Not able to return user_roles from CAS Server to the Client.


Suman
Jan 31, 2017, 12:28:44 PM
to CAS Community
Hi All,
I am using CAS Overlay project version 5.0.0.RC1.

I am not able to send user attributes other than the name from the CAS Server to the client.
I am storing the user details in a database and using CAS JDBC authentication.

Please help.

dkopy...@unicon.net
Jan 31, 2017, 1:12:22 PM
to cas-...@apereo.org
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f3ca485c-e796-43d7-9037-ed9d3bcfb128%40apereo.org.

Martin Bohun
Feb 1, 2017, 5:31:54 AM
to cas-...@apereo.org
I am not 100% sure if we are on the same page, but in cas-4.0.x I had to list the attributes like this:

Is that what you mean/want?

cheers,

martin


Ben Howell-Thomas
Feb 1, 2017, 5:48:47 AM
to cas-...@apereo.org
Just in case it's helpful: when I had that problem (via Spring Security) it was because I was using version 2 of the CAS protocol (based on whatever guide I was following). To get attributes it needed to be version 3.


Suman
Feb 1, 2017, 6:07:05 AM
to CAS Community

I am using CAS Overlay version 5.0.0.RC1 on the server side and Spring Security version 3.2.5 on the client side.
I am storing the user details in a Postgres database, in the User table. Do I need to perform any configuration from the cas-management UI? I can see Attribute Policy Options in the cas-management UI, but I am not sure about the configuration.


Ben Howell-Thomas
Feb 3, 2017, 6:20:37 AM
to cas-...@apereo.org
You don't need to use the cas-management UI to set it up.
You do need to set an attributeReleasePolicy in the service's .json file.
(You also need to specify the attributes to be returned somewhere, per the previous responses.)

It's the Spring side that I found most confusing. Below is an excerpt from applicationContext-security.xml where you specify to use CAS protocol version 3 rather than version 2 (which is the one set in the Spring Security demo app, iirc):

    <b:bean id="casAuthProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider"
            p:serviceProperties-ref="serviceProperties" p:key="casAuthProviderKey">
        <b:property name="authenticationUserDetailsService" ref="userDetailsService" />
        <b:property name="ticketValidator">
            <!-- Using CAS 3 protocol so we can get attributes back -->
            <b:bean class="org.jasig.cas.client.validation.Cas30ServiceTicketValidator"
                    p:uRLConnectionFactory-ref="casConnectionFactory">
                <b:constructor-arg value="${some.host.name.path}" />
            </b:bean>
        </b:property>
    </b:bean>

I.e. Cas30ServiceTicketValidator means use protocol version 3, which can do attribute retrieval, instead of Cas20ServiceTicketValidator, which uses version 2 and doesn't get attributes back.


Suman
Feb 7, 2017, 1:50:49 AM
to CAS Community

Please find the Spring Security client-side code below.

    // Spring Security 3.2.x CAS client configuration. The bean methods belong in a
    // WebSecurityConfigurerAdapter subclass (class name and field injection added here
    // so the snippet compiles; the property keys are placeholders for the app's own).
    import org.jasig.cas.client.session.SingleSignOutFilter;
    import org.jasig.cas.client.validation.Cas30ServiceTicketValidator;
    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Bean;
    import org.springframework.security.cas.ServiceProperties;
    import org.springframework.security.cas.authentication.CasAuthenticationProvider;
    import org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService;
    import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
    import org.springframework.security.cas.web.CasAuthenticationFilter;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
    import org.springframework.security.web.authentication.logout.LogoutFilter;
    import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;

    public class CasSecurityConfig extends WebSecurityConfigurerAdapter {

        @Value("${placeholder.service.url}")     private String serviceUrl;     // this client's callback URL registered with CAS
        @Value("${placeholder.cas.server}")      private String casServer;      // CAS server URL prefix, e.g. https://cas.example.org/cas
        @Value("${placeholder.cas.server.login}") private String casServerLogin; // CAS login URL
        @Value("${placeholder.cas.logout}")      private String casLogout;      // where to send the browser after local logout

        @Bean
        public ServiceProperties serviceProperties() {
            ServiceProperties serviceProperties = new ServiceProperties();
            serviceProperties.setService(serviceUrl);
            serviceProperties.setSendRenew(false);
            return serviceProperties;
        }

        @Bean
        public CasAuthenticationProvider casAuthenticationProvider() {
            CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
            casAuthenticationProvider.setAuthenticationUserDetailsService(authenticationUserDetailsService());
            casAuthenticationProvider.setServiceProperties(serviceProperties());
            casAuthenticationProvider.setTicketValidator(cas30ServiceTicketValidator());
            casAuthenticationProvider.setKey("an_id_for_this_auth_provider_only");
            return casAuthenticationProvider;
        }

        // Protocol 3.0 validator: the validation response carries the released attributes.
        @Bean
        public Cas30ServiceTicketValidator cas30ServiceTicketValidator() {
            return new Cas30ServiceTicketValidator(casServer);
        }

        // Turns the values of the named assertion attribute(s) into granted authorities.
        @Bean
        public AuthenticationUserDetailsService authenticationUserDetailsService() {
            String[] role = {"role"};
            return new GrantedAuthorityFromAssertionAttributesUserDetailsService(role);
        }

        // CustomAuthenticationSuccessHandler / CustomAuthenticationFailureHandler are the
        // application's own handler classes (not shown in the post).
        @Bean
        public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
            CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
            casAuthenticationFilter.setAuthenticationManager(authenticationManager());
            casAuthenticationFilter.setAuthenticationSuccessHandler(new CustomAuthenticationSuccessHandler());
            casAuthenticationFilter.setAuthenticationFailureHandler(new CustomAuthenticationFailureHandler());
            return casAuthenticationFilter;
        }

        @Bean
        public CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
            CasAuthenticationEntryPoint casAuthenticationEntryPoint = new CasAuthenticationEntryPoint();
            casAuthenticationEntryPoint.setLoginUrl(casServerLogin);
            casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
            return casAuthenticationEntryPoint;
        }

        @Bean
        public LogoutFilter requestSingleLogoutFilter() {
            LogoutFilter logoutFilter = new LogoutFilter(casLogout, new SecurityContextLogoutHandler());
            logoutFilter.setFilterProcessesUrl("/j_spring_cas_security_logout");
            return logoutFilter;
        }

        // Handles the back-channel single-logout request sent by the CAS server.
        @Bean
        public SingleSignOutFilter singleSignOutFilter() {
            SingleSignOutFilter filter = new SingleSignOutFilter();
            filter.setCasServerUrlPrefix(casServer);
            filter.setIgnoreInitConfiguration(true);
            return filter;
        }
    }


On the CAS Server side I have added the properties below:

cas.authn.attributeRepository.attributes.uid=username
cas.authn.attributeRepository.attributes.displayName=displayName
cas.authn.attributeRepository.attributes.cn=commonName
cas.authn.attributeRepository.attributes.affiliation=groupMembership
cas.authn.attributeRepository.attributes.last_name=last_name
cas.authn.attributeRepository.attributes.first_name=first_name
cas.authn.attributeRepository.attributes.user_role=user_role

Suman
Feb 7, 2017, 4:29:33 AM
to CAS Community

Hi All,
Finally I am able to fetch the user attributes of the logged-in user from the CAS Server to the client.

Thanks all for the help.

Below are the changes I made, as suggested by you guys.

1. Used Cas30ServiceTicketValidator instead of Cas20ServiceTicketValidator.
2. Corrected the attribute name in AuthenticationUserDetailsService:

    @Bean
    public AuthenticationUserDetailsService authenticationUserDetailsService() {
        // must match the attribute name released by the CAS server (the column name in the Users table)
        String[] role = {"user_role"};
        return new GrantedAuthorityFromAssertionAttributesUserDetailsService(role);
    }

The name "role" was not matching the column name "user_role" in the Users table in the CAS server database.

3. Configured the database attribute repository on the CAS Server side, as I was storing the user details in the database:

cas.authn.attributeRepository.jdbc.singleRow=true
cas.authn.attributeRepository.jdbc.requireAllAttributes=true
cas.authn.attributeRepository.jdbc.caseCanonicalization=NONE
cas.authn.attributeRepository.jdbc.queryType=OR

cas.authn.attributeRepository.jdbc.sql=SELECT * FROM users WHERE {0}
cas.authn.attributeRepository.jdbc.username=username
#cas.authn.attributeRepository.jdbc.user_role=user_role
cas.authn.attributeRepository.jdbc.healthQuery=SELECT 1
cas.authn.attributeRepository.jdbc.isolateInternalQueries=false
cas.authn.attributeRepository.jdbc.url=jdbc:postgresql://localhost:5432/casdb
cas.authn.attributeRepository.jdbc.failFast=true
cas.authn.attributeRepository.jdbc.isolationLevelName=ISOLATION_READ_COMMITTED
cas.authn.attributeRepository.jdbc.dialect=org.hibernate.dialect.PostgreSQLDialect
cas.authn.attributeRepository.jdbc.leakThreshold=10
cas.authn.attributeRepository.jdbc.propagationBehaviorName=PROPAGATION_REQUIRED
cas.authn.attributeRepository.jdbc.batchSize=1
cas.authn.attributeRepository.jdbc.user=postgres
cas.authn.attributeRepository.jdbc.ddlAuto=update
cas.authn.attributeRepository.jdbc.password=postgres
cas.authn.attributeRepository.jdbc.autocommit=false
cas.authn.attributeRepository.jdbc.driverClass=org.postgresql.Driver
cas.authn.attributeRepository.jdbc.idleTimeout=5000
cas.authn.attributeRepository.jdbc.pool.suspension=false
cas.authn.attributeRepository.jdbc.pool.minSize=6
cas.authn.attributeRepository.jdbc.pool.maxSize=18
cas.authn.attributeRepository.jdbc.pool.maxIdleTime=1000
cas.authn.attributeRepository.jdbc.pool.maxWait=2000


After these changes I was able to fetch the user attributes from the CAS Server.

Cheers!
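As an added example (not code from this thread, nor from the CAS or Spring Security projects), the following Python parses two constructed serviceValidate responses, one in the protocol 2.0 shape and one in the 3.0 shape, and maps a configured attribute name to authorities the way GrantedAuthorityFromAssertionAttributesUserDetailsService does. It makes both failure modes from the thread visible: a 2.0 response simply has no cas:attributes block, and a role attribute name that does not match the released name ("role" vs "user_role") yields no authorities.

```python
"""Parse CAS serviceValidate responses and derive authorities from a named attribute."""
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample of a protocol 3.0 (/p3/serviceValidate) success response with released attributes.
CAS30_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>suman</cas:user>
    <cas:attributes>
      <cas:first_name>Suman</cas:first_name>
      <cas:user_role>ROLE_ADMIN</cas:user_role>
      <cas:user_role>ROLE_USER</cas:user_role>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample of a protocol 2.0 (/serviceValidate) success response: no attributes at all.
CAS20_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>suman</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""


def parse_assertion(xml_text):
    """Return (principal, {attribute_name: [values]}); raise on an authenticationFailure element."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        code = failure.get("code") if failure is not None else "UNKNOWN"
        raise ValueError("ticket validation failed: %s" % code)
    user = success.findtext("cas:user", namespaces=CAS_NS)
    attrs = {}
    attributes = success.find("cas:attributes", CAS_NS)
    if attributes is not None:  # absent in a protocol 2.0 response
        for child in attributes:
            name = child.tag.rsplit("}", 1)[-1]  # drop the namespace URI, keep the local name
            attrs.setdefault(name, []).append((child.text or "").strip())
    return user, attrs


def authorities_from_attributes(attrs, role_attributes, upper_case=True):
    """Every value of each configured attribute becomes one authority (upper-cased by
    default, mirroring the Spring class's convertToUpperCase); a name that is not
    present in the assertion contributes nothing, with no error."""
    values = [v for name in role_attributes for v in attrs.get(name, [])]
    return [v.upper() for v in values] if upper_case else values
```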
