Hi,
When using the CAS 2.0 Protocol for attribute release it seems to work we see the attributes in the debug log on the client side and the user authenticates it just fails with Authentication failure: Ticket not validated [AuthenticationException.php:80] D9AA .| | | | | Reason: bad response from the CAS server [AuthenticationException.php:85] D9AA .| | | | | CAS response: ^M Has anyone found a workaround for that, we are using the phpcas client 1.3.2. We are running CAS 3.6.0 Server. Thanks! ___________________ Juan Quintanilla UTS - Enterprise Group 305-348-6573 [email protected]<mailto:[email protected]> ________________________________ From: James Winter <[email protected]> Sent: Thursday, September 3, 2015 10:32 PM To: [email protected] Subject: Re: [cas-user] Attribute resolved but not released? I had the exact same issue with the CAS 2.0 protocol until I added code in the protocol success response to pass the attributes in the response. The 3.0 protocol returned attributes fine. If you compare the 3.0 and 2.0 success responses it's pretty obvious the 2.0 protocol isn't returning attributes. This is my serviceresponse element (view/jsp/protocol/2.0/casServiceValidationSuccess.jsp) that works for us: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.yale.edu_tp_cas&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=R8OvN58r8x2pDCK-nKewrdShyqzrPMXY3INpp9mCZhs&e=>'> <cas:authenticationSuccess> <cas:user>${fn:escapeXml(assertion.primaryAuthentication.principal.id<https://urldefense.proofpoint.com/v2/url?u=http-3A__assertion.primaryAuthentication.principal.id&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=4D_XStWZfp51aVQK35Tu7_1wgEtenkHolltrHpIIM5M&e=>)}</cas:user> <cas:attributes> <c:forEach var="auth" items="${assertion.chainedAuthentications}"> <c:forEach var="attr" items="${auth.principal.attributes}" > <cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(attr.value)}</cas:${fn:escapeXml(attr.key)}> </c:forEach> </c:forEach> </cas:attributes> <c:if test="${not empty pgtIou}"> <cas:proxyGrantingTicket>${pgtIou}</cas:proxyGrantingTicket> </c:if> <c:if test="${fn:length(assertion.chainedAuthentications) > 1}"> <cas:proxies> <c:forEach var="proxy" items="${assertion.chainedAuthentications}" varStatus="loopStatus" begin="0" end="${fn:length(assertion.chainedAuthentications)-2}" step="1"> <cas:proxy>${fn:escapeXml(proxy.principal.id<https://urldefense.proofpoint.com/v2/url?u=http-3A__proxy.principal.id&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=kxYnvQDqeP2iuk-2DLJ7Fd_TY-UK6GoPM9EkMFoXc2M&e=>)}</cas:proxy> </c:forEach> </cas:proxies> </c:if> </cas:authenticationSuccess> </cas:serviceResponse> On Thu, Sep 3, 2015 at 9:53 PM Misagh Moayyed <[email protected]<mailto:[email protected]>> wrote: Is your client pointing to the /p3 endpoint? Are attributes configured for release in your registry? You have so far resolved them. From: Chris Irwin [mailto:[email protected]<mailto:[email protected]>] Sent: Thursday, September 3, 2015 8:54 AM To: [email protected]<mailto:[email protected]> Subject: [cas-user] Attribute resolved but not released? After some reconfigurations I was able to get the attribute map to populate: 2015-09-03 11:34:19,142 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated service for: https://njcu.awardspring.com/SignIn/CASAuth<https://urldefense.proofpoint.com/v2/url?u=https-3A__njcu.awardspring.com_SignIn_CASAuth&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=CKHgj2BUSwDH6ziUs54kHIb4zRBvkXktVYTGPDkg8lM&e=> 2015-09-03 11:35:49,483 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered services. 2015-09-03 11:35:49,483 DEBUG [org.jasig.cas.services.DefaultServicesManagerImpl] - Adding registered service ^(https?|imaps?)://.* 2015-09-03 11:35:49,483 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 1 services. 