Hi all, we just stumbled across some behaviour that we didn't expect in CAS 6.6.x.

We activated an `attribute-repository` using `cas.authn.attribute-repository.[...]`. *We activated it globally using `cas.person-directory.active-attribute-repository-ids`*

The attribute repository itself works as expected when first logging in. The problem arises when, for an existing SSO session, a new ticket is created. We expected that `cas.authn.attribute-repository.core.expiration-time` would be respected. Meaning that when:

- logging in => attribute repository is called
- waiting `expiration-time`
- deleting the session in the service, SSO session is still active (due to e.g. remember me)
- trying to reauthenticate in the service

Expected behaviour
- CAS still has the old values of the attributes, should expire them and update them

Actual behaviour
- The attribute repositories are NOT called. Old values (from DB attached to ticket?) used.

Workaround:
- Setting `attributeReleasePolicy.principalAttributesRepository.attributeRepositoryIds`, caching and mergingStrategy in every service.

Would you consider this a bug or is there some kind of misunderstanding on our side?

We looked into the code a little bit and think that while the login code does use the globally defined `attributeRepositoryIds`, `AbstractRegisteredServiceAttributeReleasePolicy#getAttributes` doesn't. When not configured in the service, `AbstractRegisteredServiceAttributeReleasePolicy` uses an empty `DefaultPrincipalAttributesRepository` with no `attributeRepositoryIds` configured. I think `AbstractRegisteredServiceAttributeReleasePolicy` could maybe check if `principalAttributesRepository` is customized in the YAML/JPA/... service and if not use the global defaults.

Regards
Felix
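
The per-service workaround described in the message above, sketched as a JSON service definition. This is an added example, not part of the original post and not the poster's actual configuration. The service id pattern, numeric id, release policy class, the repository id `exampleRepositoryId`, the 30-minute expiration and the `REPLACE` merging strategy are all constructed placeholders.

```json
{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "serviceId": "^https://app\\.example\\.org/.*",
  "name": "Constructed example service (placeholder values)",
  "id": 1001,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
    "principalAttributesRepository": {
      "@class": "org.apereo.cas.authentication.principal.cache.CachingPrincipalAttributesRepository",
      "timeUnit": "MINUTES",
      "expiration": 30,
      "mergingStrategy": "REPLACE",
      "attributeRepositoryIds": ["java.util.HashSet", ["exampleRepositoryId"]]
    }
  }
}
```

The value in `attributeRepositoryIds` has to match the id of a repository defined under `cas.authn.attribute-repository.[...]`, and the block has to be repeated in each service that needs refreshed attributes.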
