@kevinfoote
Last active December 25, 2015 03:18
using persondir to map header attributes into CAS's attributeRepository
<!--
         PULL and map header attributes for use
-->
<bean id="currentUserProvider"
      class="org.jasig.cas.adaptors.trusted.authentication.handler.support.PrincipalBearingCredentialsAuthenticationHandler"/>
<bean id="usernameAttributeProvider" class="org.jasig.services.persondir.support.SimpleUsernameAttributeProvider">
    <property name="usernameAttribute" value="username" />
</bean>
<bean id="requestAttributeSourceFilter" class="org.jasig.services.persondir.support.web.RequestAttributeSourceFilter">
    <property name="usernameAttribute" value="userName" />
    <property name="additionalDescriptors" ref="requestAdditionalDescriptors" />
    <property name="remoteUserAttribute" value="userName" />
    <property name="serverNameAttribute" value="serverName" />
    <property name="processingPosition" value="BOTH" />
    <property name="headerAttributeMapping">
        <map>
           <entry key="eppa" value="eduPersonPrimaryAffiliation" />
           <entry key="uid" value="uid" />
           <entry key="eppn" value="eduPersonPrincipalName" />
        </map>
    </property>
</bean>
<bean id="requestAdditionalDescriptors" class="org.jasig.services.persondir.support.MediatingAdditionalDescriptors">
    <property name="delegateDescriptors">
        <list>
            <bean class="org.jasig.services.persondir.support.AdditionalDescriptors" scope="globalSession">
               <aop:scoped-proxy />
            </bean>
            <bean class="org.jasig.services.persondir.support.AdditionalDescriptors" scope="request">
               <aop:scoped-proxy />
            </bean>
        </list>
    </property>
</bean>
<bean id="requestAttributesDao" class="org.jasig.services.persondir.support.AdditionalDescriptorsPersonAttributeDao">
    <property name="descriptors" ref="requestAdditionalDescriptors" />
    <property name="usernameAttributeProvider" ref="usernameAttributeProvider" />
</bean>
<!--
         END building attributes
-->
<!--
         The attribute list is sort of dynamic now due to the fact that you are
         creating the backingMap through the filter step above. It is assumed
         you know the data that is going through the filter and if you want it or
         not.
-->
<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.MergingPersonAttributeDaoImpl">
    <property name="usernameAttributeProvider" ref="usernameAttributeProvider" />
    <property name="personAttributeDaos">
        <list>
            <ref bean="requestAttributesDao" />
            <!--ref bean="mergedPersonAttributeDao" /-->
        </list>
    </property>
</bean>
@sabordeaux

Hi,
Thank you for your work on shibbolizing the CAS server. We're trying to integrate something like your attribute-repository-from-headers.xml in our deployerConfigContext.xml and authentication works fine.
Nevertheless, we are not able to retrieve extra attributes. It seems that requestAttributeSourceFilter is never called. Could you tell us how to use this bean, please?
Best regards,

@kevinfoote
Author

OK .. so the above XML is a snippet from my deployerConfigContext.xml file..

If I recall, it's line 11 above that makes the AttributeDao pull in the request headers.

If you need further help, let me know what CAS version you're using.

@sabordeaux

Hello,

Thank you very much for your help.

We are trying to configure CAS version 3.4.12. According to your guidelines we have modified:

- pom.xml:

[...]
<dependency>
     <groupId>org.jasig.cas</groupId>
     <artifactId>cas-server-support-trusted</artifactId>
     <version>${cas.version}</version>
</dependency>
[...]
  <modules>
    <module>cas-server-core</module>
    <module>cas-server-webapp</module>
    <module>cas-server-support-generic</module>
<!--
    <module>cas-server-support-jdbc</module>
    <module>cas-server-support-ldap</module>
    <module>cas-server-support-legacy</module>
    <module>cas-server-support-openid</module>
    <module>cas-server-support-radius</module>
    <module>cas-server-support-spnego</module>
-->
    <module>cas-server-support-trusted</module>
<!--
    <module>cas-server-support-x509</module>
    <module>cas-server-integration-jboss</module>
    <module>cas-server-integration-berkeleydb</module>
    <module>cas-server-integration-memcached</module>
    <module>cas-server-integration-restlet</module>
    <module>cas-server-uber-webapp</module>
    <module>cas-server-documentation</module>
-->
  </modules>
[...]