2015-09-03 11:36:45,709 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated service for: https://njcu.awardspring.com/SignIn/CASAuth<https://urldefense.proofpoint.com/v2/url?u=https-3A__njcu.awardspring.com_SignIn_CASAuth&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=CKHgj2BUSwDH6ziUs54kHIb4zRBvkXktVYTGPDkg8lM&e=> 2015-09-03 11:36:45,709 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated service for: https://njcu.awardspring.com/SignIn/CASAuth<https://urldefense.proofpoint.com/v2/url?u=https-3A__njcu.awardspring.com_SignIn_CASAuth&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=CKHgj2BUSwDH6ziUs54kHIb4zRBvkXktVYTGPDkg8lM&e=> 2015-09-03 11:36:56,144 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Attempting LDAP authentication for 2233445+password 2015-09-03 11:36:56,175 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: [org.ldaptive.auth.AuthenticationResponse@1429278053::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, ldapEntry=[dn=CN=2233445,OU=PeopleSoft_UGrads,DC=students,dc=root,dc=njcu[[legacyExchangeDN[/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=2233445557]], [mail[[email protected]<mailto:[email protected]>]], [proxyAddresses[SMTP:[email protected], smtp:[email protected], smtp:[email protected]]], [uSNCreated[59219964]], [whenChanged[20150828141421.0Z]], [objectClass[top, person, organizationalPerson, user]], [primaryGroupID[513]], [givenName[Apple]], [objectGUID[BbC~1?uF??!%??]], [extensionAttribute15[GALEnabled]], [instanceType[0]], [objectSid[ ~dS?0n?.?^?M ]], [whenCreated[20150810155326.0Z]], [msExchHideFromAddressLists[TRUE]], [dSCorePropagationData[16010101000000.0Z]], [sn[Sauce]], [userAccountControl[66048]], [lastLogonTimestamp[130852448531619587]], [mailNickname[ASauce]], [msExchRecipientTypeDetails[128]], [cn[2233445]], [msExchRecipientDisplayType[6]], [sAMAccountName[2233445]], [targetAddress[SMTP:[email protected]]], [sAMAccountType[805306368]], [userPrincipalName[[email protected]<mailto:[email protected]>]], [showInAddressBook[CN=All Mail Users(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=root,DC=njcu, CN=All Recipients(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=root,DC=njcu]], [displayName[Apple Sauce]], [pwdLastSet[130852448484974989]], [name[2233445]], [msExchPoliciesExcluded[{26491cfc-9e50-4857-861b-0cb8df22b5d7}]], [msExchUMDtmfMap[emailAddress:272823, lastNameFirstName:2233445, firstNameLastName:2233445]], [objectCategory[CN=Person,CN=Schema,CN=Configuration,DC=root,DC=njcu]], [distinguishedName[CN=2233445,OU=PeopleSoft_UGrads,DC=students,DC=root,DC=njcu]], [internetEncoding[1310720]], [msExchVersion[44220983382016]], [uSNChanged[60537450]]], responseControls=null, messageId=-1], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null] 2015-09-03 11:36:56,175 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal attribute: [sAMAccountName[2233445]] 2015-09-03 11:36:56,175 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal attribute: [cn[2233445]] 2015-09-03 11:36:56,175 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal attribute: [givenName[Apple]] 2015-09-03 11:36:56,175 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal attribute: [sn[Sauce]] 2015-09-03 11:36:56,175 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal attribute: [mail[[email protected]<mailto:[email protected]>]] 2015-09-03 11:36:56,175 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal attribute: [displayName[Apple Sauce]] 2015-09-03 11:36:56,175 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - LdapAuthenticationHandler successfully authenticated 2233445+password 2015-09-03 11:36:56,175 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - No resolver configured for LdapAuthenticationHandler. Falling back to handler principal 2233445 2015-09-03 11:36:56,175 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - Authenticated 2233445 with credentials [2233445+password]. 2015-09-03 11:36:56,175 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - Attribute map for 2233445: {userName=2233445, Student ID=2233445, First Name=Apple, Last Name=Sauce, [email protected]<mailto:[email protected]>, displayName=Apple Sauce} 2015-09-03 11:36:56,175 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN This is a step in the right direction but it doesn't appear that it's being released correctly as the response I get back on the app side only shows the authentication: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.yale.edu_tp_cas&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=R8OvN58r8x2pDCK-nKewrdShyqzrPMXY3INpp9mCZhs&e=>'> <cas:authenticationSuccess> <cas:user>2233445</cas:user> </cas:authenticationSuccess> </cas:serviceResponse> My deployerConfigContext.xml is as follows: <?xml version="1.0" encoding="UTF-8"?