Hi Nancy

Thanks for the useful information.

I am trying to use this feature and trying hard but could not find a
solution for weeks....
Basically after authentication we want to set the roles in the spring
security context, so that it can be used by the other services for
authorisation.

Not sure what other ways I could achieve this ???

On related searches I came across these classes.... will see if this could
help...

DefaultLdapAuthoritiesPopulator
UserDetailsServiceLdapAuthoritiesPopulator

Cheers
Jay


On Fri, Oct 17, 2014 at 2:38 PM, Nancy Snoke <[email protected]> wrote:

> I couldn’t get that to work either.  In my user details I pull in my
> attributes using code like:
>
>     // set up the list of granted authorities to return
>     List<GrantedAuthority> l = new ArrayList<GrantedAuthority>();
>
>     // The assertion holder is available because of the
>     // org.jasig.cas.client.util.AssertionThreadLocalFilter is being used
>     // and the fact that in the
>     // the casValidationFilter has useSession set to true
>     final Assertion assertion = AssertionHolder.getAssertion();
>     final AttributePrincipal principal = assertion.getPrincipal();
>     final Map<String, Object> attributes = principal.getAttributes();
>
>     if (attributes != null) {
>         // check the return attributes in order to add the appropriate
>         // authorities
>         if (attributes.containsKey(Keys.ImportantAttribute.getKey())) {
>             // add appropriate GrantedAuthority
>         }
>     }
>
> All the attributes I am checking for are in an enum, and I changed any
> business specific variable names and comments in this code blurb.
>
> *From:* Jayakumar Jayaraman [mailto:[email protected]]
> *Sent:* Friday, October 17, 2014 4:06 AM
> *To:* [email protected]
> *Subject:* [cas-user] CAS 4 - Spring Security - Not able to set granted
> authorities after successful authentication - Is it a bug ?
>
>
>
> Hi Guys
>
> I am using CAS 4 - Spring Security - Active directory.
>
> Has anyone been able to successfully set the granted authorities from the
> roles retrieved after successful authentication?
>
> Internet searches suggest using
> 'GrantedAuthorityFromAssertionAttributesUserDetailsService', which would set
> the granted authorities, but I am not able to.
>
> I am releasing this variable 'role' using allowedAttributes in the service.
>
> I am also able to retrieve the role from LDAP and assign it to the role
> variable as below,
>
>     <beans:bean id="authenticationUserDetailsService"
>         class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService">
>       <beans:constructor-arg>
>           <beans:array>
>               <beans:value>role</beans:value>
>           </beans:array>
>       </beans:constructor-arg>
>     </beans:bean>
>
> When I try to check hasRoles('MY_ROLE'), I get access denied 403 and it
> seems I am not able to set the retrieved roles on granted authorities.
>
> 10:00:24,340 DEBUG http-bio-8443-exec-10 intercept.FilterSecurityInterceptor:310 - Previously Authenticated:
> org.springframework.security.cas.authentication.CasAuthenticationToken@e848bc56:
> Principal: org.springframework.security.core.userdetails.User@a4b4d0a7:
> Username: taylorj; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true;
> credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities;
> Credentials: [PROTECTED]; Authenticated: true;
> Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364:
> RemoteIpAddress: 10.100.20.125; SessionId: 4652D17239607600EF2748E939F70BB0;
> Not granted any authorities
> Assertion: org.jasig.cas.client.validation.AssertionImpl@4a269585
> Credentials (Service/Proxy Ticket): ST-1-tuVjcs2BP2UvyVUe50bZ-cas01.xxxx
>
> Has anyone tested this feature?
>
> Is this working in CAS 4 or is it a bug?
>
> Thanks
>
> Jay
>
>
>
> --
>
> You are currently subscribed to [email protected] as: 
> [email protected]
>
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>

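One way to do the attribute-to-authority mapping discussed in this thread, as an added example that is not code from either poster or from the CAS or Spring Security projects. It assumes the Java CAS client and spring-security-cas are on the classpath; the class name `RoleAttributeUserDetailsService`, the allowlist and the sample values in `main` are hypothetical.

```java
import java.util.*;
import org.jasig.cas.client.authentication.AttributePrincipalImpl;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.AssertionImpl;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.*;

// Hypothetical class: maps one released CAS attribute to Spring Security authorities.
public class RoleAttributeUserDetailsService
        implements AuthenticationUserDetailsService<CasAssertionAuthenticationToken> {
    private final String attributeName;     // attribute released by CAS, e.g. "role"
    private final Set<String> allowedRoles; // authorities this application recognises

    public RoleAttributeUserDetailsService(String attributeName, Set<String> allowedRoles) {
        this.attributeName = attributeName;
        this.allowedRoles = allowedRoles;
    }

    @Override
    public UserDetails loadUserDetails(CasAssertionAuthenticationToken token) {
        Assertion assertion = token.getAssertion();
        Map<String, Object> attrs = assertion.getPrincipal().getAttributes();
        Object raw = (attrs == null) ? null : attrs.get(attributeName);
        // A released attribute arrives as a single value or as a Collection of values.
        Collection<?> values;
        if (raw == null) values = Collections.emptyList();
        else if (raw instanceof Collection) values = (Collection<?>) raw;
        else values = Collections.singletonList(raw);
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (Object v : values) {
            String role = String.valueOf(v).trim().toUpperCase(Locale.ROOT);
            if (allowedRoles.contains(role)) { // drop values not on the allowlist
                authorities.add(new SimpleGrantedAuthority(role));
            }
        }
        // Attribute missing from the assertion: empty list, so role checks deny.
        return new User(assertion.getPrincipal().getName(), "NO_PASSWORD", authorities);
    }

    public static void main(String[] args) {
        Map<String, Object> attrs = new HashMap<String, Object>(); // constructed sample
        attrs.put("role", Arrays.asList("my_role", "unexpected_role"));
        Assertion a = new AssertionImpl(new AttributePrincipalImpl("taylorj", attrs));
        UserDetails u = new RoleAttributeUserDetailsService("role",
                Collections.singleton("MY_ROLE"))
                .loadUserDetails(new CasAssertionAuthenticationToken(a, "ST-constructed"));
        System.out.println(u.getAuthorities());
    }
}
```

A class like this would be wired in place of the `authenticationUserDetailsService` bean shown in the quoted configuration. An empty authority list from it means the attribute was not present in the validated assertion, which is worth checking before looking at the mapping itself.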