SEC-1228: Create UserDetailsService for CAS That Leverages SAML-based Attribute Release #1463

spring-issuemaster opened this Issue Aug 24, 2009 · 13 comments



Marvin S. Addison (Migrated from SEC-1228) said:

Now that CAS supports attribute release in the service ticket validation response via the SAML 1.1 protocol, it should be straightforward to provide a UserDetailsService for CAS that can map attributes onto roles and other user information needed by applications that use Spring Security.

Fabio Canepa said:

I'm trying to implement this feature and I want to share my experiment.
In order to retrieve the SAML assertion I've subclassed CasAuthenticationProvider, overriding loadUserByAssertion:

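import java.util.Iterator;
import java.util.Map;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jasig.cas.client.authentication.AttributePrincipal;
import org.jasig.cas.client.validation.Assertion;
import org.springframework.security.providers.cas.CasAuthenticationProvider;
import org.springframework.security.userdetails.UserDetails;

public class MyCasAuthenticationProvider extends CasAuthenticationProvider {

    protected final Log log = LogFactory.getLog(getClass());

    protected UserDetails loadUserByAssertion(Assertion assertion) {

        // Attributes CAS released with the validated ticket
        AttributePrincipal principal = assertion.getPrincipal();

        Map attributes = principal.getAttributes();
        Iterator attributeNames = attributes.keySet().iterator();
        for (; attributeNames.hasNext();) {
            String attributeName = (String) attributeNames.next();
            Object attributeValue = attributes.get(attributeName);
            log.debug("Found attribute " + attributeName + "  = " + attributeValue);
        }

        // Let the parent class load the base user for the principal
        UserDetails user = super.loadUserByAssertion(assertion);

        // Throws NullPointerException if "firstName" or "email" was not released
        return new MyUser(user.getUsername(), user.getPassword(), user.isEnabled(), user.getAuthorities(),
                attributes.get("firstName").toString(), attributes.get("email").toString());
    }
}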

Where MyUser is a subclass of org.springframework.security.userdetails.User which contains fields for firstName and email.
But now how should I configure userDetailsService in my application context?

<sec:custom-authentication-provider />

Luke Taylor said:

Setting 3.1 as the fix date. Feel free to change if you manage to do it earlier Scott :).

Scott Battaglia said:

Moved this back because we might have some stuff in by the next RC!

Scott Battaglia said:

I've added an AuthenticationUserDetailsService that given an Assertion and a list of attributes, will construct a new UserDetails using the attribute's values as GrantedAuthorities. Do we want any other types of AuthenticationUserDetailsServices?

I also have an abstract class so that creating your own to read an assertion should be relatively easy.

Luke Taylor said:

I guess the purpose of attributes may vary a lot, so we should probably just let people provide their custom implementation if they want anything more than a set of authorities.

Scott Battaglia said:

Okay then this is done except for some test cases. I'll see if I can do that soon.

Dominique Arnou said:

Hello, I get the following error:

Problem accessing /cas-sample/j_spring_cas_security_check. Reason:

The provided token MUST be an instance of CasAuthenticationToken.classObject...

How do I set this token in my context?



Scott Battaglia said:

Can you send me the complete stack trace? I'll take a look.

Dominique Arnou said:

Good evening,

To begin, the webapp-sample case is provided in your source repository.

I have provided an extract of the file applicationContext-security.xml: I just changed the property userDetailsService to authenticationUserDetailsService, and created a bean GrantedAuthorityFromAssertionAttributesUserDetailsService.

The trace spring-security-cas-client.log and a copy of the displayed stack trace are also provided.

Best regards,


Sorry for my translated English

Scott Battaglia said:

Can you try it out now? I had a typo in the Assert call.

Dominique Arnou said:

Hi, the fix works, but a new error occurred:

Line 73 of GrantedAuthorityFromAssertionAttributesUserDetailsService.java invokes User(assertion.getPrincipal().getName(),...), but a 500 error occurs:


Problem accessing /cas-sample/j_spring_cas_security_check. Reason:

Cannot pass null or empty values to constructor

Caused by:

java.lang.IllegalArgumentException: Cannot pass null or empty values to constructor
at org.springframework.security.core.userdetails.User.<init>(User.java:87)
at org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService.loadUserDetails(GrantedAuthorityFromAssertionAttributesUserDetailsService.java:73)
at org.springframework.security.cas.userdetails.AbstractCasAssertionUserDetailsService.loadUserDetails(AbstractCasAssertionUserDetailsService.java:37)
at org.springframework.security.cas.authentication.CasAuthenticationProvider.loadUserByAssertion(CasAuthenticationProvider.java:150)

Scott Battaglia said:

I wonder if it's because there are no values for the attributes? I can take a look tomorrow. Are you returning any attributes?


Scott Battaglia said:

Just realized that we were passing in NULL as the password which is not allowed. Fixed that, so try it out now.
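
A custom service built on the abstract class mentioned in the thread, shown as an added example (not code from the Spring Security project or from any commenter). It grants a role only for released attribute values that appear in an explicit mapping table, and passes a non-null placeholder password to avoid the IllegalArgumentException reported above. The class name, attribute name and role table are hypothetical, and SimpleGrantedAuthority assumes Spring Security 3.1 or later.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.jasig.cas.client.validation.Assertion;
import org.springframework.security.cas.userdetails.AbstractCasAssertionUserDetailsService;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

/** Hypothetical example: maps values of one released CAS attribute to roles via an explicit table. */
public class MappedAttributeUserDetailsService extends AbstractCasAssertionUserDetailsService {

    // User rejects null/empty passwords; CAS never hands the application one, so use a fixed placeholder.
    private static final String NO_PASSWORD = "NO_PASSWORD";

    private final String attributeName;            // e.g. "memberOf" (assumed attribute name)
    private final Map<String, String> roleByValue; // released value -> role, e.g. "staff" -> "ROLE_STAFF"

    public MappedAttributeUserDetailsService(String attributeName, Map<String, String> roleByValue) {
        this.attributeName = attributeName;
        this.roleByValue = roleByValue;
    }

    @Override
    protected UserDetails loadUserDetails(Assertion assertion) {
        Object released = assertion.getPrincipal().getAttributes().get(attributeName);
        // An attribute may be absent, single-valued, or multi-valued (a List).
        List<?> values;
        if (released == null) {
            values = Collections.emptyList();
        } else if (released instanceof List) {
            values = (List<?>) released;
        } else {
            values = Collections.singletonList(released);
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (Object value : values) {
            String role = (value == null) ? null : roleByValue.get(value.toString());
            if (role != null) {          // values without a mapping grant nothing
                authorities.add(new SimpleGrantedAuthority(role));
            }
        }
        return new User(assertion.getPrincipal().getName(), NO_PASSWORD,
                true, true, true, true, authorities);
    }
}
```

A bean of this class would be set on the authenticationUserDetailsService property of CasAuthenticationProvider, the same property Dominique Arnou describes changing above.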

spring-issuemaster added this to the 3.0.0 RC1 milestone Feb 5, 2016