- cas-server-webapp/pom.xml:

[...]
<dependency>
     <groupId>org.jasig.cas</groupId>
     <artifactId>cas-server-support-trusted</artifactId>
     <version>${cas.version}</version>
</dependency>
<dependency>
        <groupId>cglib</groupId>
        <artifactId>cglib</artifactId>
        <version>2.2.2</version>
</dependency>
[...]

- cas-server-webapp/src/main/webapp/WEB-INF/login-webflow.xml:

[...]
        <action-state id="generateLoginTicket">
        <evaluate expression="generateLoginTicketAction.generate(flowRequestContext)" />
                <transition on="generated" to="remoteAuthenticate" />
        </action-state>
[...]
<action-state id="remoteAuthenticate">
  <evaluate expression="principalFromRemoteAction" />
  <transition on="success" to="sendTicketGrantingTicket" />
  <transition on="error" to="viewLoginForm" />
</action-state>
        <view-state id="viewLoginForm" view="casLoginView" model="credentials">
        <binder>
            <binding property="username" />
            <binding property="password" />
        </binder>
        <on-entry>
            <set name="viewScope.commandName" value="'credentials'" />
        </on-entry>
                <transition on="submit" bind="true" validate="true" to="realSubmit">
            <evaluate expression="authenticationViaFormAction.doBind(flowRequestContext, flowScope.credentials)" />
        </transition>
        </view-state>
[...]

- cas-server-webapp/src/main/webapp/WEB-INF/cas-servlet.xml:

[...]
        <bean id="principalFromRemoteAction" class="org.jasig.cas.adaptors.trusted.web.flow.PrincipalFromRequestRemoteUserNonInteractiveCredentialsAction"
               p:centralAuthenticationService-ref="centralAuthenticationService" />
[...]

- cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml (whole file):

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
 http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
 http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
 http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:aop="http://www.springframework.org/schema/aop"
>

        <bean id="authenticationManager"
                class="org.jasig.cas.authentication.AuthenticationManagerImpl">

                <property name="credentialsToPrincipalResolvers">
                        <list>
<!--
                                <bean
                                        class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" >
                                        <property name="attributeRepository" ref="attributeRepository" />
                                </bean>
                                <bean
                                        class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" >
                                </bean>
-->
                                <bean
                                        class="org.jasig.cas.adaptors.trusted.authentication.principal.PrincipalBearingCredentialsToPrincipalResolver" >
                                        <property name="attributeRepository" ref="attributeRepository" />
                                </bean>
                        </list>
                </property>
                <property name="authenticationHandlers">
                        <list>
                                <bean class="org.jasig.cas.adaptors.trusted.authentication.handler.support.PrincipalBearingCredentialsAuthenticationHandler" />
<!--
                                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
                                        p:httpClient-ref="httpClient" />
-->
                        </list>
                </property>
        </bean>

<!--
         PULL and map header attributes for use
-->
<bean id="currentUserProvider"
      class="org.jasig.cas.adaptors.trusted.authentication.handler.support.PrincipalBearingCredentialsAuthenticationHandler"/>

<bean id="usernameAttributeProvider" class="org.jasig.services.persondir.support.SimpleUsernameAttributeProvider">
    <property name="usernameAttribute" value="username" />
</bean>

<bean id="requestAttributeSourceFilter" class="org.jasig.services.persondir.support.web.RequestAttributeSourceFilter">
    <property name="usernameAttribute" value="userName" />
    <property name="additionalDescriptors" ref="requestAdditionalDescriptors" />
    <property name="remoteUserAttribute" value="userName" />
    <property name="serverNameAttribute" value="serverName" />
    <property name="processingPosition" value="BOTH" />
    <property name="headerAttributeMapping">
        <map>
           <entry key="uid" value="uid" />
           <entry key="ENTPersonProfilsNationaux" value="ENTPersonProfilsNationaux" />
        </map>
    </property>
</bean>

