I couldn’t get that to work either. In my user details I pull in my attributes
using code like:
    // set up the list of granted authorities to return
    List<GrantedAuthority> l = new ArrayList<GrantedAuthority>();
    // The assertion holder is available because of the
    // org.jasig.cas.client.util.AssertionThreadLocalFilter being used
    // and the fact that the casValidationFilter has useSession set to true
    final Assertion assertion = AssertionHolder.getAssertion();
    final AttributePrincipal principal = assertion.getPrincipal();
    final Map<String, Object> attributes = principal.getAttributes();
    if (attributes != null) {
        // check the returned attributes in order to add the appropriate
        // authorities
        if (attributes.containsKey(Keys.ImportantAttribute.getKey())) {
            // add appropriate GrantedAuthority
        }
    }
All the attributes I am checking for are in an enum, and I changed any business
specific variable names and comments in this code blurb.
From: Jayakumar Jayaraman [mailto:[email protected]]
Sent: Friday, October 17, 2014 4:06 AM
To: [email protected]
Subject: [cas-user] CAS 4 - Spring Security - Not able to set granted
authorities after successful authentication - Is it a bug ?
Hi Guys
I am using CAS 4 - Spring Security - Active directory.
Has anyone been able to successfully set the granted authorities from the roles
retrieved after successful authentication?
Internet searches suggest using
'GrantedAuthorityFromAssertionAttributesUserDetailsService', which would set the
granted authorities, but I am not able to.
I am releasing this variable 'role' using allowedAttributes in the service.
I am also able to retrieve the role from LDAP and assign it to the role
variable as below,
<beans:bean id="authenticationUserDetailsService"
    class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService">
    <beans:constructor-arg>
        <beans:array>
            <beans:value>role</beans:value>
        </beans:array>
    </beans:constructor-arg>
</beans:bean>
When I try to check hasRoles('MY_ROLE'), I get access denied (403), and it seems I
am not able to set the retrieved roles on granted authorities.
10:00:24,340 DEBUG http-bio-8443-exec-10
intercept.FilterSecurityInterceptor:310 - Previously Authenticated:
org.springframework.security.cas.authentication.CasAuthenticationToken@e848bc56:
Principal:
org.springframework.security.core.userdetails.User@a4b4d0a7:
Username: taylorj; Password: [PROTECTED]; Enabled: true; AccountNonExpired:
true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any
authorities; Credentials: [PROTECTED]; Authenticated: true; Details:
org.springframework.security.web.authentication.WebAuthenticationDetails@b364:
RemoteIpAddress: 10.100.20.125; Session
Id: 4652D17239607600EF2748E939F70BB0; Not granted any authorities Assertion:
org.jasig.cas.client.validation.AssertionImpl@4a269585
Credentials (Service/Proxy Ticket): ST-1-tuVjcs2BP2UvyVUe50bZ-cas01.xxxx
Has anyone tested this feature?
Is this working in CAS 4, or is it a bug?
Thanks
Jay
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
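
The approach described in the reply at the top of this thread (build the authority list yourself from the assertion attributes) can be written as a Spring Security CAS user details service. This is an added example, not code from either poster or from the CAS or Spring projects; the class name AssertionRoleUserDetailsService is hypothetical, and the attribute name passed to it ("role" in the original question) is an assumption about what the CAS service releases.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;

import org.jasig.cas.client.validation.Assertion;
import org.springframework.security.cas.userdetails.AbstractCasAssertionUserDetailsService;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

// Hypothetical class: maps one released CAS attribute to granted authorities.
public class AssertionRoleUserDetailsService extends AbstractCasAssertionUserDetailsService {
    private static final Logger LOG = Logger.getLogger(AssertionRoleUserDetailsService.class.getName());
    private static final String NO_PASSWORD = "NO_PASSWORD"; // User rejects a null password
    private final String attributeName; // assumption: e.g. "role"

    public AssertionRoleUserDetailsService(String attributeName) {
        this.attributeName = attributeName;
    }

    @Override
    protected UserDetails loadUserDetails(Assertion assertion) {
        String user = assertion.getPrincipal().getName();
        Map<String, Object> attributes = assertion.getPrincipal().getAttributes();
        Object value = (attributes == null) ? null : attributes.get(attributeName);

        // The attribute may arrive as a single value or as a collection of values.
        Collection<?> values;
        if (value == null) values = Collections.emptyList();
        else if (value instanceof Collection) values = (Collection<?>) value;
        else values = Collections.singletonList(value);

        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (Object v : values) {
            String name = (v == null) ? "" : v.toString().trim();
            if (!name.isEmpty()) authorities.add(new SimpleGrantedAuthority(name));
        }
        if (authorities.isEmpty()) {
            // Fail closed (no authorities) but record which attribute names did arrive.
            LOG.warning("No '" + attributeName + "' values in assertion for " + user
                    + "; attribute names present: " + (attributes == null ? "none" : attributes.keySet()));
        }
        return new User(user, NO_PASSWORD, true, true, true, true, authorities);
    }
}
```

When the warning fires, the assertion reaching the client did not carry the attribute at all, so the place to look is attribute release and ticket validation rather than the authority mapping.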