SEC-1228: Create UserDetailsService for CAS That Leverages SAML-based Attribute Release #1463

Closed
spring-issuemaster opened this Issue Aug 24, 2009 · 13 comments

1 participant

@spring-issuemaster

Marvin S. Addison (Migrated from SEC-1228) said:

Now that CAS supports attribute release in the service ticket validation response via the SAML 1.1 protocol, it should be straightforward to provide a UserDetailsService for CAS that can map attributes onto roles and other user information needed by applications that use Spring Security.

@spring-issuemaster

Fabio Canepa said:

I'm trying to implement this feature and I want to share my experiment.
In order to retrieve the SAML assertion I've subclassed CasAuthenticationProvider, overriding loadUserByAssertion:

// Imports assume the Spring Security 2.x package layout that the
// org.springframework.security.userdetails.User reference below implies.
import java.util.Map;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jasig.cas.client.authentication.AttributePrincipal;
import org.jasig.cas.client.validation.Assertion;
import org.springframework.security.providers.cas.CasAuthenticationProvider;
import org.springframework.security.userdetails.UserDetails;

public class MyCasAuthenticationProvider extends CasAuthenticationProvider {

    protected final Log log = LogFactory.getLog(getClass());

    @Override
    protected UserDetails loadUserByAssertion(Assertion assertion) {
        // The CAS client exposes the SAML-released attributes on the principal
        AttributePrincipal principal = assertion.getPrincipal();
        Map<String, Object> attributes = principal.getAttributes();

        for (Map.Entry<String, Object> attribute : attributes.entrySet()) {
            log.debug("Found attribute " + attribute.getKey() + " = " + attribute.getValue());
        }

        // Let the standard provider build the base UserDetails, then add the extra attributes
        UserDetails user = super.loadUserByAssertion(assertion);

        // MyUser is a subclass of org.springframework.security.userdetails.User (see below).
        // These get(...).toString() calls throw NullPointerException when CAS did not
        // release the attribute for this service.
        return new MyUser(user.getUsername(), user.getPassword(), user.isEnabled(),
                user.getAuthorities(),
                attributes.get("firstName").toString(),
                attributes.get("email").toString());
    }
}

Here MyUser is a subclass of org.springframework.security.userdetails.User which contains fields for firstName and email.
But now, how should I configure userDetailsService in my application context?

@spring-issuemaster

Luke Taylor said:

Setting 3.1 as the fix date. Feel free to change if you manage to do it earlier Scott :).

@spring-issuemaster

Scott Battaglia said:

Moved this back because we might have some stuff in by the next RC!

@spring-issuemaster

Scott Battaglia said:

I've added an AuthenticationUserDetailsService that, given an Assertion and a list of attributes, will construct a new UserDetails using the attributes' values as GrantedAuthorities. Do we want any other types of AuthenticationUserDetailsServices?

I also have an abstract class so that creating your own to read an assertion should be relatively easy.

@spring-issuemaster

Luke Taylor said:

I guess the purpose of attributes may vary a lot, so we should probably just let people provide their custom implementation if they want anything more than a set of authorities.

@spring-issuemaster

Scott Battaglia said:

Okay then this is done except for some test cases. I'll see if I can do that soon.

@spring-issuemaster

Dominique Arnou said:

Hello, I get the following error:

Problem accessing /cas-sample/j_spring_cas_security_check. Reason:

The provided token MUST be an instance of CasAuthenticationToken.classObject...

How do I set this token in my context?



Cheers,

Dominique

@spring-issuemaster

Scott Battaglia said:

Can you send me the complete stack trace? I'll take a look.

@spring-issuemaster

Dominique Arnou said:

Good evening,

To begin, the webapp-sample case is provided in your source repository.

I have provided an extract file applicationContext-security.xml : I just changed the property userDetailsService in authenticationUserDetailsService, and created a bean GrantedAuthorityFromAssertionAttributesUserDetailsService.

The trace spring-security-cas-client.log and a copy of the stacktrace displayed are also provided

Best regards,

Dominique

Sorry for my translated English.

@spring-issuemaster

Scott Battaglia said:

Can you try it out now? I had a typo in the Assert call.

@spring-issuemaster

Dominique Arnou said:

Hi, the fix works, but a new error occurred:

Line 73 of GrantedAuthorityFromAssertionAttributesUserDetailsService.java invokes new User(assertion.getPrincipal().getName(), ...), but a 500 error occurs:

HTTP ERROR 500

Problem accessing /cas-sample/j_spring_cas_security_check. Reason:

Cannot pass null or empty values to constructor

Caused by:

java.lang.IllegalArgumentException: Cannot pass null or empty values to constructor
at org.springframework.security.core.userdetails.User.(User.java:87)
at org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService.loadUserDetails(GrantedAuthorityFromAssertionAttributesUserDetailsService.java:73)
at org.springframework.security.cas.userdetails.AbstractCasAssertionUserDetailsService.loadUserDetails(AbstractCasAssertionUserDetailsService.java:37)
at org.springframework.security.cas.authentication.CasAuthenticationProvider.loadUserByAssertion(CasAuthenticationProvider.java:150)
...

@spring-issuemaster

Scott Battaglia said:

I wonder if it's because there are no values for the attributes? I can take a look tomorrow. Are you returning any attributes?

Cheers,
Scott

@spring-issuemaster

Scott Battaglia said:

Just realized that we were passing in NULL as the password which is not allowed. Fixed that, so try it out now.
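Pulling the thread together, here is an added example (not Spring Security's own code, and not the class Scott committed) of the approach discussed above: Fabio's idea of carrying firstName and email on a User subclass, Scott's attribute-to-GrantedAuthority mapping on top of AbstractCasAssertionUserDetailsService, and the two failure modes Dominique hit, an assertion with no released attributes and the null password that User's constructor rejects. The class name, package, constructor parameters and the "NO_PASSWORD" placeholder are assumptions; AbstractCasAssertionUserDetailsService, Assertion, User, UsernameNotFoundException and SimpleGrantedAuthority (Spring Security 3.1+, GrantedAuthorityImpl on 3.0) are real APIs.

```java
package example.cas; // hypothetical package, not part of Spring Security

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.jasig.cas.client.validation.Assertion;
import org.springframework.security.cas.userdetails.AbstractCasAssertionUserDetailsService;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.util.StringUtils;

/**
 * Builds a UserDetails from the attributes CAS released in the SAML 1.1 validation
 * response: the configured authority attributes become GrantedAuthorities, and the
 * firstName/email attributes are carried on a User subclass. Example code only.
 */
public class AttributeMappingCasUserDetailsService extends AbstractCasAssertionUserDetailsService {

    // User's constructor rejects a null or empty password ("Cannot pass null or empty
    // values to constructor"). CAS never discloses the password, so store a fixed
    // placeholder that can never match a real credential.
    private static final String NON_EXISTENT_PASSWORD = "NO_PASSWORD";

    private final List<String> authorityAttributes;
    private final String firstNameAttribute;
    private final String emailAttribute;

    public AttributeMappingCasUserDetailsService(List<String> authorityAttributes,
                                                 String firstNameAttribute,
                                                 String emailAttribute) {
        this.authorityAttributes = new ArrayList<String>(authorityAttributes);
        this.firstNameAttribute = firstNameAttribute;
        this.emailAttribute = emailAttribute;
    }

    @Override
    protected UserDetails loadUserDetails(Assertion assertion) {
        String username = assertion.getPrincipal().getName();
        if (!StringUtils.hasText(username)) {
            // Never let an assertion without a subject reach User's constructor.
            throw new UsernameNotFoundException("CAS assertion carries no principal name");
        }
        // Defensive: treat "no attributes released" as an empty map rather than failing.
        Map<String, Object> attributes = assertion.getPrincipal().getAttributes();
        if (attributes == null) {
            attributes = Collections.emptyMap();
        }

        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String attributeName : authorityAttributes) {
            for (String value : valuesOf(attributes.get(attributeName))) {
                authorities.add(new SimpleGrantedAuthority(value));
            }
        }
        String firstName = firstValue(attributes.get(firstNameAttribute));
        String email = firstValue(attributes.get(emailAttribute));
        return new CasUser(username, NON_EXISTENT_PASSWORD, authorities, firstName, email);
    }

    /** The CAS client returns a List for multi-valued attributes and a single Object otherwise. */
    static List<String> valuesOf(Object raw) {
        List<String> values = new ArrayList<String>();
        if (raw instanceof Collection<?>) {
            for (Object o : (Collection<?>) raw) {
                if (o != null && StringUtils.hasText(o.toString())) {
                    values.add(o.toString());
                }
            }
        } else if (raw != null && StringUtils.hasText(raw.toString())) {
            values.add(raw.toString());
        }
        return values;
    }

    /** First value of an attribute, or null when CAS did not release it. */
    static String firstValue(Object raw) {
        List<String> values = valuesOf(raw);
        return values.isEmpty() ? null : values.get(0);
    }

    /** User carrying the extra attributes; User's username-based equals/hashCode are kept. */
    public static class CasUser extends User {
        private final String firstName;
        private final String email;

        CasUser(String username, String password, List<GrantedAuthority> authorities,
                String firstName, String email) {
            super(username, password, true, true, true, true, authorities);
            this.firstName = firstName;
            this.email = email;
        }

        public String getFirstName() { return firstName; }

        public String getEmail() { return email; }
    }
}
```

Wire it into CasAuthenticationProvider through the authenticationUserDetailsService property (the property Dominique switched to), passing the attribute names as constructor arguments. Because authorities are derived only from attributes the CAS server releases to this particular service, a misspelled attribute name in the configuration yields a user with no authorities rather than an error; logging an empty authority list at WARN level in loadUserDetails makes that misconfiguration visible quickly.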

@spring-issuemaster spring-issuemaster added this to the 3.0.0 RC1 milestone Feb 5, 2016