I knew this sounded familiar, and so I dug this up:

https://github.com/Jasig/cas/issues/722



Long story short; it’s something that is fixed and will need to be 
backported to 4.0.4.
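As a reference point for the behaviour argued over below, here is an added Python model (not CAS code, and not something any poster shared) of the release semantics the thread expects from a RegexRegisteredService: ignoreAttributes=true releases everything, otherwise only allowedAttributes, then an attribute filter. It parses the "Attribute map for" DEBUG line format quoted further down; the service URLs, attribute values and the assumption that the filter regex is applied to attribute values are all constructed.

```python
import re

# Constructed log line in the format quoted in the thread (values made up).
LOG_LINE = ("2015-07-31 09:47:06,884 DEBUG "
            "[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - "
            "Attribute map for abc123: {uid=abc123, mail=abc123@example.edu, "
            "displayName=A User, employeeID=XXXXXXXX}")

ATTR_MAP_RE = re.compile(r"Attribute map for (\S+): \{(.*)\}")

def parse_attribute_map(line):
    """Return (principal, {attr: value}) from a CAS 'Attribute map for' DEBUG line."""
    m = ATTR_MAP_RE.search(line)
    if not m:
        return None, {}
    attrs = {}
    for item in m.group(2).split(", "):
        key, _, value = item.partition("=")
        attrs[key.strip()] = value.strip()
    return m.group(1), attrs

def expected_release(principal_attrs, service, service_url):
    """What a service should receive under the semantics the thread expects.
    Returns None when the service regex does not match the URL. Applying the
    filter regex to attribute values is an assumption of this model."""
    if not re.match(service["serviceId"], service_url):
        return None
    if service.get("ignoreAttributes", False):
        released = dict(principal_attrs)          # release everything
    else:
        allowed = set(service.get("allowedAttributes", []))
        released = {k: v for k, v in principal_attrs.items() if k in allowed}
    flt = service.get("attributeFilter")
    if flt is not None:
        rx = re.compile(flt)
        released = {k: v for k, v in released.items() if rx.match(v)}
    return released

def over_released(principal_attrs, service, service_url, actually_received):
    """Attribute names a service got that the policy should have withheld."""
    expected = expected_release(principal_attrs, service, service_url) or {}
    return sorted(set(actually_received) - set(expected))

# Constructed services: a catch-all default that should release nothing, and
# a single trusted service that is allowed to see every attribute.
DEFAULT_SERVICE = {"serviceId": "^(https?|imaps?)://.*", "ignoreAttributes": False,
                   "allowedAttributes": []}
TRUSTED_SERVICE = {"serviceId": r"^https://app\.example\.edu/.*", "ignoreAttributes": True}
```

Feeding the attribute map from the server log and the attributes a client actually received into over_released() gives a quick way to confirm the regression described in the thread on a given CAS build.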



From: Misagh Moayyed [mailto:[email protected]]
Sent: Tuesday, August 4, 2015 11:58 AM
To: '[email protected]' <[email protected]>
Subject: RE: [cas-user] CAS 4 (Unicon overlay) with AD plus attributes



That is the default behavior, yes, supposedly :) You should not get anything 
unless you explicitly allow them.



From what you’re describing, this sounds like a regression. Please submit an 
issue, and attach a sample of your deployerConfigFile.xml to the issue. Time 
permitting, the fix might go into 404 if it turns out to be a bug in fact.



From: Mark McCoy [mailto:[email protected]]
Sent: Tuesday, August 4, 2015 11:39 AM
To: [email protected]
Subject: Re: [cas-user] CAS 4 (Unicon overlay) with AD plus attributes



I would think that the default behavior would be to restrict attributes 
unless released, instead of the reverse.



Thanks,

Mark





From: Kevin Sewell
Reply-To: "[email protected]"
Date: Tuesday, August 4, 2015 at 12:57 PM
To: "[email protected]"
Subject: Re: [cas-user] CAS 4 (Unicon overlay) with AD plus attributes



Just reporting that I'm seeing this behaviour too (but didn't play with 
filters).

I was expecting that an empty "allowedAttributes" list with 
"ignoreAttributes" set to "false" (or not specifying it) to result in no 
attribute release for that RegexRegisteredService.

The logs are telling me that my service (which is using mod_auth_cas) is 
matching that RegexRegisteredService, but it receives all the attributes no 
matter what values "allowedAttributes" and "ignoreAttributes" contain.

Can someone confirm that restricting attribute release works for them with 
v4.0.3?

If so, I'd be grateful for an example too.

Thanks,

Kevin



On 4 Aug 2015, at 17:46, Mark McCoy <[email protected]> wrote:



OK, I got the attributes released but now I have one more question.



We don’t have a need for the Services Manager, we only want to release 
attributes to one service. I added a RegexRegisteredService to the 
RegisteredServicesList and this new service has "ignoreAttributes" set to 
"true" (releasing all attributes). I can see in the logs that when I test 
logging into this service, the SAML returned contains the attributes (we 
have to use SAML since the client isn't configurable to use the p3 
endpoint).



The problem is that attributes are always returned to *all* services no 
matter what I attempt to use to restrict them. On the default 
RegisteredService, I have set "ignoreAttributes" to "false" and 
"allowedAttributes" to an empty list. I have set a filter to be an 
impossible regex that doesn't match any attributes. I've tried releasing 
only an innocuous attribute (the uid) which the client already gets and 
isn't a security concern. The logs even show where the uid is the only one 
that matches the filter, but the CAS server releases the other attributes 
anyway.



Are there any examples of restricting all attributes by default, and only 
allowing one service to see the attributes?







Thanks,

Mark





From: Mark McCoy
Reply-To: "[email protected]"
Date: Friday, July 31, 2015 at 10:58 AM
To: "[email protected]"
Subject: Re: [cas-user] CAS 4 (Unicon overlay) with AD plus attributes



OK, I found the solution. It was not obvious. After hunting through mailing 
list posts, I found that the instructions were on the documentation page for 
LDAP authentication all along (the section labeled "PrincipalResolver vs 
AuthenticationHandler"). Unfortunately, the instructions there to set the 
value-ref on the ldap auth handler to "#{null}" don't work. When I do that, 
I get an error:



org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean 
named 'null' is defined



I found an alternative way to do this in another mailing list post. 
Commenting out the existing 
<constructor-arg><map></map><entry/></constructor-arg> section, this works 
as long as there is only one handler needed:



<constructor-arg index="0">
    <list value-type="org.jasig.cas.authentication.AuthenticationHandler">
        <ref local="ldapAuthenticationHandler"/>
    </list>
</constructor-arg>



Luckily, we don't need to use proxy auth and we have a single authentication 
handler, so we can use this. I can now see the attributes available for 
release:



2015-07-31 09:47:06,884 DEBUG 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - Attribute 
map for abc123: {uid=abc123, [email protected], displayName=Mark McCoy, 
employeeID=XXXXXXXX}



Next up is figuring out the release policy.



Thanks,

Mark





-- 
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user