> <!-- Licensed to Jasig under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. Jasig licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at the following location: http://www.apache.org/licenses/LICENSE-2.0<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.apache.org_licenses_LICENSE-2D2.0&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=PrZPbxTWvZzqPXobX1Ir_0eqOoPQ--KBu-2apc7Dims&e=> Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <beans xmlns="http://www.springframework.org/schema/beans<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.springframework.org_schema_beans&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=XsT4X8yyhUDKVFcZRx3jlb9mpCDLTZk2IaUPO8agKsk&e=>" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.w3.org_2001_XMLSchema-2Dinstance&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=z4rEKEagWHDAcbLkrCMzEsYGMCzCw0sxUJ52Q3B4Z_I&e=>" xmlns:p="http://www.springframework.org/schema/p<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.springframework.org_schema_p&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=E_FOltRdAZ0QMZr91teIXJutF2OBEzPdg6dndRuQ5IA&e=>" xmlns:c="http://www.springframework.org/schema/c<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.springframework.org_schema_c&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=N4X377uvngokoAu0eDg1tSdUtyc22MRpQfDf20S7fuQ&e=>" xmlns:tx="http://www.springframework.org/schema/tx<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.springframework.org_schema_tx&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=3IkLeuUai4Rtf9Ese356_vbc15TGryCW9GIvV5Uky40&e=>" xmlns:util="http://www.springframework.org/schema/util<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.springframework.org_schema_util&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=oSafs5q24JV9RACF5OxOSbBRVxnDrKwd5u-5Im4cxq8&e=>" xmlns:sec="http://www.springframework.org/schema/security<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.springframework.org_schema_security&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=PqFUL3pTIVtDSfGTKEDVjA5mrwS8gDakgdcTO_FzSfE&e=>" xmlns:context="http://www.springframework.org/schema/context<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.springframework.org_schema_context&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=0qk78Kw_h-kOsvT38TO1ALH7uBtyXWP3JDZ52f1PRNc&e=>" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.2.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.springframework.org_schema_beans-2520http-3A_www.springframework.org_schema_beans_spring-2Dbeans-2D3.2.xsd-250b-25C2-25A0-25C2-25A0-25C2-25A0-25C2-25A0-25C2-25A0-25C2-25A0-2520http-3A_www.springframework.org_schema_tx-2520http-3A_www.springframework.org_schema_tx_spring-2Dtx-2D3.2.xsd-250b-25C2-25A0-25C2-25A0-25C2-25A0-25C2-25A0-25C2-25A0-25C2-25A0-2520http-3A_www.springframework.org_schema_security-2520http-3A_www.springframework.org_schema_security_spring-2Dsecurity-2D3.2.xsd-250b-25C2-25A0-25C2-25A0-25C2-25A0-25C2-25A0-25C2-25A0-25C2-25A0-2520http-3A_www.springframework.org_schema_util-2520http-3A_www.springframework.org_schema_util_spring-2Dutil.xsd&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=0AJQELp34MxlQUJYU5vlZBeDsFnZYk2xwaNLsl39oVU&e=>"> <!-- <bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager"> <constructor-arg> <map> <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" /> <entry key-ref="ldapAuthenticationHandler" value-ref="primaryPrincipalResolver" /> </map> </constructor-arg> <property name="authenticationPolicy"> <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" /> </property> </bean> --> <bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager"> <constructor-arg> <list> <ref bean="ldapAuthenticationHandler"/> </list> </constructor-arg> <property name="authenticationPolicy"> <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" /> </property> </bean> <!