Return allowed attributes?


Baron Fujimoto

Oct 7, 2021, 4:55:53 PM
to CAS Community
We have CAS 6.3.5 configured to return a default set of attributes defined with the property "cas.authn.attribute-repository.default-attributes-to-release". This works as desired.

We wanted to release only a subset of these attributes to a particular registered service. The CAS docs suggest this may be possible by using an attributeReleasePolicy in the service definition that specifies "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy"


So I added the following to an existing working service definition:

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "cn", "sn", "mail" ] ]
  }


But CAS still seems to release the full set of default attributes for the service, and not just "cn", "sn", "mail" as defined above.

Am I misinterpreting what ReturnAllowedAttributeReleasePolicy should do here? If not, any ideas what may be amiss?
--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

Pablo Vidaurri

Oct 12, 2021, 6:58:54 PM
to CAS Community, baron

From the description of default attributes, the purpose of default-attributes-to-release is to always release the attributes defined here regardless of what you have or don't have in attributeReleasePolicy at the service level.

King, Robert

Oct 13, 2021, 8:35:22 AM
to cas-...@apereo.org, baron

Would

excludeDefaultAttributes: false

be what you are looking for?


Baron Fujimoto

Nov 4, 2021, 8:10:32 PM
to cas-...@apereo.org
Just to close the loop on this and for the benefit of anyone (possibly even myself :P ) searching for this in the future, the missing magic bit was indeed "excludeDefaultAttributes" (set to "true").

The following excerpt is an example that releases only the cn and sn as a subset of the usual default set of released attributes.

"attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "excludeDefaultAttributes" : true,
    "allowedAttributes" : [ "java.util.ArrayList", [ "cn", "sn" ] ]
}
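An added example, not part of the thread and not CAS code: a small audit that flags service definitions whose ReturnAllowedAttributeReleasePolicy allow-list would be widened by the default release list because "excludeDefaultAttributes" is not true. The default list, the service names and the merge model (allow-list plus defaults unless excluded, as described in the replies above) are assumptions constructed for illustration.

```python
import json

POLICY = "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy"

# Constructed sample data: a default release list and two service definitions.
DEFAULTS = ["cn", "sn", "mail", "uid", "eduPersonAffiliation"]
SERVICES = [json.loads(s) for s in (
    '{"name": "app-a", "attributeReleasePolicy": {"@class": "%s",'
    ' "allowedAttributes": ["java.util.ArrayList", ["cn", "sn", "mail"]]}}' % POLICY,
    '{"name": "app-b", "attributeReleasePolicy": {"@class": "%s",'
    ' "excludeDefaultAttributes": true,'
    ' "allowedAttributes": ["java.util.ArrayList", ["cn", "sn"]]}}' % POLICY,
)]


def unwrap(value):
    """CAS JSON writes collections as ["java.util.ArrayList", [...]]; return the inner list."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and isinstance(value[1], list)):
        return list(value[1])
    return list(value or [])


def effective_release(service, defaults):
    """Assumed model from the thread: defaults are added unless excludeDefaultAttributes is true."""
    policy = service.get("attributeReleasePolicy") or {}
    allowed = unwrap(policy.get("allowedAttributes"))
    if policy.get("excludeDefaultAttributes") is True:
        return allowed
    return allowed + [a for a in defaults if a not in allowed]


def audit(services, defaults):
    """Return (service name, attributes released beyond the allow-list) for each affected service."""
    findings = []
    for svc in services:
        policy = svc.get("attributeReleasePolicy") or {}
        if policy.get("@class") != POLICY:
            continue  # other policy types are out of scope for this check
        allowed = unwrap(policy.get("allowedAttributes"))
        extra = [a for a in effective_release(svc, defaults) if a not in allowed]
        if extra:
            findings.append((svc.get("name"), extra))
    return findings


if __name__ == "__main__":
    for name, extra in audit(SERVICES, DEFAULTS):
        print(f"{name}: allow-list widened by defaults: {', '.join(extra)}")
```

The model ignores which attributes a given principal actually has, so it reports the widest possible release per service.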