<bean id="requestAdditionalDescriptors" class="org.jasig.services.persondir.support.MediatingAdditionalDescriptors" >
    <property name="delegateDescriptors">
        <list>
            <bean class="org.jasig.services.persondir.support.AdditionalDescriptors" scope="globalSession">
               <aop:scoped-proxy />
            </bean>
            <bean class="org.jasig.services.persondir.support.AdditionalDescriptors" scope="request">
               <aop:scoped-proxy />
            </bean>
        </list>
    </property>
</bean>


<bean id="requestAttributesDao" class="org.jasig.services.persondir.support.AdditionalDescriptorsPersonAttributeDao">
    <property name="descriptors" ref="requestAdditionalDescriptors" />
    <property name="usernameAttributeProvider" ref="usernameAttributeProvider" />
</bean>

<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.MergingPersonAttributeDaoImpl">
    <property name="usernameAttributeProvider" ref="usernameAttributeProvider" />
    <property name="personAttributeDaos">
        <list>
            <ref bean="requestAttributesDao" />
        </list>
    </property>
</bean>

    <sec:user-service id="userDetailsService">
        <sec:user name="admin" password="notused" authorities="ROLE_ADMIN" />
    </sec:user-service>


        <bean id="serviceRegistryDao"
              class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
            <property name="registeredServices">
                <list>
                    <bean class="org.jasig.cas.services.RegexRegisteredService">
                        <property name="id" value="0" />
                        <property name="name" value="CAS SP test" />
                        <property name="description" value="Test CAS SP SHIB" />
                        <property name="serviceId" value="https://vm-iozone3.in.ac-bordeaux.fr/app3/testcas2.php" />
                        <property name="evaluationOrder" value="1" />
                        <property name="allowedAttributes" value="uid,sn,givenname,ENTPersonLogin" />
                    </bean>
                </list>
            </property>
        </bean>

    <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />

</beans>

--------------------------->8----------------------------------------------->8-------------------------------------------->8---------------------------

Our Shibboleth SP session seems OK (https://vm-iozone3.in.ac-bordeaux.fr/Shibboleth.sso/Session) :

Miscellaneous
Session Expiration (barring inactivity): 467 minute(s)
Client Address: 172.30.54.159
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: https://vm-iozone3-vip1.in.ac-bordeaux.fr/idp/shibboleth
Authentication Time: 2013-10-31T14:46:41.304Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)

Attributes
ENTPersonProfilsNationaux: National_3
uid: BQQ00070
userName: BQQ00070

--------------------------->8----------------------------------------------->8-------------------------------------------->8---------------------------

We have maybe misconfigured something important, as you can see in our CAS.log:

2013-10-31 16:01:52,260 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: https://vm-iozone3.in.ac-bordeaux.fr/app3/testcas2.php>
2013-10-31 16:01:52,272 DEBUG [org.jasig.cas.adaptors.trusted.web.flow.PrincipalFromRequestRemoteUserNonInteractiveCredentialsAction] - <Remote  User [BQQ00070] found in HttpServletRequest>
2013-10-31 16:01:52,274 DEBUG [org.jasig.cas.adaptors.trusted.authentication.handler.support.PrincipalBearingCredentialsAuthenticationHandler] - <Trusting credentials for: [name: BQQ00070]>
start[1383231712273] time[0] tag[PrincipalBearingCredentialsAuthenticationHandler]
2013-10-31 16:01:52,274 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.trusted.authentication.handler.support.PrincipalBearingCredentialsAuthenticationHandler successfully authenticated the user which provided the following credentials: [name: BQQ00070]>
2013-10-31 16:01:52,274 DEBUG [org.jasig.cas.adaptors.trusted.authentication.principal.PrincipalBearingCredentialsToPrincipalResolver] - <Attempting to resolve a principal...>
2013-10-31 16:01:52,274 DEBUG [org.jasig.cas.adaptors.trusted.authentication.principal.PrincipalBearingCredentialsToPrincipalResolver] - <Creating SimplePrincipal for [BQQ00070]>
2013-10-31 16:01:52,275 DEBUG [org.jasig.services.persondir.support.MergingPersonAttributeDaoImpl] - <Created seed map='{username=[BQQ00070]}' for uid='BQQ00070'>
2013-10-31 16:01:52,275 DEBUG [org.jasig.services.persondir.support.AdditionalDescriptorsPersonAttributeDao] - <invoking getPeopleWithMultivaluedAttributes({username=[BQQ00070]})>
2013-10-31 16:01:52,276 WARN [org.jasig.services.persondir.support.AdditionalDescriptorsPersonAttributeDao] - <AdditionalDescriptors has a null name and a null name was returned by the currentUserProvider, returning null. org.jasig.services.persondir.support.MediatingAdditionalDescriptors@73b044df>
2013-10-31 16:01:52,277 DEBUG [org.jasig.services.persondir.support.MergingPersonAttributeDaoImpl] - <Retrieved attributes='null' for query='{username=[BQQ00070]}', isFirstQuery=false, currentlyConsidering='org.jasig.services.persondir.support.AdditionalDescriptorsPersonAttributeDao@2ec8f0a4', resultAttributes='null'>
2013-10-31 16:01:52,277 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved principal BQQ00070>
2013-10-31 16:01:52,277 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Principal found: BQQ00070>
2013-10-31 16:01:52,277 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Attribute map for BQQ00070: {}>
2013-10-31 16:01:52,278 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [name: BQQ00070]
WHAT: supplied credentials: [name: BQQ00070]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Thu Oct 31 16:01:52 CET 2013
CLIENT IP ADDRESS: 172.30.54.159
SERVER IP ADDRESS: vm-iozone3.in.ac-bordeaux.fr
=============================================================

