I just puzzled out how to use
org.jasig.services.persondir.support.jdbc.MultiRowJdbcPersonAttributeDao
when retrieving results from a database. I didn't see any helpful
examples from Google searches, so I thought I'd share what I found out
in case it's helpful to someone down the line.
I'm using CAS 3.3.1. My goal here is to sort users into groups for use
with EZProxy. EZProxy apparently does not use SAML, so to get attributes
you have to modify your casServiceValidationSuccess.jsp file and add
this section somewhere in the middle of
"cas:serviceResponse/cas:authenticationSuccess":
<c:if test="${fn:length(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes) > 0}">
  <cas:attributes>
    <c:forEach var="attr"
        items="${assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes}"
        begin="0"
        end="${fn:length(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes)-1}"
        step="1">
      <cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(attr.value)}</cas:${fn:escapeXml(attr.key)}>
    </c:forEach>
  </cas:attributes>
</c:if>
I have a SQL Server query which accepts a username and returns a one
column table containing all the groups the person belongs to:
select * from dbo.udf_GetGroups('aaron.chantrill')
---------
| *Group* |
---------
| Staff |
---------
| IT |
---------
What I wanted to do was populate an attribute <cas:group> with the
result set.
With MultiRow, it is assumed that one row contains the name of the
attribute, and the other row contains the value, so I had to change my
query to add a column containing "group" in each row and changed the
column names to attr_nm and attr_vl to match the examples I was seeing
online:
select 'group' as attr_nm,[group] as attr_vl from dbo.udf_GetGroups(?);
---------------------
| *attr_nm* | *attr_vl* |
---------------------
| Group | Staff |
---------------------
| Group | IT |
---------------------
Mapping the name and value is done using a map under the
nameValueColumnMappings property:
<bean id="attributeRepository"
    class="org.jasig.services.persondir.support.jdbc.MultiRowJdbcPersonAttributeDao">
  <constructor-arg index="0" ref="dataSource"/>
  <constructor-arg index="1" value="username"/>
  <constructor-arg index="2">
    <value>
      select 'group' as attr_nm,[group] as attr_vl from dbo.udf_GetGroups(?);
    </value>
  </constructor-arg>
  <property name="nameValueColumnMappings">
    <map>
      <entry key="attr_nm" value="attr_vl"/>
    </map>
  </property>
</bean>
For a result, I was expecting this:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>aaron.chantrill</cas:user>
<cas:attributes>
<cas:group>Staff</cas:group>
<cas:group>IT</cas:group>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>
Which would have worked well with EZProxy:
Test //*/cas:group Staff; Group +Employee
(this adds the user to the Employee group if the CAS response contains a
cas:group element anywhere with an inner value of "Staff")
Alas, the actual response was:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>aaron.chantrill</cas:user>
<cas:attributes>
<cas:group>[Staff, IT]</cas:group>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>
I tried changing my EZProxy to use a regular expression:
Test -RE //*/cas:group .*[\[,]\sStaff[\],].*; Group +Employee
but got an "Invalid Regular Expression" error. Unfortunately, I haven't
found any good documentation on writing regular expressions for EZProxy.
In the end, I used SingleRowJdbcPersonAttributeDao and built the groups
list manually on the data server so I could bookend it with commas and use:
Test -RE //*/cas:group .*, Staff,.*; Group +Employee
Thanks,
Aaron
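
Added example, not part of the original post: a Python check that pulls exact group names out of the three cas:group shapes discussed above (one element per group, the flattened "[Staff, IT]" string, and a comma-bookended string), so a group decision rests on an exact name rather than a substring. The function names, the ", Staff, IT," layout of the bookended value and the "NonStaff" group are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

def make_response(attributes_xml):
    """Build a constructed CAS success response around the given attributes."""
    return ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
            "<cas:authenticationSuccess><cas:user>aaron.chantrill</cas:user>"
            "<cas:attributes>" + attributes_xml + "</cas:attributes>"
            "</cas:authenticationSuccess></cas:serviceResponse>")

# Constructed samples: the three shapes discussed in the post, plus a near-miss.
EXPECTED = make_response("<cas:group>Staff</cas:group><cas:group>IT</cas:group>")
FLATTENED = make_response("<cas:group>[Staff, IT]</cas:group>")
BOOKENDED = make_response("<cas:group>, Staff, IT,</cas:group>")
NEAR_MISS = make_response("<cas:group>[NonStaff, IT]</cas:group>")  # hypothetical group

def groups_from_response(xml_text):
    """Return the exact group names found in every cas:group element."""
    root = ET.fromstring(xml_text)
    groups = set()
    for element in root.findall(".//cas:attributes/cas:group", CAS_NS):
        text = (element.text or "").strip()
        # A multi-valued attribute printed as one string looks like "[Staff, IT]".
        if text.startswith("[") and text.endswith("]"):
            text = text[1:-1]
        # Splitting on commas also covers the comma-bookended ", Staff, IT," form.
        # Assumption: group names themselves never contain a comma.
        groups.update(part.strip() for part in text.split(",") if part.strip())
    return groups

def in_group(xml_text, name):
    """Exact-name membership test; never a substring or unanchored regex match."""
    return name in groups_from_response(xml_text)

if __name__ == "__main__":
    for label, doc in [("expected", EXPECTED), ("flattened", FLATTENED),
                       ("bookended", BOOKENDED), ("near miss", NEAR_MISS)]:
        print(label, sorted(groups_from_response(doc)), in_group(doc, "Staff"))
```

The near-miss sample contains the text "Staff" inside "NonStaff", which a plain substring test would accept and the exact-name test rejects.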