-- Required for proxy ticket mechanism. --> <bean id="proxyAuthenticationHandler" class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" /> <bean id="primaryAuthenticationHandler" class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler"> <property name="users"> <map> <entry key="casuser" value="Mellon"/> </map> </property> </bean> <!-- Required for proxy ticket mechanism --> <bean id="proxyPrincipalResolver" class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" /> <!-- | Resolves a principal from a credential using an attribute repository that is configured to resolve | against a deployer-specific store (e.g. LDAP). --> <bean id="primaryPrincipalResolver" class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver" > <property name="attributeRepository" ref="attributeRepository" /> </bean> <!-- Bean that defines the attributes that a service may return. This example uses the Stub/Mock version. A real implementation may go against a database or LDAP server. The id should remain "attributeRepository" though. <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao" p:backingMap-ref="attrRepoBackingMap" /> <util:map id="attrRepoBackingMap"> <entry key="uid" value="uid" /> <entry key="eduPersonAffiliation" value="eduPersonAffiliation" /> <entry key="groupMembership" value="groupMembership" /> </util:map> --> <bean id="attributeRepository" class="org.jasig.cas.persondir.LdapPersonAttributeDao" p:baseDN="${ldap.baseDn}" p:searchFilter="samAccountName={0}" p:searchControls-ref="searchControls" p:connectionFactory-ref="searchPooledLdapConnectionFactory" p:queryAttributeMapping-ref="queryAttributeMap" p:resultAttributeMapping-ref="resultAttributeMap" /> <util:map id="queryAttributeMap"> <entry key="username" value="sAMAccountName" /> </util:map> <util:map id="resultAttributeMap"> <entry key="samAccountName" value="userName" /> <entry key="cn" value="Student ID" /> <entry key="givenName" value="First Name" /> <entry key="sn" value="Last Name" /> <entry key="mail" value="email" /> <entry key="displayName" value="displayName" /> </util:map> <!-- Sample, in-memory data store for the ServiceRegistry. A real implementation would probably want to replace this with the JPA-backed ServiceRegistry DAO The name of this bean should remain "serviceRegistryDao".--> <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" p:registeredServices-ref="registeredServicesList" /> <!-- <bean id="serviceRegistryDao" class="org.jasig.cas.adaptors.ldap.services.LdapServiceRegistryDao" p:connectionFactory-ref="searchPooledLdapConnectionFactory" p:ldapServiceMapper-ref="ldapMapper" /> <bean id="ldapMapper" class="org.jasig.cas.adaptors.ldap.services.DefaultLdapServiceMapper"/> <bean id="searchRequest" class="org.ldaptive.SearchRequest"> <property name="baseDn" value="dc=root,dc=njcu" /> <property name="searchFilter" value="sAMAccountName={0}" /> </bean>--> <util:list id="registeredServicesList"> <bean class="org.jasig.cas.services.RegexRegisteredService" p:id="0" p:name="HTTP and IMAP" p:description="Allows HTTP(S) and IMAP(S) protocols" p:serviceId="^(https?|imaps?)://.*" p:evaluationOrder="10000001" /> <!-- <util:list id="registeredServicesList"> <bean class="org.jasig.cas.services.RegexRegisteredService"> <property name ="id" value="0" /> <property name="name" value = "HTTP and IMAP" /> <property name="description" value = "Allows HTTP(S) and IMAP(S) protocols" /> <property name="serviceId" value="^(https?|imaps?)://.*" /> <property name="evaluationOrder" value="10000001" /> <property name="allowedAttributes"> <list> <value>userName</value> <value>Student ID</value> <value>First Name</value> <value>Last Name</value> <value>email</value> <value>employeeID</value> </list> </property> </bean> Use the following definition instead of the above to further restrict access to services within your domain (including sub domains). Note that example.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__example.com&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=UKQSrAMbsRJ5U3ipQQiyD07KEu7Nmp_8gytArJqQuzY&e=> must be replaced with the domain you wish to permit. This example also demonstrates the configuration of an attribute filter that only allows for attributes whose length is 3. <bean class="org.jasig.cas.services.RegexRegisteredService"> <property name="id" value="1" /> <property name="name" value="All Websites" /> <property name="description" value="Allows HTTP(S) sites" /> <property name="serviceId" value="^(https?)://.