Hi there,

AFAIK, what you describe as a potential bug is behavior by design: 
when CAS authenticates a user, it stores all the attributes from the time 
of login, including those from 
*cas.person-directory.active-attribute-repository-ids*, in the SSO session, 
namely in "principal.attributes"; these attributes are basically 
*immutable*.

When CAS redirects the user to a specific service, it fetches attributes 
from the attribute repository defined for that service, if any; it is 
here that the attribute caching can apply. Fetched attributes are merged 
with the aforementioned principal attributes before being returned to the 
service (and cached). Beware that the default mergingStrategy in the CAS 
*PrincipalAttributesRepository classes is MULTIVALUED; you might want to 
change it to REPLACE.

Not sure if this is in line with what the CAS documentation says. I 
remember not quite understanding these attribute-fetching mechanisms when 
first getting started with CAS...

Best regards
Petr
On Tuesday, 8 April 2025 at 11:37:31 UTC+2 Miguel Martínez De Espronceda 
Cámara wrote:

> Hi Felix,
> Is this still not fixed in CAS-7.x versions?
> Best regards
>
>
> On Wed, 26 Jun 2024 at 5:33, 'Felix Scheinost' via CAS Community (<
> [email protected]>) wrote:
>
>> Hi all,
>>
>> we just stumbled across some behaviour that we didn't expect in CAS 6.6.x.
>>
>> We activated an `attribute-repository` using 
>> `cas.authn.attribute-repository.[...]`.
>> *We activated it globally using 
>> `cas.person-directory.active-attribute-repository-ids`*
>> The attribute repository itself works as expected, when first logging in.
>>
>> The problem arises when a new ticket is created for an existing SSO 
>> session. We expected that 
>> `cas.authn.attribute-repository.core.expiration-time` would be respected.
>>
>> Meaning that when:
>>
>>    - logging in => attribute repository is called
>>    - waiting `expiration-time`
>>    - deleting the session in the service, SSO session is still active 
>>    (due to e.g. remember me)
>>    - trying to reauthenticate in the service
>>
>> Expected behaviour
>>
>>    - CAS still has the old values of the attributes, should expire them 
>>    and update them
>>
>> Actual behaviour
>>
>>    - The attribute repositories are NOT called. Old values (from DB 
>>    attached to ticket?) used.
>>    
>> Workaround:
>>
>>    - Setting 
>>    `attributeReleasePolicy.principalAttributesRepository.attributeRepositoryIds`, 
>>    caching and mergingStrategy in every service.
>>
>> Would you consider this a bug or is there some kind of misunderstanding 
>> on our side?
>>
>> We looked into the code a little bit and think that while the login code 
>> does use the globally defined `attributeRepositoryIds`, 
>> `AbstractRegisteredServiceAttributeReleasePolicy#getAttributes` doesn't.
>>
>> When not configured in the service, 
>> `AbstractRegisteredServiceAttributeReleasePolicy` uses an empty 
>> `DefaultPrincipalAttributesRepository` with no `attributeRepositoryIds` 
>> configured.
>>
>> I think `AbstractRegisteredServiceAttributeReleasePolicy` could maybe 
>> check if `principalAttributesRepository` is customized in the YAML/JPA/... 
>> service and if not use the global defaults.
>>
>> Regards
>> Felix
>>
>> -- 
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/cb1b7191-a06a-44d6-a390-06338988dfc1n%40apereo.org
>>
>
>
> -- 
> *Miguel Martínez de Espronceda Cámara*
> Project Manager
> Universidad de Navarra
> IT Services
> Tel: +34 948 425 600 x803156
> [email protected]
>
> This email message may contain confidential information. If you are not 
> the intended recipient of this message or their agent, or if this message 
> has been addressed to you in error, please immediately alert the sender by 
> reply email and then delete this message and any attachments. The personal 
> information included in email messages exchanged with employees of the 
> University of Navarra may be stored in the database of your interlocutor 
> and/or the servers of the University for the time-period stipulated by its 
> internal information storage policy. The University stores such data for 
> purely administrative purposes, to facilitate e-mail contact between its 
> employees and third parties. The University of Navarra Privacy Policy may 
> be accessed at https://www.unav.edu/aviso-legal
>
> Before printing this e-mail or attachments, be sure it is necessary. It is 
> in our hands to protect the environment.
>

-- 
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3b7e08ce-0c41-46c2-97ec-0cc675e51260n%40apereo.org.
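As an added example (not code from this thread or from the CAS project itself), here is the per-service workaround Felix describes and Petr recommends, written as a CAS JSON service definition: the release policy is pointed at a named attribute repository, the fetched attributes are cached with a short TTL, and mergingStrategy is set to REPLACE so that a refreshed value replaces the login-time value instead of being merged with it into a multi-valued attribute. The service pattern, name and id, the repository id `ldapUsers` and the 5-minute expiration are assumptions for illustration; the repository id must match the `id` you configured under `cas.authn.attribute-repository.*`.

```json
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^https://app\\.example\\.org/.*",
  "name" : "ExampleApp",
  "id" : 1000,
  "description" : "Assumed example service; re-fetches attributes per service instead of reusing the SSO-session copy",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "mail", "memberOf" ] ],
    "principalAttributesRepository" : {
      "@class" : "org.apereo.cas.authentication.principal.cache.CachingPrincipalAttributesRepository",
      "attributeRepositoryIds" : [ "java.util.HashSet", [ "ldapUsers" ] ],
      "timeUnit" : "MINUTES",
      "expiration" : 5,
      "mergingStrategy" : "REPLACE"
    }
  }
}
```

Without the `principalAttributesRepository` element the policy falls back to a `DefaultPrincipalAttributesRepository` with no repository ids, which is the situation Felix describes: later tickets on the same SSO session are issued with the login-time attributes and the repository is not called again for that service. With the element above, the repository is consulted at most once per `expiration` window for this service, and a changed group membership or revoked entitlement in the repository shows up in the next ticket after the cache entry expires rather than persisting for the lifetime of a remember-me session.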
