Attribute repositories never update unless defined in every service

127 views
Skip to first unread message

Felix Scheinost

unread,
Jun 25, 2024, 11:33:37 PM6/25/24
to CAS Community
Hi all,

we just stumbled across some behaviour that we didn't expect in CAS 6.6.x.

We activated a `attribute-repository` using `cas.authn.attribute-repository.[...]`.
We activated it globally using `cas.person-directory.active-attribute-repository-ids`
The attribute repository itself works as expected, when first logging in.

The problem arises when for an existing SSO session a new ticket is created. We expected that `cas.authn.attribute-repository.core.expiration-time` would be respected.

Meaning that when:
  • logging in => attribute repository is called
  • waiting `expiration-time`
  • deleting the session in the service, SSO session is still active (due to e.g. remember me)
  • trying to reauthenticate in the service
Expected behaviour
  • CAS still has the old values of the attributes, should expire them and update them
Actual behaviour
  • The attribute repositories are NOT called. Old values (from DB attached to ticket?) used.
Workaround:
  • Setting `attributeReleasePolicy.principalAttributesRepository.attributeRepositoryIds`, caching and mergingStrategy in every service.
Would you consider this a bug or is there some kind of misunderstanding on our side?

We looked into the code a little bit and think that while the login code does use the globally defined `attributeRepositoryIds`, `AbstractRegisteredServiceAttributeReleasePolicy#getAttributes` doesn't.

When not configured in the service, `AbstractRegisteredServiceAttributeReleasePolicy` uses an empty `DefaultPrincipalAttributesRepository` with no `attributeRepositoryIds` configured.

I think `AbstractRegisteredServiceAttributeReleasePolicy` could maybe check if `principalAttributesRepository` is customized in the YAML/JPA/... service and if not use the global defaults.

Regards
Felix

Miguel Martínez De Espronceda Cámara

unread,
Apr 8, 2025, 5:37:31 AMApr 8
to cas-...@apereo.org
Hi Felix,
Is this still not fixed in CAS-7.x versions?
Best regards


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/cb1b7191-a06a-44d6-a390-06338988dfc1n%40apereo.org.


--
Universidad de NavarraMiguel Martínez de Espronceda Cámara
Project Manager
Universidad de Navarra
IT Services
Tel: +34 948 425 600 x803156
mmmca...@unav.es

Este mensaje puede contener información confidencial. Si usted no es el destinatario o lo ha recibido por error, por favor, bórrelo de sus sistemas y comuníquelo a la mayor brevedad al remitente. Los datos personales incluidos en los correos electrónicos que intercambie con el personal de la Universidad de Navarra podrán ser almacenados en la libreta de direcciones de su interlocutor y/o en los servidores de la Universidad durante el tiempo fijado en su política interna de conservación de información. La Universidad de Navarra gestiona dichos datos con fines meramente operativos, para permitir el contacto por email entre sus trabajadores/colaboradores y terceros. Puede consultar la Política de Privacidad de la Universidad de Navarra en la dirección: https://www.unav.edu/aviso-legal

 

This email message may contain confidential information. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments.  The personal information included in email messages exchanged with employees of the University of Navarra may be stored in the database of your interlocutor and/or the servers of the University for the time-period stipulated by its internal information storage policy. The University stores such data for purely administrative purposes, to facilitate e-mail contact between its employees and third parties. The University of Navarra Privacy Policy may be accessed at https://www.unav.edu/aviso-legal      

 

Antes de imprimir este mensaje o sus documentos anexos, asegúrese de que es necesario. Proteger el medio ambiente está en nuestras manos.
Before printing this e-mail or attachments, be sure it is necessary. It is in our hands to protect the environment.

Petr Bodnár

unread,
Nov 16, 2025, 12:03:03 PMNov 16
to CAS Community, Miguel Martínez De Espronceda Cámara
Hi there,

AFAIK, what you describe as a potential bug, is a behavior given by design: when CAS authenticates a user, it stores all the attributes from the time of login, including those from cas.person-directory.active-attribute-repository-ids, to the SSO session, namely to "principal.attributes" - these attributes are basically immutable.

When CAS redirects the user to a concrete service, it fetches attributes from the attribute repository defined for that service, if any - it is here, where the attributes caching can apply. Fetched attributes are merged with the aforementioned principal attributes before being returned to the service (and cached). Beware that the default mergingStrategy in the CAS *PrincipalAttributesRepository classes is MULTIVALUED - you might want to change it to REPLACE.

Not sure if this is in-line with what the CAS documentation says. I remember not quite understanding these attributes fetching mechanisms when firstly getting started with CAS...

Best regards
Petr
Reply all
Reply to author
Forward
0 new messages