Principal Resolution: Regex


Drew Northup

Feb 8, 2026, 2:53:51 PM
to CAS Community
We've made it a bit further along, thanks for the help thus far.
Time for the next question: What is the REGEX dialect of cas.person-directory.principal-transformation.pattern ?
I'm trying various flavors of
^([a-zA-Z0-9.]+)@maine\.edu
both with and without escaping, and they all are blowing up, causing an immediate crash without even writing out an error message. We're using the YAML config format, so the REGEX is enclosed in double-quotes. We need to remove the scope from the principal's username after (Delegated) authentication, if and only if it matches our domain (all other attempts should fail to look up attributes).

Does it require leading and trailing forward slashes ("/")?
Does it use some really odd REGEX dialect?
(And no, telling me it supports the Spring Expression Language is not useful information, unless of course this isn't actually something expecting a REGEX.)

Is there some better mechanism for this?
(No, filtering in the upstream delegated authenticator, and potentially introducing a security hole large enough to drive a bus through, is not a realistic "better" mechanism.)

Ray Bon

Feb 9, 2026, 12:50:46 PM
to cas-...@apereo.org
Drew,

We also use YAML config and that property; no quotes, no escaping [escape characters].

Ray

From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Drew Northup <drew.n...@maine.edu>
Sent: February 8, 2026 09:39
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] Principal Resolution: Regex
 
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4868036a-30b2-492a-8e71-6812eb29df10n%40apereo.org.

Drew Northup

Feb 10, 2026, 12:41:24 PM
to cas-...@apereo.org
Ok,
It isn't crashing now, but I can't seem to get the REGEX to do anything. Is there some other setting that must be set for the REGEX to actually have any effect on the Principal whatsoever? Right now it seems to me that it is just something to put there to check a box that doesn't actually do anything.




--
---------------------------+--------------------------------
Drew Northup               | 
University of Maine System |          drew.n...@Maine.edu
Computing Center           |
Orono, ME 04469            |

Ray Bon

Feb 10, 2026, 5:39:12 PM
to cas-...@apereo.org
Drew,

I did some experimenting. If I change uvic.ca to uvic.com, it actually prevents successful authentication.
We only use local LDAP, so I cannot say what should happen after delegated authn.

Ray

From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Drew Northup <drew.n...@maine.edu>
Sent: February 10, 2026 09:32
To: cas-...@apereo.org <cas-...@apereo.org>
Subject: Re: [cas-user] Principal Resolution: Regex
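
An added example, not part of any post in this thread and not CAS code: it runs the pattern posted above through java.util.regex, comparing whole-string matching with prefix matching and returning nothing for principals outside the domain. It assumes that CAS, as a Java application, compiles this property with java.util.regex; the class name, the strip helper and the sample principals are constructed for illustration, and how CAS itself applies the match is not stated in the thread.

```java
import java.util.List;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ScopeStripDemo {
    // Pattern text exactly as posted in the thread. In YAML, write it as a plain
    // or single-quoted scalar: inside double quotes the backslash starts a YAML
    // escape sequence, and "\." is not a valid one.
    static final String POSTED = "^([a-zA-Z0-9.]+)@maine\\.edu";
    // Same pattern with an explicit end anchor added (an addition, not from the thread).
    static final String ANCHORED = POSTED + "$";

    // Hypothetical helper: returns the unscoped name, or empty when the input
    // does not match, so a non-matching principal is never rewritten (fail closed).
    static Optional<String> strip(String regex, String principal, boolean wholeString) {
        Matcher m = Pattern.compile(regex).matcher(principal);
        // matches() requires the whole input to match; find() accepts a matching prefix.
        boolean ok = wholeString ? m.matches() : m.find();
        return ok ? Optional.of(m.group(1)) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample principals, not taken from the thread.
        List<String> samples = List.of(
            "jdoe@maine.edu",          // scope is exactly the local domain
            "jdoe@maine.edu.example",  // local domain followed by extra labels
            "jdoe@example.org",        // a different domain
            "jdoe");                   // no scope at all
        System.out.printf("%-24s %-12s %-12s %-12s%n",
            "principal", "find()", "matches()", "find()+$");
        for (String p : samples) {
            System.out.printf("%-24s %-12s %-12s %-12s%n", p,
                strip(POSTED, p, false).orElse("-"),
                strip(POSTED, p, true).orElse("-"),
                strip(ANCHORED, p, false).orElse("-"));
        }
    }
}
```

The columns differ only where the posted pattern, which has no end anchor, is applied with find(): a scope that merely begins with the local domain is then accepted, which is why the "if and only if it matches our domain" requirement needs either whole-string matching or a trailing anchor.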
 