
Hopefully these notes will evolve into a more formal tutorial.

This example assumes user roles are stored in a database like so:

mysql> select * from VW_USER_ROLES;
+----+-----------+---------------+
| ID | LOGINNAME | ROLENAME      |
+----+-----------+---------------+
|  1 | me        | DEBUG         |
|  1 | me        | Super User    |
+----+-----------+---------------+

Currently works with SAML 1.1 from Jasig, or by utilizing the server add-on https://github.com/Unicon/cas-addons/wiki/Configuring-JSON-Validation-Response (server version 3.5.1 and above) together with the client add-on https://github.com/Unicon/cas-java-clients-addons (client version 3.2.1).

(For CAS 2.0 see http://www.ja-sig.org/issues/browse/CAS-655.)

  • Client Mods
    • dependencies

      <dependency>
        <groupId>org.apache.santuario</groupId>
        <artifactId>xmlsec</artifactId>
        <version>1.4.5</version>
      </dependency>
      
      <dependency>
        <groupId>org.opensaml</groupId>
        <artifactId>opensaml</artifactId>
        <version>1.1b</version>
      </dependency>
      
    • org.jasig.cas.client.authentication.Saml11AuthenticationFilter
    • org.jasig.cas.client.validation.Saml11TicketValidationFilter
    • org.jasig.cas.client.util.HttpServletRequestWrapperFilter
    • Add an init-param to HttpServletRequestWrapperFilter so that the USER_ROLE attribute released by the server is exposed through request.isUserInRole():

      <init-param>
        <param-name>roleAttribute</param-name>
        <param-value>USER_ROLE</param-value>
      </init-param>
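    The page lists the filter classes but not how they are wired together. The web.xml fragment below is an added example (not part of the original page or of the Jasig client) showing the three filters in the order they must run: authenticate, validate the SAML 1.1 artifact, then wrap the request so role checks see USER_ROLE. The hostnames cas.example.org and app.example.org are placeholders, and the init-param names are the standard ones of the Jasig Java client (casServerLoginUrl, serverName, casServerUrlPrefix, roleAttribute).

```xml
<!-- Added example: web.xml fragment for the Client Mods listed above.
     cas.example.org / app.example.org are placeholder hosts. -->

<!-- 1. Redirects unauthenticated users to the CAS login page (SAML 1.1 flavour,
        which sends TARGET= instead of service=). -->
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://cas.example.org/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://app.example.org</param-value>
  </init-param>
</filter>

<!-- 2. Validates the SAMLart returned by CAS and stores the assertion
        (principal plus released attributes such as USER_ROLE) in the session. -->
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://cas.example.org/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://app.example.org</param-value>
  </init-param>
</filter>

<!-- 3. Wraps the request: getRemoteUser()/getUserPrincipal() return the CAS principal
        and isUserInRole(x) is true when x is one of the USER_ROLE attribute values. -->
<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  <init-param>
    <param-name>roleAttribute</param-name>
    <param-value>USER_ROLE</param-value>
  </init-param>
</filter>

<!-- Filter mappings are applied in declaration order; keep this order. -->
<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

    Two things to check when role checks come back false: the value of roleAttribute must match the attribute name released by the server (the 'USER_ROLE' alias in the server query and the allowedAttributes entry of the registered service), and the wrapper only affects what request.isUserInRole() returns to your own servlets and JSPs; it does not participate in container-managed security-constraint enforcement, so role checks belong in application code.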
      
  • Server Mods

    In deployerConfigContext.xml add:

    <!-- Person-directory DAO that turns the rows of VW_USER_ROLES into one
         multi-valued attribute. {0} is replaced by the DAO with the WHERE clause
         built from queryAttributeMapping (LOGINNAME = ?); the literal 'USER_ROLE'
         in the attr_name column becomes the attribute name and ROLENAME supplies
         its values, one per row. -->
    <bean id="multiRowJdbcPersonAttributeDao" class="org.jasig.services.persondir.support.jdbc.MultiRowJdbcPersonAttributeDao">
       <constructor-arg index="0" ref="dataSource" />
       <constructor-arg index="1" value="select LOGINNAME, 'USER_ROLE' as attr_name, ROLENAME FROM VW_USER_ROLES WHERE {0}" />
       <property name="nameValueColumnMappings">
           <map>
              <entry key="attr_name" value="ROLENAME" />
           </map>
       </property>
       <property name="queryAttributeMapping">
           <map>
              <entry key="username" value="LOGINNAME" />
           </map>
       </property>
    </bean>
    
     
    ...
     
    <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    	<property name="credentialsToPrincipalResolvers">
    		<list>
    			<bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" >
    				<property name="attributeRepository" ref="multiRowJdbcPersonAttributeDao"/>
    			</bean>
    ...
  • Runtime changes
    • In Services Management (i.e. /cas/services/), edit the service and select 'Ignore Attribute Management via this Tool'.


    If you are using InMemoryServiceRegistryDaoImpl as the serviceRegistryDao (the default configuration), edits made in the management tool are lost when cas-server restarts. To avoid re-editing the service after each restart, add the property to the corresponding service definition in deployerConfigContext.xml:

    <bean class="org.jasig.cas.services.RegisteredServiceImpl">
    ...
      <property name="allowedAttributes">
        <list>
          <value>USER_ROLE</value>
        </list>
      </property>
    ...
