
Custom Bean for Authentication Policy - Conflict when obtaining more parameters than just the ticket - return more attributes cas jasig

I'm configuring CAS v4.1.1 and I'm trying to return a Map of parameters (in addition to the ticket) in the response to a phpCAS client, from a "Custom Bean" (which I designed based on the bean org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler of the subproject cas-server-support-jdbc) used to authenticate, registered with the "primaryPrincipalResolver" in the "authenticationManager" bean of my deployerConfigContext.xml.

My configuration of deployerConfigContext.xml looks something like this:

<beans xmlns="http://www.springframework.org/schema/beans"
...
... />


<bean id="authenticationManager"
      class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
  <constructor-arg>
    <map>
      <!-- IMPORTANT: Every handler requires a unique name. If more than
           one instance of the same handler class is configured, you must explicitly
           set its name to something other than its default name (typically the simple
           class name). -->
      <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
      <!-- Authentication beans:
           The beans used for authentication are listed here. Depending on the order
           in which they are added, priority is given to the authentication method that the bean describes. -->
      <entry key-ref="SearchDatabaseAuthenticationMovilred" value-ref="primaryPrincipalResolver" />
    </map>
  </constructor-arg>
  <!-- Defines the security policy around authentication. Some alternative
       policies that ship with CAS:
       * NotPreventedAuthenticationPolicy - all credential must either pass or fail authentication
       * AllAuthenticationPolicy - all presented credential must be authenticated successfully
       * RequiredHandlerAuthenticationPolicy - specifies a handler that must authenticate its credential to pass -->
  <property name="authenticationPolicy">
    <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
  </property>
</bean>
...
....
<bean id="SearchDatabaseAuthenticationMovilred"
      class="com.solidda.cas.jdbc.SearchDatabaseAuthenticationMovilred">
  <property name="urlService">
    <value> { SOME URL THAT I USE TO POINT TO A SERVICE THAT RETURN A MAP OF DATA } </value>
  </property>
  <property name="dataSource" ref="dataSource" />
</bean>
...
<!-- Required for proxy ticket mechanism -->
<bean id="proxyPrincipalResolver"
      class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
<!-- Resolves a principal from a credential using an attribute repository
     that is configured to resolve against a deployer-specific store (e.g. LDAP). -->
<bean id="primaryPrincipalResolver"
      class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver"
      p:principalFactory-ref="principalFactory" p:attributeRepository-ref="attributeRepository" />
<!-- Bean that defines the attributes that a service may return. This example
     uses the Stub/Mock version. A real implementation may go against a database
     or LDAP server. The id should remain "attributeRepository" though. -->
<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"
      p:backingMap-ref="attrRepoBackingMap" />
<util:map id="attrRepoBackingMap">
  <entry key="uid" value="uid" />
  <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
  <entry key="groupMembership" value="groupMembership" />
  <entry>
    <key>
      <value>memberOf</value>
    </key>
    <list>
      <value>faculty</value>
      <value>staff</value>
      <value>org</value>
    </list>
  </entry>
</util:map>

....

And this is roughly what the code of the "custom bean" that I created looks like:

...

import java.security.GeneralSecurityException;
import java.util.HashMap;
import java.util.Map;

import javax.validation.constraints.NotNull;

import org.jasig.cas.adaptors.jdbc.AbstractJdbcUsernamePasswordAuthenticationHandler;
import org.jasig.cas.authentication.HandlerResult;
import org.jasig.cas.authentication.PreventedException;
import org.jasig.cas.authentication.UsernamePasswordCredential;

public class SearchDatabaseAuthenticationMovilred extends
        AbstractJdbcUsernamePasswordAuthenticationHandler {

    // URL of the POST service that returns the user's data; injected from deployerConfigContext.xml
    @NotNull
    private String urlService;

    // Setter required so that Spring can inject the "urlService" property
    public void setUrlService(final String urlService) {
        this.urlService = urlService;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    protected final HandlerResult authenticateUsernamePasswordInternal(
            final UsernamePasswordCredential credential)
            throws GeneralSecurityException, PreventedException {

        // Get the username and password from the request
        final String username = credential.getUsername();
        final String password = credential.getPassword();

        // ....
        // Build the request to the method that calls a POST service returning a Map of data
        // ....

        // Maps that decompose the result
        final Map<String, Object> result;
        final Map<String, Object> dataValues;

        // In the end I obtain a Map something like the object below
        dataValues = new HashMap<String, Object>();
        dataValues.put("data", "{\"InfoLogin\": {\"USUA_LOGIN\": "
                + "\"USERNAME\",\"USUA_ID\": SOMEID,\"TPTE_ID\": "
                + "TYPE,\"TERC_ID\": OTHERSOMEID}");

        // Hand the result map to "createPrincipal" so that it becomes the principal's attributes
        final HandlerResult a = createHandlerResult(credential,
                this.principalFactory.createPrincipal(username, dataValues), null);
        return a;
    }


....
//Some more code and stuff

And I can't obtain, in the response received by phpCAS, the "dataValues" content as "attributes" or anything like that. I'm really stuck on this; I have read a lot of forums and nothing there works for my case... Can you guys help me, please?

Greetings from Colombia.

Thank You.

-- Cristian Guerrero. A developer on the verge of a nervous breakdown

Two things:
1. If you wish to use your handler to return attributes back, you should null out the corresponding principal resolver.
2. Attributes should be released to CAS clients per attribute release policy. You should list all attributes that need to be released, i.e. data.

Expanding on Misagh Moayyed's response,

I found the solution, based on another forum thread: https://groups.google.com/forum/#!msg/jasig-cas-user/N8aod-ijs90/zzHKpk-hBgAJ (and a lot of reading); the response was really frustrating.

  1. You should "null-ify" the principal resolver in the deployerConfigContext.xml for your Custom Authentication Handler, something like this:

          <entry key-ref="YourCustomAuthHandler" value="#{null}" />
        </map>
      </constructor-arg>

    {...}

  2. Afterwards, you should check your "serviceRegistry.json" located at the path: cas-server-webapp/src/main/resources/services. In this file you should check the attributeReleasePolicy, which must contain this annotation:

    "attributeReleasePolicy" : {
      "@class" : "org.jasig.cas.services.ReturnAllAttributeReleasePolicy",
      ....
    },

The second annotation is EXTREMELY IMPORTANT, because that is the policy that manages the attributes that your AuthHandler has to return. In this case you allow it to return all attributes (including the custom ones).

I hope it helps. It cost me an eyeball.

Greetings.
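ReturnAllAttributeReleasePolicy releases every principal attribute to any client whose URL matches that registry entry. As an added example (not part of the original answer or of the CAS project), this is a service registry entry in the same JSON format as the files in the services directory above: it registers only the phpCAS application and releases just the "data" attribute that the handler puts on the principal. The host app.example.org, the service name and the id 10000002 are placeholders to replace with your own.

```json
{
  "@class" : "org.jasig.cas.services.RegexRegisteredService",
  "serviceId" : "^https://app\\.example\\.org/.*",
  "name" : "phpCAS client",
  "id" : 10000002,
  "description" : "Only the phpCAS application, matched by its HTTPS URL (placeholder host)",
  "evaluationOrder" : 10,
  "attributeReleasePolicy" : {
    "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "data" ] ]
  }
}
```

CAS matches the service URL that phpCAS sends against the serviceId regex, so the pattern must cover that URL exactly; any other attribute the handler adds later stays unreleased until it is listed here.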
