnThreshold="10" />
      <!--
        NOTE
        The following ticket registries support SessionMonitor:
          * DefaultTicketRegistry
          * JpaTicketRegistry
        Remove this monitor if you use an unsupported registry.
      -->
      <bean class="org.jasig.cas.monitor.SessionMonitor"
          p:ticketRegistry-ref="ticketRegistry"
          p:serviceTicketCountWarnThreshold="5000"
          p:sessionCountWarnThreshold="100000" />
    </util:list>
 <!-- Cirwin - Add Attribute release bean
<context:component-scan base-package="org.jasig.cas" />
<context:annotation-config />
 -->
<bean id="ldapPersonAttributeDao"
   class="org.jasig.cas.persondir.LdapPersonAttributeDao"
   p:connectionFactory-ref="searchPooledLdapConnectionFactory"
   p:baseDN="${ldap.baseDn}"
   p:searchControls-ref="searchControls"
   p:searchFilter="samAccountName={0}">
   <property name="queryAttributeMapping">
  <map>
   <entry key="username" value="samAccountName" />
  </map>
   </property>
   <property name="resultAttributeMapping">
  <map>
   <entry key="samAccountName" value="userName" />
   <entry key="cn" value="Student ID" />
   <entry key="givenName" value="First Name" />
   <entry key="sn" value="Last Name" />
            <entry key="mail" value="email" />
            <entry key="displayName" value="displayName" />
   <entry key="employeeID" value="employeeID" />
  </map>
    </property>
</bean>
<bean id="searchControls" class="javax.naming.directory.SearchControls"
  p:searchScope="2"
  p:countLimit="10" />

<!-- INSERT CONNECTION CONFIGURATIONS HERE -->
<bean id="ldapAuthenticationHandler"
      class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="samAccountName"
      c:authenticator-ref="authenticator">
    <property name="principalAttributeMap">
        <map>
            <!--
               | This map provides a simple attribute resolution mechanism.
               | Keys are LDAP attribute names, values are CAS attribute names.
               | Use this facility instead of a PrincipalResolver if LDAP is
               | the only attribute source.
               -->
   <entry key="samAccountName" value="userName" />
   <entry key="cn" value="Student ID" />
   <entry key="givenName" value="First Name" />
   <entry key="sn" value="Last Name" />
            <entry key="mail" value="email" />
            <entry key="displayName" value="displayName" />
   <entry key="employeeID" value="employeeID" />
        </map>
    </property>
</bean>

<bean id="authenticator" class="org.ldaptive.auth.Authenticator"
      c:resolver-ref="dnResolver"
      c:handler-ref="authHandler" />

<bean id="dnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"
      p:baseDn="${ldap.baseDn}"
      p:subtreeSearch="true"
      p:allowMultipleDns="false"
      p:connectionFactory-ref="searchPooledLdapConnectionFactory"
      p:userFilter="${ldap.authn.searchFilter}" />

<bean id="searchPooledLdapConnectionFactory"
      class="org.ldaptive.pool.PooledConnectionFactory"
      p:connectionPool-ref="searchConnectionPool" />

<bean id="searchConnectionPool" parent="abstractConnectionPool"
      p:connectionFactory-ref="searchConnectionFactory" />

<bean id="searchConnectionFactory"
      class="org.ldaptive.DefaultConnectionFactory"
      p:connectionConfig-ref="searchConnectionConfig" />

<bean id="searchConnectionConfig" parent="abstractConnectionConfig"
      p:connectionInitializer-ref="bindConnectionInitializer" />

<bean id="bindConnectionInitializer"
      class="org.ldaptive.BindConnectionInitializer"
      p:bindDn="cass...@root.njcu">
    <property name="bindCredential">
        <bean class="org.ldaptive.Credential"
              c:password="${ldap.authn.managerPassword}" />
    </property>
</bean>

<bean id="abstractConnectionPool" abstract="true"
      class="org.ldaptive.pool.BlockingConnectionPool"
      init-method="initialize"
      p:poolConfig-ref="ldapPoolConfig"
      p:blockWaitTime="${ldap.pool.blockWaitTime}"
      p:validator-ref="searchValidator"
      p:pruneStrategy-ref="pruneStrategy" />

<bean id="abstractConnectionConfig" abstract="true"
      class="org.ldaptive.ConnectionConfig"
      p:ldapUrl="${ldap.url}"
      p:connectTimeout="${ldap.connectTimeout}"
      p:useStartTLS="${ldap.useStartTLS}"
      p:sslConfig-ref="sslConfig" />

<bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
      p:minPoolSize="${ldap.pool.minSize}"
      p:maxPoolSize="${ldap.pool.maxSize}"
      p:validateOnCheckOut="${ldap.pool.validateOnCheckout}"
      p:validatePeriodically="${ldap.pool.validatePeriodically}"
      p:validatePeriod="${ldap.pool.validatePeriod}" />

<bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
    <property name="credentialConfig">
        <bean class="org.ldaptive.ssl.X509CredentialConfig"
              p:trustCertificates="${ldap.trustedCert}" />
    </property>
</bean>

<bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
      p:prunePeriod="${ldap.pool.prunePeriod}"
      p:idleTime="${ldap.pool.idleTime}" />

<bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />

<bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler"
      p:connectionFactory-ref="bindPooledLdapConnectionFactory" />

<bean id="bindPooledLdapConnectionFactory"
      class="org.ldaptive.pool.PooledConnectionFactory"
      p:connectionPool-ref="bindConnectionPool" />

<bean id="bindConnectionPool" parent="abstractConnectionPool"
      p:connectionFactory-ref="bindConnectionFactory" />

<bean id="bindConnectionFactory"
      class="org.ldaptive.DefaultConnectionFactory"
      p:connectionConfig-ref="bindConnectionConfig" />

<bean id="bindConnectionConfig" parent="abstractConnectionConfig" />

</beans>



-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

[cas-user] Attribute resolved but not released?

Reply via email to