Rerequesting CAS attributes

Pavel Antonov

Oct 18, 2018, 8:31:12 AM
to CAS Community
Hi! I'm developing an API using the Spring Framework.
CAS server version 5.3.1, CAS protocol version 3 and the CAS client included with Spring Security are used for user authentication.
Based on this example https://apereo.github.io/2018/02/20/cas-service-rbac-attributeresolution/ I use CAS attributes as user roles in my API.
It's necessary to rerequest CAS from my API to update the roles for an already authenticated user.
Is it possible to do that without user browser redirects?

Ray Bon

Oct 18, 2018, 1:27:10 PM
to cas-...@apereo.org
Pavel,

I suspect getting attributes for protocol 3 will be the same as SAML 1.1.

AttributePrincipal principal = (AttributePrincipal)request.getUserPrincipal();
Map attributes = principal.getAttributes();

There should be no need to go back to CAS.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Павел Антонов

Oct 19, 2018, 4:00:32 AM
to cas-...@apereo.org
Ray, I need to apply new attributes (changed in CAS) to an already authenticated user.
How can I do this without logoff/logon of the currently authenticated user?
Does your recommendation solve my problem? I think "Map attributes = principal.getAttributes()" will return the outdated attributes obtained during authentication...


--
Sent from a PC

Ray Bon

Oct 19, 2018, 12:47:50 PM
to cas-...@apereo.org
Pavel,

I see. You are right that the attributes will be outdated.
I do not know if there is a way to refresh without login.
This sounds similar to a unix login session; if something like group membership is changed, the user will need to log in again to see the change.

Ray

Dmitriy Kopylenko

Oct 31, 2018, 11:53:15 AM
to cas-...@apereo.org
You might want to look into and configure attribute caching policy such that it will basically re-resolve them from attribute sources every time ST gets validated, hence you’ll get a fresh set of attributes every time CAS ST validation protocol dance happens:


Cheers,
D.

Павел Антонов

Nov 14, 2018, 8:17:36 AM
to cas-...@apereo.org
Thank you for your answers!
I found a more suitable solution. I use the Spring Redis session for my two web applications. Therefore, I have one common security context without SSO.

--
Sent from a PC