JDBC attribute repository not working since 6.3.0-R3


Andrea Del Bene

Jun 9, 2023, 12:04:21 PM
to cas-...@apereo.org

Hi everyone,

I'm working on my Apereo CAS installation to upgrade it from 6.0.x to the latest 6.6.x. My installation has a number of services which must be accessed on a role-based policy basis and they are configured like this:

"accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "user_type" : [ "java.util.HashSet", [ "o", "a", "u", "c" ] ]
    }
  },
  "properties" : {
    "@class" : "java.util.HashMap",
    "jwtAsServiceTicket" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "true" ] ]
    }
  }

Attributes are read from db and my CAS properties file contains the following configuration to access db:

cas.authn.attributeRepository.expirationTime=5
cas.authn.attributeRepository.expirationTimeUnit=SECONDS
cas.authn.attributeRepository.maximumCacheSize=1000
cas.authn.attributeRepository.merger=REPLACE

cas.authn.attributeRepository.jdbc[0].singleRow=true
cas.authn.attributeRepository.jdbc[0].sql=SELECT * FROM dnshst.users WHERE {0}
cas.authn.attributeRepository.jdbc[0].username=user
cas.authn.attributeRepository.jdbc[0].url=${CORE_DB_URL}
cas.authn.attributeRepository.jdbc[0].user=${CORE_DB_USER}
cas.authn.attributeRepository.jdbc[0].password=${CORE_DB_PASSWORD}
cas.authn.attributeRepository.jdbc[0].driverClass=org.mariadb.jdbc.Driver
cas.authn.attributeRepository.jdbc[0].autocommit=true


cas.authn.attributeRepository.jdbc[0].attributes.name=name
cas.authn.attributeRepository.jdbc[0].attributes.surname=surname
cas.authn.attributeRepository.jdbc[0].attributes.iduser=iduser
cas.authn.attributeRepository.jdbc[0].attributes.user_type=user_type
cas.authn.attributeRepository.jdbc[0].attributes.enabled=enabled
cas.authn.attributeRepository.jdbc[0].attributes.ishack=ishack
cas.authn.attributeRepository.jdbc[0].attributes.email_user=email_user
cas.authn.attributeRepository.jdbc[0].attributes.mfa_enabled=mfa_enabled


cas.authn.attributeRepository.defaultAttributesToRelease=name, surname, iduser, user_type, enabled, ishack, email_user, mfa_enabled, surrogateEnabled, surrogatePrincipal, surrogateUser

During my migration process I was able to reach version 6.2.x without any problem, but with CAS 6.3.0 it stopped loading attributes from db. Checking the logs, I noticed that during authentication I now completely miss any log from QueryDatabaseAuthenticationHandler. Investigating further, I tried to run my CAS installation starting with 6.3.0-RC1. Everything worked fine until I tried 6.3.0-RC3, which led to the problem described above.

Is any of you aware of any change between 6.3.0-RC2 and 6.3.0-RC3 that could have caused this behavior?

Thank you in advance.

Andrea Del Bene.

PS: these are my application dependencies

    implementation "org.apereo.cas:cas-server-core-api-configuration-model"
    implementation "org.apereo.cas:cas-server-webapp-init"

    implementation "org.apereo.cas:cas-server-webapp${project.appServer}"  
    implementation "org.apereo.cas:cas-server-core-tickets-api"
    implementation "org.apereo.cas:cas-server-support-jdbc-authentication"
    implementation "org.apereo.cas:cas-server-support-token-tickets"
    implementation "org.apereo.cas:cas-server-support-jpa-ticket-registry"
    implementation "org.apereo.cas:cas-server-support-pm-jdbc"
    implementation "org.apereo.cas:cas-server-support-jpa-service-registry"
    implementation "org.apereo.cas:cas-server-support-rest"
    implementation "org.apereo.cas:cas-server-support-rest-tokens"
    implementation "org.apereo.cas:cas-server-support-throttle-bucket4j"
    implementation "org.apereo.cas:cas-server-core-util"
    implementation "org.apereo.cas:cas-server-core-util-api"
    implementation "org.apereo.cas:cas-server-core-web"
    implementation "org.apereo.cas:cas-server-core-web-api"
    //implementation "org.apereo.cas:cas-server-support-captcha"
    implementation "org.apereo.cas:cas-server-core-webflow"
    implementation "org.apereo.cas:cas-server-core-webflow-api"
    implementation "org.apereo.cas:cas-server-support-pac4j-webflow"
    compileOnly "org.projectlombok:lombok:$lombokVersion"
    annotationProcessor "org.projectlombok:lombok:$lombokVersion"
    implementation group: 'org.bitbucket.b_c', name: 'jose4j', version: '0.6.5'
    implementation "org.apereo.cas:cas-server-support-surrogate-webflow"
    implementation "org.apereo.cas:cas-server-support-surrogate-authentication-jdbc"
    //implementation "org.apereo.cas:cas-server-support-x509-webflow"
    implementation "org.apereo.cas:cas-server-core-authentication-api"
    implementation "org.apereo.cas:cas-server-support-surrogate-authentication"
    implementation "org.apereo.cas:cas-server-support-surrogate-api"
    implementation "org.apereo.cas:cas-server-core-services-api"
    implementation "org.apereo.cas:cas-server-support-gauth-jpa"
    implementation "org.apereo.cas:cas-server-support-otp-mfa-core"
    //implementation "org.apereo.cas:cas-server-support-simple-mfa"
    implementation "org.apereo.cas:cas-server-support-gauth"

Ray Bon

Jun 9, 2023, 12:37:08 PM
to cas-...@apereo.org
Andrea,

It is possible that property names have changed across versions.
To get a file with all cas properties:
./gradlew exportConfigMetadata

Then search that file for your property, e.g.:
You have:
cas.authn.attributeRepository.defaultAttributesToRelease

In version 6.5 it is:
cas.authn.attribute-repository.core.default-attributes-to-release

(camelCase and kebab-case work the same.)

To see what gradlew can do:
./gradlew tasks

Also, you can jump to your target version; no reason to crawl through intermediate versions.

Ray
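
The search described in the reply above can be done for a whole properties file at once. This is an added example, not part of the original thread or of the CAS project: it assumes the exported metadata is a .properties-style list with one property name per line, the metadata sample is constructed (only the core.default-attributes-to-release name comes from the reply), and the function names are hypothetical.

```python
import re

# Constructed sample: a few keys from the question's cas.properties.
OLD_PROPS = """
cas.authn.attributeRepository.jdbc[0].singleRow=true
cas.authn.attributeRepository.jdbc[0].sql=SELECT * FROM dnshst.users WHERE {0}
cas.authn.attributeRepository.jdbc[0].attributes.user_type=user_type
cas.authn.attributeRepository.defaultAttributesToRelease=name, surname
"""

# Constructed stand-in for the file written by ./gradlew exportConfigMetadata.
METADATA = """
# constructed metadata sample
cas.authn.attribute-repository.core.default-attributes-to-release=
cas.authn.attribute-repository.jdbc[0].single-row=
cas.authn.attribute-repository.jdbc[0].sql=
cas.authn.attribute-repository.jdbc[0].attributes=
"""

def canonical(key):
    """Lower-case, drop dashes and collapse list indexes, so camelCase and
    kebab-case spellings of the same property compare equal."""
    return re.sub(r"\[\d*\]", "[]", key.strip()).replace("-", "").lower()

def keys_of(text):
    """Property names from .properties-style text; comments and blanks skipped."""
    lines = (line.strip() for line in text.splitlines())
    return [l.split("=", 1)[0].strip() for l in lines if l and not l.startswith("#")]

def unknown_keys(old_text, metadata_text):
    """Map each old key missing from the target version to rename candidates,
    i.e. known names that end in the same final segment."""
    known = {canonical(k): k for k in keys_of(metadata_text)}
    report = {}
    for key in keys_of(old_text):
        canon = canonical(key)
        parent, _, leaf = canon.rpartition(".")
        # The parent check accepts map entries such as attributes.user_type.
        if canon in known or parent in known:
            continue
        report[key] = sorted(n for c, n in known.items()
                             if c.rpartition(".")[2] == leaf)
    return report

if __name__ == "__main__":
    for old, candidates in unknown_keys(OLD_PROPS, METADATA).items():
        print(old, "->", candidates or "no candidate found")
```

A key that is reported here is one the target version would not bind, which for an attribute repository means services with requiredAttributes lose the attributes their access strategy checks.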
