Jasig CAS 3.6 - 无法将属性添加到身份验证响应
Jasig CAS 3.6 - unable to add attributes to authentication response
身份验证工作正常,通过票证 ID,我还从客户端获得了用户名。为了检索参数,我使用下面的脚本。我尝试了几种不同的方法,但没有成功。我总是得到用户名,仅此而已。有任何想法吗?如何添加新参数?有从 SQL 和 LDAP 加载数据并将它们添加到属性列表的示例,但没有一个有效。所以可能是我的初始设置有问题。我要添加的信息既不是来自数据库也不是来自 LDAP,我想添加我通过身份验证收到的完全自定义的信息(通过所用的通道转发它)。所以它应该是添加的自定义属性或类似的东西。初始代码在下面 -> 那里不尝试添加属性,只是简单干净的代码,只进行身份验证。
整个配置如下。我可能完全遗漏了什么……
因此,如果您有关于如何为服务客户端向 saml 响应消息添加附加参数的想法或示例,我将不胜感激 :)
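/**
 * Builds the Spring Security {@link UserDetails} for a validated CAS assertion.
 *
 * <p>Each attribute name in {@code this.attributes} is looked up on the assertion
 * principal. Every non-null value (or every element, when the value is a
 * {@link List}) becomes one {@link SimpleGrantedAuthority}; the authority name is
 * upper-cased when {@code this.convertToUpperCase} is set. The returned user carries
 * the placeholder password {@code "NO_PASSWORD"} and is enabled, non-expired and
 * non-locked: the CAS ticket validation is the only credential check involved here.
 *
 * <p>Security note: attribute values are turned into authorities verbatim, so the
 * attributes released by the CAS server directly decide the roles granted.
 *
 * @param assertion the validated CAS assertion; its principal must be non-null
 * @return the user details for the asserted principal
 */
protected UserDetails loadUserDetails(Assertion assertion) {
    List<SimpleGrantedAuthority> grantedAuthorities = new ArrayList<SimpleGrantedAuthority>();
    // Tolerate an unset attribute list instead of failing with a NullPointerException.
    String[] attributeNames = this.attributes == null ? new String[0] : this.attributes;
    for (String attribute : attributeNames) {
        Object value = assertion.getPrincipal().getAttributes().get(attribute);
        if (value == null) {
            continue;
        }
        if (value instanceof List) {
            // Multi-valued attributes arrive as a List; each element is its own authority.
            for (Object element : (List<?>) value) {
                grantedAuthorities.add(toAuthority(element));
            }
        } else {
            grantedAuthorities.add(toAuthority(value));
        }
    }
    return new User(assertion.getPrincipal().getName(), "NO_PASSWORD", true, true, true, true, grantedAuthorities);
}

/** Converts one attribute value to an authority, honouring the upper-case flag. */
private SimpleGrantedAuthority toAuthority(Object value) {
    String name = value.toString();
    return new SimpleGrantedAuthority(this.convertToUpperCase ? name.toUpperCase() : name);
}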
deployerConfigContext.xml:
<?xml version="1.0" encoding="UTF-8"?>
...
<!-- Attribute source for the principal resolver below. StubPersonAttributeDao is
     configured here without a backing attribute map, so it presumably supplies no
     attributes to the resolver (NOTE(review): confirm); that alone would explain an
     empty attribute set in the validation response. -->
<bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao"/>
<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
<property name="credentialsToPrincipalResolvers">
<list>
<!-- Resolves ADCredentials to a principal keyed by idCode; attributes are looked up
     through the attributeRepository wired in below. -->
<bean id="adPrincipalResolver" class="ee.qubova.cas.security.ad.ADPrincipalResolver">
<property name="attributeRepository" ref="attributeRepository"/>
</bean>
</list>
</property>
<property name="authenticationHandlers">
<list>
<!-- CustomAuthenticationHandler reports success for any ADCredentials with a
     non-empty idCode and verifies nothing else, so the controller that builds the
     credentials must already have authenticated the user. -->
<bean class="ee.qubova.cas.security.CustomAuthenticationHandler">
</bean>
</list>
</property>
</bean>
<!-- Hard-coded test account with ROLE_ADMIN and a plaintext password; remove or
     externalise it before this configuration reaches a shared environment. -->
<sec:user-service id="userDetailsService">
<sec:user name="test" password="test" authorities="ROLE_ADMIN"/>
</sec:user-service>
<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
<property name="registeredServices">
<list>
<bean class="org.jasig.cas.services.RegisteredServiceImpl">
<property name="id" value="0"/>
<property name="name" value="HTTP"/>
<property name="description" value="Only Allows HTTP Urls"/>
<!-- Matches every plain-HTTP service URL: tickets and any released attributes are
     sent unencrypted to whichever service matches. Narrow this to the known
     service URLs (and https) once the setup works. -->
<property name="serviceId" value="http://**"/>
<property name="evaluationOrder" value="10000001"/>
<!-- Attributes this service is allowed to receive in the validation response.
     Listing "password" releases the user's password to the service whenever that
     attribute is populated; drop it unless that is really intended. -->
<property name="allowedAttributes">
<list>
<value>username</value>
<value>password</value>
<value>idCode</value>
</list>
</property>
</bean>
</list>
</property>
</bean>
<bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager"/>
<bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor">
<property name="monitors">
<list>
<bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10"/>
<bean class="org.jasig.cas.monitor.SessionMonitor" p:ticketRegistry-ref="ticketRegistry"
p:serviceTicketCountWarnThreshold="5000" p:sessionCountWarnThreshold="100000"/>
</list>
</property>
</bean>
<bean id="utils" class="ee.qubova.cas.utils.Utils">
<!-- ".*" accepts any issuer DN. What Utils does with the pattern is not visible here
     (NOTE(review): presumably issuer filtering for the X509 login controller below;
     confirm), but as written it trusts every issuer. -->
<property name="trustedIssuerDnPattern" value=".*"/>
</bean>
<bean id="idCardLoginController" class="ee.qubova.cas.security.idcard.X509Controller">
<property name="centralAuthenticationService" ref="centralAuthenticationService"/>
<property name="cookieGenerator" ref="ticketGrantingTicketCookieGenerator"/>
<property name="argumentExtractors" ref="argumentExtractors"/>
<property name="utils" ref="utils"/>
</bean>
<bean id="adLoginController" class="ee.qubova.cas.security.ad.ADLoginController">
<property name="centralAuthenticationService" ref="centralAuthenticationService"/>
<property name="cookieGenerator" ref="ticketGrantingTicketCookieGenerator"/>
<property name="argumentExtractors" ref="argumentExtractors"/>
<property name="utils" ref="utils"/>
</bean>
/**
 * Resolves {@link ADCredentials} to a CAS principal whose id is the credential's
 * idCode. Attribute lookup is left to the parent class, which is expected to use
 * the attributeRepository configured on this bean (NOTE(review): confirm).
 */
public class ADPrincipalResolver extends AbstractPersonDirectoryCredentialsToPrincipalResolver {

    /**
     * Returns the idCode of the given credentials as the principal id.
     * Callers are expected to check {@link #supports(Credentials)} first; any other
     * credential type fails the cast with a ClassCastException.
     */
    protected String extractPrincipalId(final Credentials credentials) {
        return ((ADCredentials) credentials).getIdCode();
    }

    /** Accepts only non-null credentials that are ADCredentials (or a subclass of it). */
    public boolean supports(final Credentials credentials) {
        if (credentials == null) {
            return false;
        }
        return credentials instanceof ADCredentials;
    }
}
/**
 * Credentials produced by the AD login flow: the idCode (kept by the superclass)
 * plus a username and password.
 *
 * <p>The password is held as a mutable String for the lifetime of this object, so
 * anything that logs, serialises or releases the object as-is exposes it.
 */
public class ADCredentials extends AbstractCASUserProfile {

    private String username;
    private String password;

    /**
     * @param idCode   identifier stored on the superclass via setIdCode (called through
     *                 {@code super} so a subclass override is bypassed, as before)
     * @param username the account name
     * @param password the account password
     */
    public ADCredentials(String idCode, String username, String password) {
        super.setIdCode(idCode);
        this.password = password;
        this.username = username;
    }

    /** @return the account name */
    public String getUsername() {
        return this.username;
    }

    /** @return the account password */
    public String getPassword() {
        return this.password;
    }

    /** @param username the new account name */
    public void setUsername(String username) {
        this.username = username;
    }

    /** @param password the new account password */
    public void setPassword(String password) {
        this.password = password;
    }
}
/**
 * Authentication handler for {@link ADCredentials}.
 *
 * <p>NOTE(review): this handler performs no credential verification. It reports
 * success for any ADCredentials whose idCode is a non-empty string; the username
 * and password are never inspected here. It therefore relies entirely on whatever
 * constructed the credentials (presumably the AD login controller) having already
 * authenticated the user; confirm that before depending on it.
 */
public class CustomAuthenticationHandler implements AuthenticationHandler {

    /**
     * Succeeds exactly when the credentials are ADCredentials carrying a non-empty idCode.
     *
     * @param credentials the credentials to check; null yields false
     * @return true when accepted
     * @throws AuthenticationException never thrown by this implementation
     */
    public boolean authenticate(Credentials credentials) throws AuthenticationException {
        if (!(credentials instanceof ADCredentials)) {
            return false;
        }
        final String idCode = ((ADCredentials) credentials).getIdCode();
        return StringUtils.hasLength(idCode);
    }

    /** Accepts ADCredentials only; instanceof already rejects null. */
    public boolean supports(Credentials credentials) {
        return credentials instanceof ADCredentials;
    }
}
而在 cas-servlet.xml
<bean
id="handlerMappingC"
class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
<property name="mappings">
<props>
<prop key="/adlogin">adLoginController</prop>
CAS3默认不释放属性。它仅通过 samlValidate 这样做。如果您使用的是 serviceValidate,则需要修改生成最终 CAS 响应的 JSP 文件并手动向其添加属性。参见 https://wiki.jasig.org/display/casum/attributes
请注意,CAS3 已终止支持(EOL)。CAS 的后续版本会自动执行此操作。
身份验证工作正常,通过票证 ID,我还从客户端获得了用户名。为了检索参数,我使用下面的脚本。我尝试了几种不同的方法,但没有成功。我总是得到用户名,仅此而已。有任何想法吗?如何添加新参数?有从 SQL 和 LDAP 加载数据并将它们添加到属性列表的示例,但没有一个有效。所以可能是我的初始设置有问题。我要添加的信息既不是来自数据库也不是来自 LDAP,我想添加我通过身份验证收到的完全自定义的信息(通过所用的通道转发它)。所以它应该是添加的自定义属性或类似的东西。初始代码在下面 -> 那里不尝试添加属性,只是简单干净的代码,只进行身份验证。
整个配置如下。我可能完全遗漏了什么…… 因此,如果您有关于如何为服务客户端向 saml 响应消息添加附加参数的想法或示例,我将不胜感激 :)
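/**
 * Builds the Spring Security {@link UserDetails} for a validated CAS assertion.
 *
 * <p>Each attribute name in {@code this.attributes} is looked up on the assertion
 * principal. Every non-null value (or every element, when the value is a
 * {@link List}) becomes one {@link SimpleGrantedAuthority}; the authority name is
 * upper-cased when {@code this.convertToUpperCase} is set. The returned user carries
 * the placeholder password {@code "NO_PASSWORD"} and is enabled, non-expired and
 * non-locked: the CAS ticket validation is the only credential check involved here.
 *
 * <p>Security note: attribute values are turned into authorities verbatim, so the
 * attributes released by the CAS server directly decide the roles granted.
 *
 * @param assertion the validated CAS assertion; its principal must be non-null
 * @return the user details for the asserted principal
 */
protected UserDetails loadUserDetails(Assertion assertion) {
    List<SimpleGrantedAuthority> grantedAuthorities = new ArrayList<SimpleGrantedAuthority>();
    // Tolerate an unset attribute list instead of failing with a NullPointerException.
    String[] attributeNames = this.attributes == null ? new String[0] : this.attributes;
    for (String attribute : attributeNames) {
        Object value = assertion.getPrincipal().getAttributes().get(attribute);
        if (value == null) {
            continue;
        }
        if (value instanceof List) {
            // Multi-valued attributes arrive as a List; each element is its own authority.
            for (Object element : (List<?>) value) {
                grantedAuthorities.add(toAuthority(element));
            }
        } else {
            grantedAuthorities.add(toAuthority(value));
        }
    }
    return new User(assertion.getPrincipal().getName(), "NO_PASSWORD", true, true, true, true, grantedAuthorities);
}

/** Converts one attribute value to an authority, honouring the upper-case flag. */
private SimpleGrantedAuthority toAuthority(Object value) {
    String name = value.toString();
    return new SimpleGrantedAuthority(this.convertToUpperCase ? name.toUpperCase() : name);
}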
deployerConfigContext.xml:
<?xml version="1.0" encoding="UTF-8"?>
...
<!-- Attribute source for the principal resolver below. StubPersonAttributeDao is
     configured here without a backing attribute map, so it presumably supplies no
     attributes to the resolver (NOTE(review): confirm); that alone would explain an
     empty attribute set in the validation response. -->
<bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao"/>
<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
<property name="credentialsToPrincipalResolvers">
<list>
<!-- Resolves ADCredentials to a principal keyed by idCode; attributes are looked up
     through the attributeRepository wired in below. -->
<bean id="adPrincipalResolver" class="ee.qubova.cas.security.ad.ADPrincipalResolver">
<property name="attributeRepository" ref="attributeRepository"/>
</bean>
</list>
</property>
<property name="authenticationHandlers">
<list>
<!-- CustomAuthenticationHandler reports success for any ADCredentials with a
     non-empty idCode and verifies nothing else, so the controller that builds the
     credentials must already have authenticated the user. -->
<bean class="ee.qubova.cas.security.CustomAuthenticationHandler">
</bean>
</list>
</property>
</bean>
<!-- Hard-coded test account with ROLE_ADMIN and a plaintext password; remove or
     externalise it before this configuration reaches a shared environment. -->
<sec:user-service id="userDetailsService">
<sec:user name="test" password="test" authorities="ROLE_ADMIN"/>
</sec:user-service>
<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
<property name="registeredServices">
<list>
<bean class="org.jasig.cas.services.RegisteredServiceImpl">
<property name="id" value="0"/>
<property name="name" value="HTTP"/>
<property name="description" value="Only Allows HTTP Urls"/>
<!-- Matches every plain-HTTP service URL: tickets and any released attributes are
     sent unencrypted to whichever service matches. Narrow this to the known
     service URLs (and https) once the setup works. -->
<property name="serviceId" value="http://**"/>
<property name="evaluationOrder" value="10000001"/>
<!-- Attributes this service is allowed to receive in the validation response.
     Listing "password" releases the user's password to the service whenever that
     attribute is populated; drop it unless that is really intended. -->
<property name="allowedAttributes">
<list>
<value>username</value>
<value>password</value>
<value>idCode</value>
</list>
</property>
</bean>
</list>
</property>
</bean>
<bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager"/>
<bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor">
<property name="monitors">
<list>
<bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10"/>
<bean class="org.jasig.cas.monitor.SessionMonitor" p:ticketRegistry-ref="ticketRegistry"
p:serviceTicketCountWarnThreshold="5000" p:sessionCountWarnThreshold="100000"/>
</list>
</property>
</bean>
<bean id="utils" class="ee.qubova.cas.utils.Utils">
<!-- ".*" accepts any issuer DN. What Utils does with the pattern is not visible here
     (NOTE(review): presumably issuer filtering for the X509 login controller below;
     confirm), but as written it trusts every issuer. -->
<property name="trustedIssuerDnPattern" value=".*"/>
</bean>
<bean id="idCardLoginController" class="ee.qubova.cas.security.idcard.X509Controller">
<property name="centralAuthenticationService" ref="centralAuthenticationService"/>
<property name="cookieGenerator" ref="ticketGrantingTicketCookieGenerator"/>
<property name="argumentExtractors" ref="argumentExtractors"/>
<property name="utils" ref="utils"/>
</bean>
<bean id="adLoginController" class="ee.qubova.cas.security.ad.ADLoginController">
<property name="centralAuthenticationService" ref="centralAuthenticationService"/>
<property name="cookieGenerator" ref="ticketGrantingTicketCookieGenerator"/>
<property name="argumentExtractors" ref="argumentExtractors"/>
<property name="utils" ref="utils"/>
</bean>
/**
 * Resolves {@link ADCredentials} to a CAS principal whose id is the credential's
 * idCode. Attribute lookup is left to the parent class, which is expected to use
 * the attributeRepository configured on this bean (NOTE(review): confirm).
 */
public class ADPrincipalResolver extends AbstractPersonDirectoryCredentialsToPrincipalResolver {

    /**
     * Returns the idCode of the given credentials as the principal id.
     * Callers are expected to check {@link #supports(Credentials)} first; any other
     * credential type fails the cast with a ClassCastException.
     */
    protected String extractPrincipalId(final Credentials credentials) {
        return ((ADCredentials) credentials).getIdCode();
    }

    /** Accepts only non-null credentials that are ADCredentials (or a subclass of it). */
    public boolean supports(final Credentials credentials) {
        if (credentials == null) {
            return false;
        }
        return credentials instanceof ADCredentials;
    }
}
/**
 * Credentials produced by the AD login flow: the idCode (kept by the superclass)
 * plus a username and password.
 *
 * <p>The password is held as a mutable String for the lifetime of this object, so
 * anything that logs, serialises or releases the object as-is exposes it.
 */
public class ADCredentials extends AbstractCASUserProfile {

    private String username;
    private String password;

    /**
     * @param idCode   identifier stored on the superclass via setIdCode (called through
     *                 {@code super} so a subclass override is bypassed, as before)
     * @param username the account name
     * @param password the account password
     */
    public ADCredentials(String idCode, String username, String password) {
        super.setIdCode(idCode);
        this.password = password;
        this.username = username;
    }

    /** @return the account name */
    public String getUsername() {
        return this.username;
    }

    /** @return the account password */
    public String getPassword() {
        return this.password;
    }

    /** @param username the new account name */
    public void setUsername(String username) {
        this.username = username;
    }

    /** @param password the new account password */
    public void setPassword(String password) {
        this.password = password;
    }
}
/**
 * Authentication handler for {@link ADCredentials}.
 *
 * <p>NOTE(review): this handler performs no credential verification. It reports
 * success for any ADCredentials whose idCode is a non-empty string; the username
 * and password are never inspected here. It therefore relies entirely on whatever
 * constructed the credentials (presumably the AD login controller) having already
 * authenticated the user; confirm that before depending on it.
 */
public class CustomAuthenticationHandler implements AuthenticationHandler {

    /**
     * Succeeds exactly when the credentials are ADCredentials carrying a non-empty idCode.
     *
     * @param credentials the credentials to check; null yields false
     * @return true when accepted
     * @throws AuthenticationException never thrown by this implementation
     */
    public boolean authenticate(Credentials credentials) throws AuthenticationException {
        if (!(credentials instanceof ADCredentials)) {
            return false;
        }
        final String idCode = ((ADCredentials) credentials).getIdCode();
        return StringUtils.hasLength(idCode);
    }

    /** Accepts ADCredentials only; instanceof already rejects null. */
    public boolean supports(Credentials credentials) {
        return credentials instanceof ADCredentials;
    }
}
而在 cas-servlet.xml
<bean
id="handlerMappingC"
class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
<property name="mappings">
<props>
<prop key="/adlogin">adLoginController</prop>
CAS3默认不释放属性。它仅通过 samlValidate 这样做。如果您使用的是 serviceValidate,则需要修改生成最终 CAS 响应的 JSP 文件并手动向其添加属性。参见 https://wiki.jasig.org/display/casum/attributes
请注意,CAS3 已终止支持(EOL)。CAS 的后续版本会自动执行此操作。