>
2013-10-31 16:01:52,279 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [TGT-2-JPFt7IapfcB4j1wvpmUHeqBTdMO1pfPafhEpfHFfxDKMTLPbuv-iozone3.in.ac-bordeaux.fr] to registry.>
2013-10-31 16:01:52,279 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [name: BQQ00070]
WHAT: TGT-2-JPFt7IapfcB4j1wvpmUHeqBTdMO1pfPafhEpfHFfxDKMTLPbuv-iozone3.in.ac-bordeaux.fr
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Thu Oct 31 16:01:52 CET 2013
CLIENT IP ADDRESS: 172.30.54.159
SERVER IP ADDRESS: vm-iozone3.in.ac-bordeaux.fr
=============================================================

>
2013-10-31 16:01:52,280 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie with name [CASTGC] and value [TGT-2-JPFt7IapfcB4j1wvpmUHeqBTdMO1pfPafhEpfHFfxDKMTLPbuv-iozone3.in.ac-bordeaux.fr]>
2013-10-31 16:01:52,281 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-2-JPFt7IapfcB4j1wvpmUHeqBTdMO1pfPafhEpfHFfxDKMTLPbuv-iozone3.in.ac-bordeaux.fr]>
2013-10-31 16:01:52,281 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [TGT-2-JPFt7IapfcB4j1wvpmUHeqBTdMO1pfPafhEpfHFfxDKMTLPbuv-iozone3.in.ac-bordeaux.fr] found in registry.>
2013-10-31 16:01:52,282 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [ST-2-Kq6I1MkDBvDCnWf1s6Ji-iozone3.in.ac-bordeaux.fr] to registry.>
2013-10-31 16:01:52,282 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-2-Kq6I1MkDBvDCnWf1s6Ji-iozone3.in.ac-bordeaux.fr] for service [https://vm-iozone3.in.ac-bordeaux.fr/app3/testcas2.php] for user [BQQ00070]>
2013-10-31 16:01:52,283 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-2-JPFt7IapfcB4j1wvpmUHeqBTdMO1pfPafhEpfHFfxDKMTLPbuv-iozone3.in.ac-bordeaux.fr]>
2013-10-31 16:01:52,283 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [TGT-2-JPFt7IapfcB4j1wvpmUHeqBTdMO1pfPafhEpfHFfxDKMTLPbuv-iozone3.in.ac-bordeaux.fr] found in registry.>
2013-10-31 16:01:52,283 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: BQQ00070
WHAT: ST-2-Kq6I1MkDBvDCnWf1s6Ji-iozone3.in.ac-bordeaux.fr for https://vm-iozone3.in.ac-bordeaux.fr/app3/testcas2.php
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Thu Oct 31 16:01:52 CET 2013
CLIENT IP ADDRESS: 172.30.54.159
SERVER IP ADDRESS: vm-iozone3.in.ac-bordeaux.fr
=============================================================

