I have had some luck creating a custom web flow action and getting hold of the principal using:

    // Look up the TGT for this web flow and read the authenticated principal from it
    TicketGrantingTicket t = (TicketGrantingTicket) ticketRegistry.getTicket(WebUtils.getTicketGrantingTicketId(context));
    Authentication authentication = t.getAuthentication();
    Principal principal = authentication.getPrincipal();

Hopefully this is a reasonable thing to do. I was thinking, if I create a custom login page for re-authentication containing input for just the password, then added my custom action after the bindandvalidate state, how could I get my newly retrieved username into the credentials ready for the submit action state?

On Thursday, September 5, 2013 9:52:15 AM UTC+1, [email protected] wrote:
>
> Hi Jérôme,
>
> Thank you for your assistance (and apologies for the delay in my reply).
> I have managed to add an action into the webflow after renewRequestCheck and before viewLoginForm (note I'm using cas 3.3.1 if it matters).
> I currently have injected into my new action, CentralAuthenticationService and TicketRegistry and have access to the tgtid using WebUtils.getTicketGrantingTicketId, but I can't see where to get the username from.
> Any pointers?
>
> Thank you.
>
> On Tuesday, August 27, 2013 7:56:12 AM UTC+1, Jérôme LELEU wrote:
>>
>> Hi,
>>
>> The CAS server behaves according to what is defined in its webflow: https://github.com/Jasig/cas/blob/3.5.x/cas-server-core/src/main/java/org/jasig/cas/web/flow/InitialFlowSetupAction.java
>>
>> In this case, we'd like to have a login page not displaying the "username" field if the user is already authenticated (just the password field).
>>
>> You need two changes:
>> - in the webflow, before displaying the login page, add a new expression (around line 128) to evaluate if the user is already authenticated and his username (be aware that the TGT id is in the webflow: https://github.com/Jasig/cas/blob/3.5.x/cas-server-core/src/main/java/org/jasig/cas/web/flow/InitialFlowSetupAction.java, so you would need to query the tickets registry with that)
>> - in the login page, add the appropriate logic: https://github.com/Jasig/cas/blob/3.5.x/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui/casLoginView.jsp
>>
>> Best regards,
>> Jérôme
>>
>> 2013/8/22 <[email protected]>
>>
>>> Renew does sound like it should renew an existing identity.
>>> I'm afraid I'm a bit of a newbie when it comes to customising cas. Do you have any pointers for where to start? Any wiki articles? Or do I need to start trawling source code? Regardless, thank you very much for your help.
>>>
>>> On Thursday, August 22, 2013 9:32:03 AM UTC+1, Jérôme LELEU wrote:
>>>>
>>>> Hi,
>>>>
>>>> There were several discussions about the renew parameter, especially when we wrote the LOA specifications.
>>>> I'm in favor of blocking new identity when using the renew parameter: it should only be possible to check the password.
>>>> But we didn't reach any clear agreement on this, so I guess it will stay a customization for now.
>>>> Best regards,
>>>> Jérôme
>>>>
>>>> 2013/8/22 <[email protected]>
>>>>
>>>>> That sounds like exactly what I want, I was hoping there was a native mechanism to support that and initially wondered if renew was it but I guess not.
>>>>>
>>>>> On Thursday, August 22, 2013 7:26:15 AM UTC+1, Jérôme LELEU wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> What would be the expected behaviour when the user is already authenticated and requested to login again?
>>>>>> Do you want the login page to have the username already fixed by the previous authentication and only the password can be edited? Because I'm pretty sure that this can be easily achieved with a customization.
>>>>>> Best regards,
>>>>>> Jérôme
>>>>>>
>>>>>> 2013/8/21 <[email protected]>
>>>>>>
>>>>>>> Thank you very much for the responses. I suspect I didn't explain myself very well. The idea is that the user logs onto the web application with a username and password through cas. They are then free to use the system. If they attempt to click the "edit my profile" link they are then asked to provide their password again before they can see that screen - to mitigate against a user leaving their browser logged in, walking away and someone sitting down and changing their details. Similar to the way Amazon deals with editing a profile.
>>>>>>>
>>>>>>> I have tried to redirect to login with renew=true when the profile page is requested and indeed authentication is requested but at that point any valid account seems to work as it is requesting fresh credentials. I am really only after them entering the password for the logged in account at that point.
>>>>>>>
>>>>>>> Any ideas?
>>>>>>>
>>>>>>> Thanks for any help.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
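
The behaviour asked for in this thread (on renew, only the password of the already logged-in account is accepted), as an added example that is not part of the original messages and is not CAS code. The two maps and the `reauthenticate` method are hypothetical stand-ins for the ticket registry and the authentication handler, and all account data is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

// Constructed model of the renew step; these types are hypothetical stand-ins, not CAS classes.
public class RenewReauthExample {
    enum Result { OK, NO_SESSION, BAD_PASSWORD }

    // Stand-in for the ticket registry: TGT id -> principal id of the existing SSO session.
    static final Map<String, String> TICKETS = new HashMap<>();
    // Stand-in for the authentication handler's user store (constructed sample accounts).
    static final Map<String, String> PASSWORDS = new HashMap<>();

    // The account is chosen from the TGT only; postedUsername is what the browser sent
    // (for example a hidden or pre-filled field) and never selects the account.
    static Result reauthenticate(String tgtId, String postedUsername, String password) {
        String principal = (tgtId == null) ? null : TICKETS.get(tgtId);
        if (principal == null) {
            return Result.NO_SESSION; // no usable TGT: show the normal username+password form
        }
        String expected = PASSWORDS.get(principal);
        if (expected == null || password == null) {
            return Result.BAD_PASSWORD;
        }
        boolean match = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
        return match ? Result.OK : Result.BAD_PASSWORD;
    }

    public static void main(String[] args) {
        TICKETS.put("TGT-1-constructed", "alice");
        PASSWORDS.put("alice", "alice-pw");
        PASSWORDS.put("bob", "bob-pw");

        // Logged-in user re-enters her own password.
        System.out.println(reauthenticate("TGT-1-constructed", "alice", "alice-pw"));
        // A different valid account is posted on the renew form: rejected, because the
        // password is checked against the TGT's principal, not against "bob".
        System.out.println(reauthenticate("TGT-1-constructed", "bob", "bob-pw"));
        // Missing or unknown TGT: not a re-authentication at all.
        System.out.println(reauthenticate(null, "alice", "alice-pw"));
    }
}
```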
