CAS 6.2.1 attribute release not working with PersonDirectory


P N

Nov 16, 2020, 4:20:31 PM
to CAS Community
Hi,

I am in the process of migrating from CAS 5.3.15 to CAS 2.1, and in CAS 6 I am using the same configuration properties as in CAS 5 for the principal attribute release from an external JDBC repository, using the default Person Directory, to all services by default:

cas.authn.attribute-repository.default-attributes-to-release=username,role,group,inherited_group,user_id,crm_user_id,organization_id,first_name,middle_name,last_name,email,work_phone,phone_extension,active,userstatus,accessMetadata
cas.authn.attribute-repository.jdbc[0].singleRow=false
cas.authn.attribute-repository.jdbc[0].sql= ...
cas.authn.attribute-repository.jdbc[0].username=user_name
cas.authn.attribute-repository.jdbc[0].columnMappings.attribute_name=attribute_value

cas.authn.attribute-repository.jdbc[0].attributes.user_name=username
cas.authn.attribute-repository.jdbc[0].attributes.role=role
cas.authn.attribute-repository.jdbc[0].attributes.group=group
cas.authn.attribute-repository.jdbc[0].attributes.inherited_group=inherited_group
cas.authn.attribute-repository.jdbc[0].attributes.user_id=user_id
cas.authn.attribute-repository.jdbc[0].attributes.crm_user_id=crm_user_id
cas.authn.attribute-repository.jdbc[0].attributes.organization_id=organization_id
cas.authn.attribute-repository.jdbc[0].attributes.first_name=first_name
cas.authn.attribute-repository.jdbc[0].attributes.middle_name=middle_name
cas.authn.attribute-repository.jdbc[0].attributes.last_name=last_name
cas.authn.attribute-repository.jdbc[0].attributes.email=email
cas.authn.attribute-repository.jdbc[0].attributes.work_phone=work_phone
cas.authn.attribute-repository.jdbc[0].attributes.phone_extension=phone_extension
cas.authn.attribute-repository.jdbc[0].attributes.active=active
cas.authn.attribute-repository.jdbc[0].attributes.userstatus=userstatus
cas.authn.attribute-repository.jdbc[0].attributes.accessMetadata=accessMetadata

cas.authn.attribute-repository.jdbc[0].id=AMS
cas.authn.attribute-repository.jdbc[0].failFastTimeout=1
cas.authn.attribute-repository.jdbc[0].healthQuery=select 1 from dual
cas.authn.attribute-repository.jdbc[0].isolateInternalQueries=false
cas.authn.attribute-repository.jdbc[0].leakThreshold=10
cas.authn.attribute-repository.jdbc[0].batchSize=1
cas.authn.attribute-repository.jdbc[0].defaultSchema=cihiweb
cas.authn.attribute-repository.jdbc[0].ddlAuto=none

cas.authn.attribute-repository.jdbc[0].autocommit=false
cas.authn.attribute-repository.jdbc[0].idleTimeout=5000

cas.authn.attribute-repository.jdbc[0].properties.propertyName=propertyValue
cas.authn.attribute-repository.jdbc[0].pool.suspension=false
cas.authn.attribute-repository.jdbc[0].pool.minSize=6
cas.authn.attribute-repository.jdbc[0].pool.maxSize=18
cas.authn.attribute-repository.jdbc[0].pool.maxWait=2000
cas.authn.attribute-repository.jdbc[0].pool.timeoutMillis=1000

cas.authn.attribute-repository.expirationTime=0
cas.authn.attribute-repository.merger=multivalued
cas.personDirectory.attributeResolutionEnabled=true
cas.personDirectory.activeAttributeRepositoryIds=AMS

However, none of the attributes are released in the service validation:

2020-11-16 16:15:41,642 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Initiating attributes release phase for principal [pnitat] accessing service [AbstractWebApplicationService(id=http://localhost:8080/ui-dev-guide/j_spring_cas_security_check, originalUrl=http://localhost:8080/ui-dev-guide/j_spring_cas_security_check, artifactId=null, principal=pnitat, source=service, loggedOutAlready=false, format=XML, attributes={})] defined by registered service [http*://.*]...>
2020-11-16 16:15:41,643 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Using principal attribute repository [DefaultPrincipalAttributesRepository()] to retrieve attributes>
2020-11-16 16:15:41,644 DEBUG [org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository] - <Using [pnitat], no caching takes place for [DefaultPrincipalAttributesRepository] to add attributes.>
2020-11-16 16:15:41,644 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found principal attributes [{}] for [pnitat]>
2020-11-16 16:15:41,646 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy [ReturnAllowedAttributeReleasePolicy] allows release of [{}] for [pnitat]>
2020-11-16 16:15:41,646 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [[inherited_group, role, userstatus, work_phone, last_name, active, middle_name, user_id, accessMetadata, organization_id, phone_extension, crm_user_id, first_name, email, username, group]]>
2020-11-16 16:15:41,646 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are [{}]>
2020-11-16 16:15:41,647 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Finalizing attributes release phase for principal [pnitat] accessing service [AbstractWebApplicationService(id=http://localhost:8080/ui-dev-guide/j_spring_cas_security_check, originalUrl=http://localhost:8080/ui-dev-guide/j_spring_cas_security_check, artifactId=null, principal=pnitat, source=service, loggedOutAlready=false, format=XML, attributes={})] defined by registered service [http*://.*]...>
2020-11-16 16:15:41,647 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{}]>

Am I missing any configuration properties, or has anything changed in version 6 from 5 regarding the default attribute release?

Thanks,
Paul

Ray Bon

Nov 16, 2020, 4:59:59 PM
to cas-...@apereo.org
Paul,

You will have to check all your attribute names, they often change between versions.
cas.authn.attribute-repository.jdbc
is now
cas.authn.attributeRepository.jdbc

Ray

On Mon, 2020-11-16 at 13:20 -0800, P N wrote:
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

P N

Nov 16, 2020, 5:40:40 PM
to CAS Community, Ray Bon
Hi Ray,

I am actually using the notation prescribed in the CAS 6.2.x documentation; see https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#jdbc-1 :

# cas.authn.attribute-repository.jdbc[0].attributes.uid=uid 
# cas.authn.attribute-repository.jdbc[0].attributes.display-name=displayName  ...

However, even after changing the configuration to the old notation from CAS 5 as suggested (cas.authn.attributeRepository.jdbc[0] ...), I am getting the same results, i.e. no attributes released.

Thanks,
Paul

Ray Bon

Nov 16, 2020, 6:26:49 PM
to pvn...@gmail.com, cas-...@apereo.org
Paul,

Unfortunately the docs have not been updated.

Set your logging to debug. You should see something about an 'unbound attribute' or 'could not bind attribute' with the name of the attribute. I am sure there are more changes than just that one.

It has been a long time since we upgraded, and I did not remember that I must have searched the code base for the attribute names.

Ray

P N

Nov 17, 2020, 10:04:08 AM
to CAS Community, Ray Bon, P N
Hi Ray,

I changed the attribute names and still got the same result. As suggested, I set logging to debug and didn't find any message about 'unbound attribute'.

I believe there is an issue related to the attribute release policies, based on the following log message:
2020-11-17 09:54:39,962 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy [ReturnAllowedAttributeReleasePolicy] allows release of [{}] for [pnitat]>

even though there are default attributes for release:
2020-11-17 09:54:39,962 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [[inherited_group, role, userstatus, work_phone, last_name, active, middle_name, user_id, accessMetadata, organization_id, phone_extension, crm_user_id, first_name, email, username, group]]>

Is there a different setting to change the attribute release policy so all attributes defined in the list are released?

Thanks,
Paul

Ray Bon

Nov 17, 2020, 10:40:09 AM
to pvn...@gmail.com, cas-...@apereo.org
Paul,

There are per service settings that can be applied and a default bundle that can be set, https://apereo.github.io/cas/6.2.x/integration/Attribute-Release-Policies.html

You can set some attributes to be searched on authentication and others can be extracted afterwards, https://apereo.github.io/cas/6.2.x/integration/Attribute-Resolution.html

You can also set Hibernate to display what it is sending and receiving, to be sure its queries are what you expect: https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#hibernate--jdbc.

If you are getting to the attribute release lines, your CAS config names must be correct.

Ray

P N

Nov 18, 2020, 2:48:31 PM
to CAS Community, Ray Bon, P N
Hi Ray,

I found a way to release attributes by adding the following to the JSON service definition:

"attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
    "principalAttributesRepository" : {
        "@class" : "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
        "attributeRepositoryIds": ["java.util.HashSet", [ "AMS" ]]
    }
}

and disabling the global attribute release:

cas.personDirectory.attributeResolutionEnabled=false

However, I am still not clear why the default bundle is not working, when the documentation states that it should work for all services.

Thanks,
Paul

P N

Nov 20, 2020, 2:06:32 PM
to CAS Community, P N, Ray Bon
I am adding the following from the cas.log file; maybe someone can help me understand what is missing in the default attribute release policy and why Person Directory is not triggered:

2020-11-18 16:59:43,750 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Configured multi-row JDBC attribute repository for [jdbc:oracle:thin:@//...]>
2020-11-18 16:59:43,757 DEBUG [com.zaxxer.hikari.HikariConfig] - <Driver class oracle.jdbc.OracleDriver found in Thread context class loader org.springframework.boot.loader.LaunchedURLClassLoader@1b604f19>
2020-11-18 16:59:43,760 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Configured multi-row JDBC column mappings for [jdbc:oracle:thin:@//...] are [{attribute_name=attribute_value}]>
2020-11-18 16:59:43,765 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Configured result attribute mapping for [jdbc:oracle:thin:@//...] to be [{inherited_group=inherited_group, role=role, userstatus=userstatus, user_name=username, work_phone=work_phone, last_name=last_name, active=active, middle_name=middle_name, user_id=user_id, accessMetadata=accessMetadata, organization_id=organization_id, phone_extension=phone_extension, first_name=first_name, crm_user_id=crm_user_id, email=email, group=group}]>
2020-11-18 16:59:43,775 TRACE [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Final list of attribute repositories is [[org.apereo.services.persondir.support.jdbc.MultiRowJdbcPersonAttributeDao@53e7cc08]]>
2020-11-18 16:59:43,781 TRACE [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Attribute repository sources are defined and available for person-directory principal resolution chain. >
....
2020-11-18 16:59:43,971 WARN [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Attribute repository caching is disabled>
2020-11-18 16:59:43,975 TRACE [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Configured merging strategy for attribute sources is [multivalued]>
2020-11-18 16:59:43,979 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Configured attribute repository sources to merge together: [[AMS]]>


2020-11-18 17:02:12,382 DEBUG [org.apereo.cas.DefaultCentralAuthenticationService] - <Attribute policy [ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, excludedAttributes=null, includeOnlyAttributes=null, order=0), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null, order=0), allowedAttributes=[])] is associated with service [AbstractRegisteredService(serviceId=http*://.*, name=HTTP, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=0, description=HTTP, expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null), acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true, messageCode=null, text=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null, serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null, evaluationOrder=0, usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2, logoutType=BACK_CHANNEL, environments=[], attributeReleasePolicy=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, excludedAttributes=null, includeOnlyAttributes=null, order=0), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null, order=0), allowedAttributes=[]), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[], failureMode=UNDEFINED, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false, forceExecution=false, bypassTrustedDeviceEnabled=false, bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null, script=null), logo=null, logoutUrl=null, redirectUrl=null, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[], permitUndefined=true, exclusive=false), requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[], criteria=null), properties={}, contacts=[])]>
2020-11-18 17:02:12,383 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Initiating attributes release phase for principal [pnitat] accessing service [AbstractWebApplicationService(id=http://localhost:8080/ui-dev-guide/j_spring_cas_security_check, originalUrl=http://localhost:8080/ui-dev-guide/j_spring_cas_security_check, artifactId=null, principal=pnitat, source=service, loggedOutAlready=false, format=XML, attributes={})] defined by registered service [http*://.*]...>
2020-11-18 17:02:12,383 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Locating principal attributes for [pnitat]>
2020-11-18 17:02:12,383 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Loading global principal attribute repository with caching policies...>
2020-11-18 17:02:12,383 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Using principal attribute repository [DefaultPrincipalAttributesRepository()] to retrieve attributes>
2020-11-18 17:02:12,384 DEBUG [org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository] - <Using [pnitat], no caching takes place for [DefaultPrincipalAttributesRepository] to add attributes.>
2020-11-18 17:02:12,385 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found principal attributes [{}] for [pnitat]>
2020-11-18 17:02:12,385 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving attribute definition store and attribute definitions...>
2020-11-18 17:02:12,386 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <No attribute definitions are defined in the attribute definition store>
2020-11-18 17:02:12,386 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Resolved principal attributes [{}] for [pnitat] from attribute definition store>
2020-11-18 17:02:12,387 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Calling attribute policy [ReturnAllowedAttributeReleasePolicy] to process attributes for [pnitat]>
2020-11-18 17:02:12,388 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy [ReturnAllowedAttributeReleasePolicy] allows release of [{}] for [pnitat]>
2020-11-18 17:02:12,388 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attempting to merge policy attributes and default attributes>
2020-11-18 17:02:12,388 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Checking default attribute policy attributes>
2020-11-18 17:02:12,388 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving default attributes for release, if any>
2020-11-18 17:02:12,389 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [[inherited_group, role, userstatus, work_phone, last_name, active, middle_name, user_id, accessMetadata, organization_id, phone_extension, crm_user_id, first_name, email, username, group]]>
2020-11-18 17:02:12,389 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are [{}]>
2020-11-18 17:02:12,390 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding policy attributes to the released set of attributes>
2020-11-18 17:02:12,390 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Finalizing attributes release phase for principal [pnitat] accessing service [AbstractWebApplicationService(id=http://localhost:8080/ui-dev-guide/j_spring_cas_security_check, originalUrl=http://localhost:8080/ui-dev-guide/j_spring_cas_security_check, artifactId=null, principal=pnitat, source=service, loggedOutAlready=false, format=XML, attributes={})] defined by registered service [http*://.*]...>
2020-11-18 17:02:12,390 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{}]>
2020-11-18 17:02:12,390 DEBUG [org.apereo.cas.DefaultCentralAuthenticationService] - <Calculated attributes for release per the release policy are [[]]>

Thanks,
Paul

Andy Ng

Dec 4, 2020, 3:45:48 AM
to CAS Community, pvn...@gmail.com, Ray Bon
Hi all,

I encountered the same issue and want to chime in with some additional info:

I found that starting from CAS 6.2.x, attributes from JDBC / LDAP / other PersonDirectory repositories are not released by default.
See this line here: https://github.com/apereo/cas/blob/v6.2.6/core/cas-server-core-authentication-attributes/src/main/java/org/apereo/cas/authentication/principal/DefaultPrincipalAttributesRepository.java#L33

`areAttributeRepositoryIdsDefined` is just checking whether attributeRepositoryIds is empty.

For those attributes to be released, it seems we need to explicitly set the `attributeRepositoryIds`, which is a bit troubling but oh well.

A wildcard works fine, so this:
=================================================
"attributeReleasePolicy": {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
    "principalAttributesRepository" : {
        "@class" : "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
        "attributeRepositoryIds": ["java.util.HashSet", [ "*" ]]
    }
},
=================================================
With the above, and keeping all the CAS 5.3.x settings, it is good enough to output those attributes in my case.

Cheers!
- Andy
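As an added check for the condition described in this thread (example code written for this page, not code from the thread or from CAS itself): it parses a CAS JSON service definition, unwraps the `["java.util.HashSet", [...]]` form, reads `attributeRepositoryIds`, and flags a service whose release policy would consult no PersonDirectory repository. The selection model (empty set selects nothing, `*` selects every configured repository, otherwise match by id such as `AMS`) is an assumption based on the behaviour reported above; the two service definitions are constructed samples.

```python
import json
from typing import Any

# Constructed sample: a service whose release policy names no attribute
# repository ids, reproducing the "[{}]" release seen in the logs above.
SERVICE_NO_REPOS = """{
  "serviceId" : "http*://.*",
  "name" : "HTTP",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
}"""

# Constructed sample: the same service with the fix from the thread applied.
SERVICE_WITH_REPOS = """{
  "serviceId" : "http*://.*",
  "name" : "HTTP",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
    "principalAttributesRepository" : {
      "@class" : "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
      "attributeRepositoryIds" : ["java.util.HashSet", [ "AMS" ]]
    }
  }
}"""


def untyped(value: Any) -> Any:
    """Unwrap Jackson's typed-collection form ["java.util.HashSet", [...]] into a plain list."""
    if (isinstance(value, list) and len(value) == 2 and isinstance(value[0], str)
            and value[0].startswith("java.util.") and isinstance(value[1], list)):
        return value[1]
    return value


def repository_ids(service: dict) -> list[str]:
    """Attribute repository ids named by the service's release policy (empty if none)."""
    policy = service.get("attributeReleasePolicy") or {}
    repo = policy.get("principalAttributesRepository") or {}
    return [str(i) for i in untyped(repo.get("attributeRepositoryIds", []))]


def consulted_repositories(ids: list[str], configured: list[str]) -> list[str]:
    """Assumed selection model: no ids -> no repository; "*" -> all; otherwise match by id."""
    if not ids:
        return []
    if "*" in ids:
        return list(configured)
    return [r for r in configured if r in ids]


def audit_service(service_json: str, configured: list[str]) -> list[str]:
    """Findings for a service whose policy would release no PersonDirectory attributes."""
    service = json.loads(service_json)
    ids = repository_ids(service)
    findings = []
    if not consulted_repositories(ids, configured):
        findings.append(f"{service.get('name')}: attributeRepositoryIds={ids} selects none of "
                        f"{configured}; PersonDirectory attributes will not be released")
    for unknown in (i for i in ids if i != "*" and i not in configured):
        findings.append(f"{service.get('name')}: repository id '{unknown}' is not configured")
    return findings
```

Pass the ids you configured (here `AMS`, matching `cas.authn.attribute-repository.jdbc[0].id`) as `configured` and run `audit_service` over each file in your services directory.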