>
2013-10-31 16:01:52,325 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: https://vm-iozone3.in.ac-bordeaux.fr/app3/testcas2.php>
2013-10-31 16:01:52,325 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-2-Kq6I1MkDBvDCnWf1s6Ji-iozone3.in.ac-bordeaux.fr]>
2013-10-31 16:01:52,326 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [ST-2-Kq6I1MkDBvDCnWf1s6Ji-iozone3.in.ac-bordeaux.fr] found in registry.>
2013-10-31 16:01:52,326 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [ST-2-Kq6I1MkDBvDCnWf1s6Ji-iozone3.in.ac-bordeaux.fr] from registry>
2013-10-31 16:01:52,327 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-2-Kq6I1MkDBvDCnWf1s6Ji-iozone3.in.ac-bordeaux.fr]>
2013-10-31 16:01:52,327 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-2-Kq6I1MkDBvDCnWf1s6Ji-iozone3.in.ac-bordeaux.fr
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Thu Oct 31 16:01:52 CET 2013
CLIENT IP ADDRESS: 172.30.49.82
SERVER IP ADDRESS: vm-iozone3.in.ac-bordeaux.fr
=============================================================

>
2013-10-31 16:01:52,328 DEBUG [org.jasig.cas.web.ServiceValidateController] - <Successfully validated service ticket: ST-2-Kq6I1MkDBvDCnWf1s6Ji-iozone3.in.ac-bordeaux.fr>

--------------------------->8----------------------------------------------->8-------------------------------------------->8---------------------------

"AdditionalDescriptors has a null name and a null name was returned by the currentUserProvider" and (consequently?) the attribute map for BQQ00070 is empty.

Thank you for any tip, reading, or advice that you could give us.

Best regards,

G. Bady

@kevinfoote
Author

OK. Looks like all should be working (and probably is).

One last bit that is probably missing (I'll have to update the howto/gist). By default, attributes and the attribute map are built and released by CAS on a per-service (client that connects to CAS) basis. This can be defined or set up in the /cas/services area of the GUI or within the deployerConfigContext.xml file.

For me, where I run CAS, I treat this more like a utility, so I have hardcoded the serviceRegistryDao in the deployer file specific to my environment and force it to build and release all attributes to all clients.

        <bean
                id="serviceRegistryDao"
                class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
            <property name="registeredServices">
                <list>
                    <bean class="org.jasig.cas.services.RegexRegisteredService">
                        <property name="id" value="0" />
                        <property name="name" value="HTTP and IMAP" />
                        <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
                        <property name="serviceId" value="^(https?)://.*" />
                        <property name="evaluationOrder" value="10000001" />
                        <property name="allowedAttributes">
                            <list>
                                  <value>uid</value>
                                  <value>userName</value>
                                  <value>UniID</value>
                                  <value>eduPersonPrincipalName</value>
                                  <value>serverName</value>
                            </list>
                        </property>
                    </bean>
                </list>
            </property>
        </bean>

So my suggestion is to make sure you are releasing your attributes to either ALL your CAS clients or the specific clients you want attributes for using the GUI or the deployer.

Let me know how it goes.. It does look like you are doing the rest correctly though.

@sabordeaux

Hello,

We have configured another cas-server, version 3.5.2.
We have first checked that we are releasing attributes with an ldapattributeRepository (so this time our InMemoryServiceRegistryDaoImpl is valid).
We still can't add attributes from headers, with the error "AdditionalDescriptors has a null name and a null name was returned by the currentUserProvider"

