On Thu, 19 Apr 2012, Dmitriy Kopylenko wrote:
> No, the registry code does not include the authorization
> checks. That code is implementation specific and needs to be
> developed.
>
> If anything, can you post your regular service registry DAO config
> as well as JSON registry config, in order to see what's going on?
>
> Dmitriy.
I hope this is the info you mean. This is all from
deployerConfigContext.xml.
Initially I have this for serviceRegistryDao and attributeRepository:
<bean id="serviceRegistryDao"
      class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />

<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="contextSource" ref="contextSource" />
    <property name="baseDN" value="ou=People,dc=GSLIS" />
    <property name="requireAllQueryAttributes" value="true" />
    <!--
        Attribute mapping between principal (key) and LDAP (value) names
        used to perform the LDAP search. By default, multiple search criteria
        are ANDed together. Set the queryType property to change to OR.
    -->
    <property name="queryAttributeMapping">
        <map>
            <entry key="username" value="uid" />
        </map>
    </property>
    <!-- Mapping between LDAP entry attributes (key) and Principal's (value) -->
    <property name="resultAttributeMapping">
        <map>
            <entry value="FirstName" key="givenName" />
            <entry value="LastName" key="sn" />
            <entry value="Name" key="displayName" />
            <entry value="Tokens" key="acctAuthToken" />
        </map>
    </property>
</bean>
When I login to my test site with mod_auth_cas, I get the following
among the environment variables (I have things configured in Apache
there to get these variable names):
HTTP_CAS_AUTHENTICATIONMETHOD=urn:oasis:names:tc:SAML:1.0:am:unspecified
HTTP_CAS_FIRSTNAME=Milt
HTTP_CAS_LASTNAME=Epstein
HTTP_CAS_NAME=Milt Epstein
HTTP_CAS_TOKENS=<value deleted>
HTTP_CAS_USER=mepstein
Then I switch serviceRegistryDao to:
<!--
    In-memory data store for the ServiceRegistry that reads the
    services definition from /etc/cas/servicesRegistry.conf JSON file
-->
<lang:groovy id="serviceRegistryDao"
             script-source="/WEB-INF/groovy/JsonServiceRegistryDao.groovy"
             init-method="init">
    <lang:property name="servicesConfigFile"
                   value="file:/etc/cas/servicesRegistry.conf"/>
</lang:groovy>
And /etc/cas/servicesRegistry.conf is (I simplified this from what I
had previously, but I still get the same behavior with regard to the
attributes):
{
  "services": [
    {
      "id": "1",
      "serviceId": "https://cas.lis.illinois.edu/cas/services/**",
      "name": "CAS Services Management Application",
      "description": "CAS Services Management Application",
      "evaluationOrder": "1",
      "extraAttributes": {
        "authzAttributes": {
          "eduPersonAffiliation": ["student_current", "alumni"]
        },
        "unauthorizedRedirectUrl": "https://cas.lis.illinois.edu/cas/logout"
      }
    },
    {
      "id": "2",
      "serviceId": "https://dhcp.lis.illinois.edu/**",
      "name": "GSLIS DHCP",
      "description": "GSLIS DHCP",
      "evaluationOrder": "2",
      "extraAttributes": {
        "authzAttributes": {
          "eduPersonAffiliation": ["employee", "nb_employee"]
        },
        "unauthorizedRedirectUrl": "https://cas.lis.illinois.edu/cas/logout"
      }
    }
  ]
}
After this, the only related environment variable I get is:
HTTP_CAS_USER=mepstein
The others aren't present anymore.
Any help appreciated.
Milt Epstein
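Dmitriy's point that the authorization check is implementation specific can be made concrete. The block below is an added example, not code from this thread or from the Unicon cas-addons registry: it parses the servicesRegistry.conf posted above, matches a service URL against the ant-style serviceId, enforces authzAttributes as Bill describes (redirect to unauthorizedRedirectUrl when the user lacks every accepted value), and then applies a release filter. The allowedAttributes and ignoreAttributes fields are assumptions modelled on the CAS 3.x RegisteredService; the posted JSON sets neither.

```python
import json
import re
# Constructed copy of the two service definitions posted in the thread.
SERVICES_JSON = """{"services": [
  {"id": "1", "serviceId": "https://cas.lis.illinois.edu/cas/services/**",
   "evaluationOrder": "1", "extraAttributes": {
     "authzAttributes": {"eduPersonAffiliation": ["student_current", "alumni"]},
     "unauthorizedRedirectUrl": "https://cas.lis.illinois.edu/cas/logout"}},
  {"id": "2", "serviceId": "https://dhcp.lis.illinois.edu/**",
   "evaluationOrder": "2", "extraAttributes": {
     "authzAttributes": {"eduPersonAffiliation": ["employee", "nb_employee"]},
     "unauthorizedRedirectUrl": "https://cas.lis.illinois.edu/cas/logout"}}]}"""
SERVICES = json.loads(SERVICES_JSON)["services"]

def ant_to_regex(pattern):
    """Ant-style serviceId pattern: ** spans '/', while * and ? do not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        out.append({"*": "[^/]*", "?": "[^/]"}.get(pattern[i], re.escape(pattern[i])))
        i += 1
    return "^" + "".join(out) + "$"

def find_service(services, url):
    """First matching service in evaluationOrder, as the posted config intends."""
    for svc in sorted(services, key=lambda s: int(s.get("evaluationOrder", 0))):
        if re.match(ant_to_regex(svc["serviceId"]), url):
            return svc
    return None

def authorize(services, url, principal):
    """Return ('deny', None), ('redirect', url) or ('allow', released_attrs)."""
    svc = find_service(services, url)
    if svc is None:
        return "deny", None  # unregistered service: no ticket at all
    extra = svc.get("extraAttributes", {})
    for name, accepted in extra.get("authzAttributes", {}).items():
        have = principal.get(name, [])
        have = [have] if isinstance(have, str) else have
        if not set(have) & set(accepted):  # none of the accepted values present
            return "redirect", extra.get("unauthorizedRedirectUrl")
    # Release filter (assumed, after CAS 3.x RegisteredService): only allowedAttributes
    # leave CAS unless ignoreAttributes is set; the posted JSON sets neither.
    if svc.get("ignoreAttributes"):
        return "allow", dict(principal)
    allowed = set(svc.get("allowedAttributes", []))
    return "allow", {k: v for k, v in principal.items() if k in allowed}
```

With the two posted definitions an authorized user still gets an empty attribute set back, because no attributes are listed for release; adding an allowedAttributes list to a definition changes that.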
> On Apr 19, 2012, at 6:19 PM, Milt Epstein <[email protected]> wrote:
>
> > Hi. Got a few followup questions related to this.
> >
> > Someone had mentioned this JSON-based Services Registry recently on
> > this list, so I had asked for the code and deployed it.
> >
> > It worked -- that is, CAS still worked, I could log in -- but I found
> > that I had lost the attributes I had set up being passed to my CAS
> > client (I have a test site set up with mod_auth_cas -- so using
> > org.jasig.cas.services.InMemoryServiceRegistryDaoImpl as the
> > serviceRegistryDao, I got the attributes, but using this JSON-based
> > Services Registry, I didn't). Any idea what's going on with that --
> > why they're not being sent, and what I can do to fix that?
> >
> > Second, you mention that with this configuration, the authzAttributes
> > must be satisfied by the user. Is some additional code/configuration
> > required for that to work? With what I have deployed, I don't see how
> > that would get checked (e.g., I don't see anything that's
> > using/checking extraAttributes or authzAttributes).
> >
> > Thanks.
> >
> > Milt Epstein
> >
> >
> > On Mon, 16 Apr 2012, William G. Thompson, Jr. wrote:
> >
> >> Hi Dave,
> >>
> >> The solution is based on a new JSON-based Services Registry and some
> >> custom logic in the login flow. The JSON services config specifies
> >> which user attributes must be present in order to grant a service
> >> ticket. If the user is unauthorized they get redirected to an
> >> unauthorizedRedirectUrl.
> >>
> >>
> >> The JSON looks like this:
> >> "services":[
> >> {
> >> "id":"1",
> >> "serviceId":"https://www.google.com",
> >> "name":"GOOGLE",
> >> "description":"Test Google service",
> >> "extraAttributes":{
> >> "authzAttributes":{
> >> "eduPersonAffiliation":["student_current", "alumni"]
> >> },
> >> "unauthorizedRedirectUrl":"https://www.google.com?q=un"
> >> }
> >>
> >> This says the user must have an eduPersonAffiliation of either
> >> student_current or alumni, otherwise they get redirected to
> >> https://www.google.com?q=un.
> >>
> >> The JSON Registry is available here:
> >> https://github.com/Unicon/cas-addons/tree/master/src/main/java/net/unicon/cas/addons/serviceregistry
> >>
> >> Hopefully we'll have a session on this at the Jasig/Sakai conference in
> >> June.
> >>
> >> Best
> >> Bill
> > [ ... ]
> >
> > Milt Epstein
> > Applications Developer
> > Graduate School of Library and Information Science (GSLIS)
> > University of Illinois at Urbana-Champaign (UIUC)
> > [email protected]
> >
> > --
> > You are currently subscribed to [email protected] as:
> > [email protected]
> > To unsubscribe, change settings or access archives, see
> > http://www.ja-sig.org/wiki/display/JSG/cas-user
>
Milt Epstein
Applications Developer
Graduate School of Library and Information Science (GSLIS)
University of Illinois at Urbana-Champaign (UIUC)
[email protected]