*" /> <property name="evaluationOrder" value="0" /> <property name="attributeFilter"> <bean class="org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter" c:regex="^\w{3}$" /> </property> </bean> <bean class="org.jasig.cas.services.RegisteredServiceImpl"> <property name="id" value="0" /> <property name="name" value="AwardSpring" /> <property name="description" value="Your HTTP Service" /> <property name="serviceId" value="https://njcu.awardspring.com/SignIn/CASAuth<https://urldefense.proofpoint.com/v2/url?u=https-3A__njcu.awardspring.com_SignIn_CASAuth&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=CKHgj2BUSwDH6ziUs54kHIb4zRBvkXktVYTGPDkg8lM&e=>" /> <property name="allowedAttributes"> <list> <value>userName</value> <value>Student ID</value> <value>First Name</value> <value>Last Name</value> <value>email</value> <value>employeeID</value> </list> </property> </bean> <bean class="org.jasig.cas.services.RegisteredServiceImpl"> <property name="id" value="1" /> <property name="name" value="EAB" /> <property name="description" value="Your HTTP Service" /> <property name="serviceId" value="https://sscimpl.advisory.com/gsrc/SSO/njcu<https://urldefense.proofpoint.com/v2/url?u=https-3A__sscimpl.advisory.com_gsrc_SSO_njcu&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=DhFrbcbLGqaRWEfBKIthpQgzMuQXgMEN6VwJRJAwg3w&e=>" /> <property name="allowedAttributes"> <list> <value>userName</value> <value>Student ID</value> <value>First Name</value> <value>Last Name</value> <value>email</value> <value>employeeID</value> </list> </property> </bean> <bean class="org.jasig.cas.services.RegisteredServiceImpl"> <property name="id" value="2" /> <property name="name" value="CBORD" /> <property name="description" value="GET FUNDS" /> <property name="serviceId" value="https://get.cbord.com/njcu/full/login.php<https://urldefense.proofpoint.com/v2/url?u=https-3A__get.cbord.com_njcu_full_login.php&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=SACY8jI26VNOyEZDMN7ERNlREM9K5BmLPNt3GUhUoKk&e=>" /> <property name="allowedAttributes"> <list> <value>userName</value> <value>Student ID</value> <value>First Name</value> <value>Last Name</value> <value>email</value> <value>employeeID</value> </list> </property> </bean> --> </util:list> <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" /> <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor" p:monitors-ref="monitorsList" /> <util:list id="monitorsList"> <bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10" /> <!-- NOTE The following ticket registries support SessionMonitor: * DefaultTicketRegistry * JpaTicketRegistry Remove this monitor if you use an unsupported registry. --> <bean class="org.jasig.cas.monitor.SessionMonitor" p:ticketRegistry-ref="ticketRegistry" p:serviceTicketCountWarnThreshold="5000" p:sessionCountWarnThreshold="100000" /> </util:list> <!-- Cirwin - Add Attribute release bean <context:component-scan base-package="org.jasig.cas" /> <context:annotation-config /> --> <bean id="ldapPersonAttributeDao" class="org.jasig.cas.persondir.LdapPersonAttributeDao" p:connectionFactory-ref="searchPooledLdapConnectionFactory" p:baseDN="${ldap.baseDn}" p:searchControls-ref="searchControls" p:searchFilter="samAccountName={0}"> <property name="queryAttributeMapping"> <map> <entry key="username" value="samAccountName" /> </map> </property> <property name="resultAttributeMapping"> <map> <entry key="samAccountName" value="userName" /> <entry key="cn" value="Student ID" /> <entry key="givenName" value="First Name" /> <entry key="sn" value="Last Name" /> <entry key="mail" value="email" /> <entry key="displayName" value="displayName" /> <entry key="employeeID" value="employeeID" /> </map> </property> </bean> <bean id="searchControls" class="javax.naming.directory.SearchControls" p:searchScope="2" p:countLimit="10" /> <!-- INSERT CONNECTION CONFIGURATIONS HERE --> <bean id="ldapAuthenticationHandler" class="org.jasig.cas.authentication.LdapAuthenticationHandler" p:principalIdAttribute="samAccountName" c:authenticator-ref="authenticator"> <property name="principalAttributeMap"> <map> <!