2013-11-07 11:09:27,240 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Beginning ticket cleanup.>
2013-11-07 11:09:27,244 DEBUG [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Attempting to acquire ticket cleanup lock.>
2013-11-07 11:09:27,245 DEBUG [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Acquired lock.  Proceeding with cleanup.>
2013-11-07 11:09:27,246 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <0 tickets found to be removed.>
2013-11-07 11:09:27,246 DEBUG [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Releasing ticket cleanup lock.>
2013-11-07 11:09:27,246 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Finished ticket cleanup.>
2013-11-07 11:09:37,175 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: https://vm-iozone3.in.ac-bordeaux.fr/app3/testcas2.php>
2013-11-07 11:09:37,206 DEBUG [org.jasig.cas.adaptors.trusted.web.flow.PrincipalFromRequestRemoteUserNonInteractiveCredentialsAction] - <Remote  User [BQQ00070] found in HttpServletRequest>
2013-11-07 11:09:37,248 DEBUG [org.jasig.cas.adaptors.trusted.authentication.handler.support.PrincipalBearingCredentialsAuthenticationHandler] - <Trusting credentials for: [name: BQQ00070]>
2013-11-07 11:09:37,253 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.trusted.authentication.handler.support.PrincipalBearingCredentialsAuthenticationHandler successfully authenticated [name: BQQ00070]>
2013-11-07 11:09:37,256 DEBUG [org.jasig.cas.adaptors.trusted.authentication.principal.PrincipalBearingCredentialsToPrincipalResolver] - <Attempting to resolve a principal...>
2013-11-07 11:09:37,256 DEBUG [org.jasig.cas.adaptors.trusted.authentication.principal.PrincipalBearingCredentialsToPrincipalResolver] - <Creating SimplePrincipal for [BQQ00070]>
2013-11-07 11:09:37,332 DEBUG [org.jasig.services.persondir.support.MergingPersonAttributeDaoImpl] - <Created seed map='{uid=[BQQ00070]}' for uid='BQQ00070'>
2013-11-07 11:09:37,332 DEBUG [org.jasig.services.persondir.support.AdditionalDescriptorsPersonAttributeDao] - <invoking getPeopleWithMultivaluedAttributes({uid=[BQQ00070]})>
2013-11-07 11:09:37,387 WARN [org.jasig.services.persondir.support.AdditionalDescriptorsPersonAttributeDao] - <AdditionalDescriptors has a null name and a null name was returned by the currentUserProvider, returning null. org.jasig.services.persondir.support.MediatingAdditionalDescriptors@3f2f529b>
2013-11-07 11:09:37,388 DEBUG [org.jasig.services.persondir.support.MergingPersonAttributeDaoImpl] - <Retrieved attributes='null' for query='{uid=[BQQ00070]}', isFirstQuery=false, currentlyConsidering='org.jasig.services.persondir.support.AdditionalDescriptorsPersonAttributeDao@27aa7aac', resultAttributes='null'>
2013-11-07 11:09:37,392 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved principal BQQ00070>
2013-11-07 11:09:37,393 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.trusted.authentication.handler.support.PrincipalBearingCredentialsAuthenticationHandler@45858aa4 authenticated BQQ00070 with credential [name: BQQ00070].>
2013-11-07 11:09:37,394 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Attribute map for BQQ00070: {}>
2013-11-07 11:09:37,409 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [name: BQQ00070]
WHAT: supplied credentials: [name: BQQ00070]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Thu Nov 07 11:09:37 CET 2013
CLIENT IP ADDRESS: 172.30.54.159
SERVER IP ADDRESS: vm-iozone3.in.ac-bordeaux.fr
=============================================================

It seems to be a matter of scope...
Any help to solve this would be appreciated.

Thanks a lot, best regards,

G. Bady

@willfi

willfi commented Dec 10, 2013

Hi,

Do you also have some kind of filter (or listener) configuration in web.xml?
I tried the one mentioned on https://wiki.jasig.org/display/PDM15/Request+Header+Attribute+Source.

As a result I can see this line in cas.log:

DEBUG [org.jasig.services.persondir.support.web.RequestAttributeSourceFilter] - Adding attributes for user vesa. {userName=[xxx], serverName=[yyy], eduPersonPrimaryAffiliation=[test], uid=[xxx]}

..but the login page shows a horrible stacktrace...

Error creating bean with name 'scopedTarget.org.jasig.services.persondir.support.AdditionalDescriptors#45dbf0cd': Scope 'globalSession' is not active for the current thread; consider defining a scoped proxy for this bean if you intend to refer to it from a singleton; nested exception is java.lang.IllegalStateException: No thread-bound request found: Are you referring to request attributes outside of an actual web request, or processing a request outside of the originally receiving thread? If you are actually operating within a web request and still receive this message, your code is probably running outside of DispatcherServlet/DispatcherPortlet: In this case, use RequestContextListener or RequestContextFilter to expose the current request.

