You can find the parsing code here: http://grepcode.com/file/repo1.maven.org/maven2/org.jasig.cas.client/cas-client-core/3.2.1/org/jasig/cas/client/validation/Cas20ServiceTicketValidator.java#Cas20ServiceTicketValidator.extractCustomAttributes%28java.lang.String%29
In particular:

1) This code warns that "This code is here merely for sample/demonstration purposes for those wishing to modify the CAS2 protocol. You'll probably want a more robust implementation or to use SAML 1.1".

2) Based on eyeballing the code, the required format includes the following:
   a) The attributes must be surrounded by the precise strings "<cas:attributes>" and "</cas:attributes>"
   b) Each XML element's name is the attribute name (as shown below)
   c) Each XML element should be on a separate line and must have some namespace prefix (although the prefix itself is not used).

I believe that the next major CAS release is going to clean this all up...

david

> -----Original Message-----
> From: Ohsie, David [mailto:[email protected]]
> Sent: Friday, April 26, 2013 5:50 PM
> To: [email protected]
> Subject: RE: Re:[cas-user] Getting more information into cas:serviceResponse
>
> I believe that the simplest thing with Java is to use SAML validator. This
> doesn’t require any changes in the casServiceValidationSuccess.jsp. You
> mention upheaval, but unless you have advanced use cases like PGT or REST
> and programmatic access, using the SAML validator is just a different
> configuration of the Java CAS client.
>
> To your original question, the attribute parsing built into the java cas
> client is very primitive. I know that we had to do some tweaking to get it
> to work (we used it instead of SAML validate because we needed PGT support).
> I'll cut and paste what worked for us. I believe that you are correct that
> the "Name" of the attribute needs to be in the xml element itself. What is
> below is the exact formatting that comes out of ours including whitespace:
>
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> <cas:authenticationSuccess>
> <cas:user>appadmin</cas:user>
> <cas:attributes>
>
> <cas:USER_ROLES>["Security Administrator","System Administrator","User"]</cas:USER_ROLES></cas:attributes>
>
>
> </cas:authenticationSuccess>
> </cas:serviceResponse>
>
> As you can see, for multivalued attributes, we put the output into JSON
> format; you can choose to do that or not do that. Here is a .jsp snippet for
> attributes:
>
> <cas:attributes><c:forEach var="attributes" items="${assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes}"><c:set var="principal" value="${assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal}" scope="page" /> <%
>     Principal myPrincipal = (Principal)pageContext.getAttribute("principal");
>     Map<String, Object> attributesSet = myPrincipal.getAttributes();
>     for (final Entry<String, Object> e : attributesSet.entrySet()) {
>         String key=e.getKey();
>         pageContext.setAttribute("principalAttributeKey", key);
>         ArrayList aValues = new ArrayList();
>         if (e.getValue() instanceof Collection<?>) {
>             final Collection<?> c = (Collection<?>) e.getValue();
>             if (c.isEmpty()) {
>                 continue;
>             }
>             aValues.addAll(c);
>         } else {
>             aValues.add(e.getValue());
>         }
>
>         pageContext.setAttribute("principalAttributeValue", aValues);
>     }
> %>
> <c:if test="${not empty principalAttributeKey}"><cas:${principalAttributeKey}>[<c:forEach items="${principalAttributeValue}" var="attributeValue" varStatus="loop">"${attributeValue}"<c:if test="${(loop.count) < fn:length(principalAttributeValue)}">,</c:if></c:forEach>]</cas:${principalAttributeKey}></c:if></c:forEach></cas:attributes>
>
> > However, now that I have them displayed, I cannot get the attributes out
> > on the client side. I'm using the CAS20ProxyTicketValidator - not sure if
> > this is the right one to get the extra information I need - but it appears
> > as if the attributes that I created are in the wrong format. When I use the
> > casServiceValidationSuccess.jsp it puts out attributes in the following
> > format:
> >
> > <cas:attributes>
> > <cas:attribute>
> > <cas:name>myAttributeName</cas:name>
> > <cas:value>myAttributeValue</cas:value>
> > </cas:attribute>
> > </cas:attributes>
> >
> > When the proxy ticket validator iterates through the attributes, it puts
> > "name", "value" into the principal's attributes instead of
> > "myAttributeName" and "myAttributeValue" into the attributes.
> >
> > So should I even be using the CAS20ProxyTicketValidator or use the Saml
> > validator? Going to the saml validator would cause a huge upheaval and I'm
> > not comfortable doing that at this point - we might migrate later. So I'm
> > going to try and alter the jsp so that the client will understand the
> > attributes, namely:
> >
> > <cas:myAttributeName>myAttributeName</cas:myAttributeName>
> > <cas:myAttributeValue>myAttributeValue</cas:myAttributeValue>
> >
> > I'm just unsure if this is even the right approach.
> >
> > Thanks in advance for your assistance.
> >
> > Russ Baker
> > --
> > You are currently subscribed to [email protected] as:
> > [email protected] To unsubscribe, change settings or access archives,
> > see http://www.ja-sig.org/wiki/display/JSG/cas-user
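
A namespace-aware alternative to the line-based attribute parsing discussed in this thread, as an added example that is not part of the original messages or of cas-client-core: it accepts both the element-name form and the nested cas:name/cas:value form, does not depend on line breaks, and refuses DTDs. The class name CasAttributeParser and the sample responses are constructed for illustration.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

// Added example (hypothetical class, not part of cas-client-core).
public class CasAttributeParser {
    static final String CAS_NS = "http://www.yale.edu/tp/cas";

    static Map<String, List<String>> parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The validation response crosses a trust boundary: refuse DTDs (no external entities).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));

        Map<String, List<String>> out = new LinkedHashMap<>();
        NodeList blocks = doc.getElementsByTagNameNS(CAS_NS, "attributes");
        for (int i = 0; i < blocks.getLength(); i++) {
            for (Node n = blocks.item(i).getFirstChild(); n != null; n = n.getNextSibling()) {
                if (n.getNodeType() != Node.ELEMENT_NODE) continue; // skip whitespace text nodes
                Element e = (Element) n;
                NodeList names = e.getElementsByTagNameNS(CAS_NS, "name");
                NodeList values = e.getElementsByTagNameNS(CAS_NS, "value");
                // Nested form: <cas:attribute><cas:name>..</cas:name><cas:value>..</cas:value>
                boolean nested = "attribute".equals(e.getLocalName())
                        && names.getLength() == 1 && values.getLength() == 1;
                String key = nested ? names.item(0).getTextContent().trim() : e.getLocalName();
                String val = nested ? values.item(0).getTextContent() : e.getTextContent();
                out.computeIfAbsent(key, k -> new ArrayList<>()).add(val.trim());
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        String head = "<cas:serviceResponse xmlns:cas='" + CAS_NS + "'><cas:authenticationSuccess>"
                + "<cas:user>appadmin</cas:user><cas:attributes>";
        String tail = "</cas:attributes></cas:authenticationSuccess></cas:serviceResponse>";
        // Constructed samples: element-name form on a single line, then the nested form.
        System.out.println(parse(head + "<cas:USER_ROLES>[\"User\"]</cas:USER_ROLES>"
                + "<cas:dept>IT</cas:dept>" + tail));
        System.out.println(parse(head + "<cas:attribute><cas:name>myAttributeName</cas:name>"
                + "<cas:value>myAttributeValue</cas:value></cas:attribute>" + tail));
    }
}
```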