-- | This map provides a simple attribute resolution mechanism. | Keys are LDAP attribute names, values are CAS attribute names. | Use this facility instead of a PrincipalResolver if LDAP is | the only attribute source. --> <entry key="samAccountName" value="userName" /> <entry key="cn" value="Student ID" /> <entry key="givenName" value="First Name" /> <entry key="sn" value="Last Name" /> <entry key="mail" value="email" /> <entry key="displayName" value="displayName" /> <entry key="employeeID" value="employeeID" /> </map> </property> </bean> <bean id="authenticator" class="org.ldaptive.auth.Authenticator" c:resolver-ref="dnResolver" c:handler-ref="authHandler" /> <bean id="dnResolver" class="org.ldaptive.auth.PooledSearchDnResolver" p:baseDn="${ldap.baseDn}" p:subtreeSearch="true" p:allowMultipleDns="false" p:connectionFactory-ref="searchPooledLdapConnectionFactory" p:userFilter="${ldap.authn.searchFilter}" /> <bean id="searchPooledLdapConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory" p:connectionPool-ref="searchConnectionPool" /> <bean id="searchConnectionPool" parent="abstractConnectionPool" p:connectionFactory-ref="searchConnectionFactory" /> <bean id="searchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="searchConnectionConfig" /> <bean id="searchConnectionConfig" parent="abstractConnectionConfig" p:connectionInitializer-ref="bindConnectionInitializer" /> <bean id="bindConnectionInitializer" class="org.ldaptive.BindConnectionInitializer" p:bindDn="[email protected]<mailto:[email protected]>"> <property name="bindCredential"> <bean class="org.ldaptive.Credential" c:password="${ldap.authn.managerPassword}" /> </property> </bean> <bean id="abstractConnectionPool" abstract="true" class="org.ldaptive.pool.BlockingConnectionPool" init-method="initialize" p:poolConfig-ref="ldapPoolConfig" p:blockWaitTime="${ldap.pool.blockWaitTime}" p:validator-ref="searchValidator" p:pruneStrategy-ref="pruneStrategy" /> <bean id="abstractConnectionConfig" abstract="true" class="org.ldaptive.ConnectionConfig" p:ldapUrl="${ldap.url}" p:connectTimeout="${ldap.connectTimeout}" p:useStartTLS="${ldap.useStartTLS}" p:sslConfig-ref="sslConfig" /> <bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig" p:minPoolSize="${ldap.pool.minSize}" p:maxPoolSize="${ldap.pool.maxSize}" p:validateOnCheckOut="${ldap.pool.validateOnCheckout}" p:validatePeriodically="${ldap.pool.validatePeriodically}" p:validatePeriod="${ldap.pool.validatePeriod}" /> <bean id="sslConfig" class="org.ldaptive.ssl.SslConfig"> <property name="credentialConfig"> <bean class="org.ldaptive.ssl.X509CredentialConfig" p:trustCertificates="${ldap.trustedCert}" /> </property> </bean> <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy" p:prunePeriod="${ldap.pool.prunePeriod}" p:idleTime="${ldap.pool.idleTime}" /> <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" /> <bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler" p:connectionFactory-ref="bindPooledLdapConnectionFactory" /> <bean id="bindPooledLdapConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory" p:connectionPool-ref="bindConnectionPool" /> <bean id="bindConnectionPool" parent="abstractConnectionPool" p:connectionFactory-ref="bindConnectionFactory" /> <bean id="bindConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="bindConnectionConfig" /> <bean id="bindConnectionConfig" parent="abstractConnectionConfig" /> </beans> -- You are currently subscribed to [email protected]<mailto:[email protected]> as: [email protected]<mailto:[email protected]> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.ja-2Dsig.org_wiki_display_JSG_cas-2Duser&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=oADQdi9jXGPIOwequY8-uszH06RlgZ_dy7mIryMTw40&e=> -- You are currently subscribed to [email protected]<mailto:[email protected]> as: [email protected]<mailto:[email protected]> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.ja-2Dsig.org_wiki_display_JSG_cas-2Duser&d=AwMFaQ&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=aLtAyq_vCbaXVxfqZ_KqIEAESkc39ZkoUtCAmlYjcCI&s=oADQdi9jXGPIOwequY8-uszH06RlgZ_dy7mIryMTw40&e=> -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