I would appreciate any ideas (having the same version as 'sabordeaux')

@kevinfoote
Author

OK ... ALL ...
I'm very sorry for the long delay .. (switched jobs and moved my family across the US) wow..

So I did leave out a very important detail that @willfi pointed out on the previous post. You need to add a filter to the web.xml file to make the header attributes present in the request scope.

Here is my block from the web.xml file

<filter>
  <filter-name>requestAttributeSourceFilter</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

...then

<filter-mapping>
  <filter-name>requestAttributeSourceFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

So with those in place the attribute DAO should be able to see and extract the attributes delivered from shib.

Again apologies.. I'll update the shib wiki page also

  • Kevin

@R-Zer0

R-Zer0 commented Apr 23, 2014

Hi everyone. I have a problem with basic understanding of the configuration and communication between CAS and the Shibboleth service provider. I've made all the changes mentioned above (trusted handler configuration) and also configured Apache to interact with CAS as described in this guide (https://wiki.shibboleth.net/confluence/display/SHIB2/Shibbolize+a+CAS+server#ShibbolizeaCASserver-ApacheLocations). I see that people above were able to set up this configuration and make it work. But I don't understand how the interaction between CAS and the Shibboleth SP is basically performed. My IdP and SP are interacting with each other. But I don't see any attempts from the Shibboleth SP to send headers with attributes to CAS. I suspect that I am missing something in the apache/SP configs, but I am out of ideas what that can be. Here is an example of the apache config:

UseCanonicalName On
#ProxyPassReverse / ajp://localhost:28009/ retry=5
ProxyPass / ajp://localhost:28009/ retry=5

<Location ~ "^/cas/login">
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  ShibUseHeaders On
  Require valid-user
</Location>
<Location ~ "^/cas/serviceValidate">
  AuthType shibboleth
  ShibRequestSetting requireSession 0
  Require shibboleth
</Location>

<Location ~ "^/cas/samlValidate">
  AuthType shibboleth
  ShibRequestSetting requireSession 0
  Require shibboleth
</Location>

<Location ~ "^/cas/proxy">
  AuthType shibboleth
  ShibRequestSetting requireSession 0
  Require shibboleth
</Location>

<Location ~ "^/cas/proxyValidate">
  AuthType shibboleth
  ShibRequestSetting requireSession 0
  Require shibboleth
</Location>

I am not sure whether the proxy pass is needed or not. I've tried with and without. Also I can't find the following values to replace in my /WEB-INF/login-webflow.xml:
And 3 existing transitions need to be updated:

In the decision-state gatewayRequestCheck, replace reference to viewLoginForm by remoteAuthenticate
In the decision-state renewRequestCheck, replace reference to viewLoginForm by remoteAuthenticate
In the action-state generateServiceTicket, replace reference to viewLoginForm by remoteAuthenticate

I have only:

<decision-state id="gatewayRequestCheck">
        <if test="requestParameters.gateway != '' and requestParameters.gateway != null and flowScope.service != null" then="gatewayServicesManagementCheck" else="serviceAuthorizationCheck" />
    </decision-state>
    <decision-state id="renewRequestCheck">
        <if test="requestParameters.renew != '' and requestParameters.renew != null" then="serviceAuthorizationCheck" else="generateServiceTicket" />
    </decision-state>
    <action-state id="generateServiceTicket">
        <evaluate expression="generateServiceTicketAction" />
        <transition on="success" to ="warn" />
        <transition on="error" to="generateLoginTicket" />
        <transition on="gateway" to="gatewayServicesManagementCheck" />
    </action-state>

This is default CAS deployment configuration.

About the environment: I have configured a Shibboleth IdP (under Tomcat 7) and SP (proxied by Apache 2.2), and CAS (under Tomcat 7).
I will appreciate any help and advice.

@spliggity

I got this (mostly) working on my test site, but just as a note, I also added the following to cas-server-webapp/src/main/webapp/WEB-INF/web.xml

<listener>
  <listener-class>
    org.springframework.web.context.request.RequestContextListener
  </listener-class>
</listener>

Mentioning it because I haven't seen it in the threads above and it was key to getting this working.

@yarrasree

Hi,

Suppose I want to include the password field in the request attributeMap object. Could you please help me?

Thanks
Srinivas
