After trying to use (I am able to log in and authenticate):

http://shiro.apache.org/cas.html

with

casRealm.validationProtocol = SAML

enabled, I was able to log in to the app.  However, I did not have permissions
or role options.
What does this mean?  I could not use:

...
if ( currentUser.hasRole( "schwartz" ) ) { 
...

Just to see what Shiro was using I dumped the principal attributes by using:

...
   public void verify(){
      try{
         Subject subject = SecurityUtils.getSubject();
         if ( subject.isAuthenticated() ){
            // dump every principal attached to the subject
            List perms = subject.getPrincipals().asList();
            for ( Object perm : perms ){
               logger.debug(perm.toString());
            }

            logger.info("Authenticated user: {}",
                        subject.getPrincipal().toString());
         }
      } catch ( Exception e ){
         logger.error("verify failed", e);
      }
   }
...
and got
...
Info:   DEBUG [http-listener-1(1)] (StartShiro.java:35) -
{samlAuthenticationStatementAuthMethod=urn:oasis:names:tc:SAML:1.0:am:password,
authenticationMethod=LdapAuthenticationHandler, displayName=Test User,
roles=[cn=user administrator,cn=roles,cn=accounts,dc=mydomain,dc=com,
cn=change a user password,cn=permissions,cn=pbac,dc=mydomain,dc=com, cn=user
administrators,cn=privileges,cn=pbac,dc=mydomain,dc=com, cn=modify
groups,cn=permissions,cn=pbac,dc=mydomain,dc=com,
cn=developers,cn=groups,cn=accounts,dc=mydomain,dc=com, ...,
cn=cas_admin,cn=roles,cn=accounts,dc=mydomain,dc=com, ..., cn=modify
users,cn=permissions,cn=pbac,dc=mydomain,dc=com, cn=add
groups,cn=permissions,cn=pbac,dc=mydomain,dc=com, cn=remove
groups,cn=permissions,cn=pbac,dc=mydomain,dc=com],
successfulAuthenticationHandlers=LdapAuthenticationHandler,
[email protected]}
INFO [http-listener-1(1)] (StartShiro.java:38) - Authenticated user:
testuser
...

So I switched to using pac4j-cas

https://github.com/bujiio/buji-pac4j

...
      try{
         Subject subject = SecurityUtils.getSubject();
         if ( subject.isAuthenticated() ){
            // the pac4j profile is one of the principals; look it up by type
            // rather than relying on its position in the list
            CommonProfile commonProfile =
               subject.getPrincipals().oneByType(CommonProfile.class);
            for ( String role : commonProfile.getRoles() ){
               logger.debug(role);
            }
            // works! (the {} placeholder is required, or SLF4J logs only the text)
            logger.info("Main principal: {}", commonProfile.getDisplayName());

            // email works!
            logger.info("Authenticated user email: {}",
                        commonProfile.getEmail());
         }
      } catch ( Exception e ){
         logger.error("verify failed", e);
      }
...
Info:   INFO [http-listener-1(1)] (StartShiro.java:38) - Main principal:
Info:   INFO [http-listener-1(1)] (StartShiro.java:40) - Authenticated user
email: [email protected]

I obviously need roles and permissions.  I can feel that I am pretty close
but not close enough.
I configured the CAS server and control the properties returned by the SAML
service on the CAS server with:
...
<bean id="ldapAuthenticationHandler"
      class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="uid" c:authenticator-ref="authenticator">
    <property name="principalAttributeMap">
        <map>
            <entry key="displayName" value="displayName" />
            <entry key="mail" value="email" />
            <entry key="memberOf" value="roles" />
        </map>
    </property>
</bean>
...

Still, at this point I feel there is a mapping problem between the SAML
document and the Shiro client.  Not sure where to proceed from here.

Here are the particulars:

CAS server:  4.2.1
Shiro core:  1.2.4
Shiro web:  1.2.4
pac4j-core:  1.8.8
pac4j-cas:  1.8.8

--
View this message in context: 
http://shiro-user.582556.n2.nabble.com/SAML-1-x-almost-there-tp7581043.html
Sent from the Shiro User mailing list archive at Nabble.com.
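The mapping step the post is missing, as an added example that is not from the post nor from the pac4j or buji-pac4j projects: a pac4j AuthorizationGenerator that turns the multi-valued roles attribute (the LDAP DNs in the dump above) into roles and permissions on the profile, which buji-pac4j then exposes to Shiro's hasRole/isPermitted. It assumes pac4j 1.8.x's org.pac4j.core.authorization.generator.AuthorizationGenerator interface with a generate(profile) method and the addAuthorizationGenerator registration call on the CasClient; the class name and the rule "entries under cn=roles are roles, entries under cn=permissions are permissions" are the example's own choices.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.pac4j.core.authorization.generator.AuthorizationGenerator;
import org.pac4j.core.profile.CommonProfile;

// Maps the multi-valued "roles" attribute released by CAS (LDAP DNs, as in the
// dump above) onto the profile that buji-pac4j hands to Shiro, so that
// subject.hasRole("cas_admin") and subject.isPermitted("modify users") work.
// Register it once: casClient.addAuthorizationGenerator(new DnRoleAuthorizationGenerator());
public class DnRoleAuthorizationGenerator implements AuthorizationGenerator<CommonProfile> {

    private static final String ROLES_ATTRIBUTE = "roles"; // CAS maps memberOf -> roles
    // Leading RDN "cn=<value>," then the rest of the DN (assumes no escaped "\," in the value).
    private static final Pattern LEADING_CN =
            Pattern.compile("^cn=([^,]+),(.*)$", Pattern.CASE_INSENSITIVE);

    @Override
    public void generate(final CommonProfile profile) {
        for (String dn : dnValues(profile.getAttribute(ROLES_ATTRIBUTE))) {
            Matcher m = LEADING_CN.matcher(dn.trim());
            if (!m.matches()) continue;                     // not a DN: ignore it
            String name = m.group(1).trim();
            String parent = m.group(2).trim().toLowerCase();
            if (parent.startsWith("cn=roles,")) {
                profile.addRole(name);                      // e.g. "user administrator"
            } else if (parent.startsWith("cn=permissions,")) {
                profile.addPermission(name);                // e.g. "modify users"
            }
            // cn=groups and cn=privileges entries are deliberately not mapped
        }
    }

    // The attribute arrives as a List when multi-valued and as a String when
    // single-valued; DNs contain commas, so a String is never split on ",".
    static List<String> dnValues(final Object value) {
        if (value instanceof Collection) {
            List<String> out = new ArrayList<String>();
            for (Object item : (Collection<?>) value) out.add(String.valueOf(item));
            return out;
        }
        if (value instanceof String) return Collections.singletonList((String) value);
        return Collections.emptyList();
    }
}
```

Only attributes from the CAS-validated assertion reach the profile, so the roles Shiro sees are exactly the ones the server chose to release; keep the mapping explicit rather than splitting the attribute on commas, which would mangle every DN.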