Different attributes in the casServiceValidationSuccess.jsp view
Activity
Misagh Moayyed, January 8, 2014 at 11:50 AM
Few points:
In CAS 3.5.2, casServiceValidationSuccess.jsp does not release any attributes out. If you have this functionality, it must be a local customization to your build. The default only releases attributes under SAML validation.
Some of the things you are doing can be done via transformers, like altering the user id. Some of which in CAS 4 can be done via attribute filters.
Again, casServiceValidationSuccess in 3.5.2 does not include any attributes whatsoever, be it service or authentication. If you have this functionality working for you, it's something that is local to your build and not the default. It is however true that if you choose to ignore attributes, you'd lose authentication attributes in the below layers (and if you were to customize the jsp to use those attributes, you'd be at a loss). This may be a bug, and I suspect it's been fixed in CAS 4. I'd encourage you to try out the most recent CAS 4 release.
Diego, January 8, 2014 at 11:36 AM
Thank you for the answer. I think that you didn't understand my description. I don't include this authentication attribute in the payload.
We use the authentication attributes to make decisions about the content of the payload, and I think that this information is useful to be available in the jsp to make local customizations in the war overlay and to deal with legacy authentication sources (and this information is still available depending on the configuration of the service).
For example, we have to normalize the user name with some authentication methods because the identification source gives slightly different user names for the same user in specific circumstances.
And also, why does CAS have a different behavior if I don't check the isIgnoreAttributes field in the services administration application? In this case I have the authentication method available in the jsp.
Misagh Moayyed, January 8, 2014 at 11:20 AM
Validation payload only includes attributes that are permitted by the service definition. Authentication attributes are not relevant here and will not be posted back. This is by design and protocol. CAS4 however, will attempt to release some authentication attributes.
We use in the casServiceValidationSuccess.jsp the attribute org.jasig.cas.authentication.AuthenticationManager.AUTHENTICATION_METHOD_ATTRIBUTE of the Authentication, which tells us the authentication method used by the user.
If the RegisteredService has the ignoredAttributes set to true, the jsp doesn't work well for us in the 3.5.2 version because the method org.jasig.cas.CentralAuthenticationServiceImpl.validateServiceTicket(String, Service) works in a different way depending on the value of registeredService.isIgnoreAttributes(). In the else block of the if (!registeredService.isIgnoreAttributes()) the attributes of the authentication are not copied and the “authenticationMethod” attribute is lost. Is there any reason for a different behavior?
I think that adding something like this as the last statement of the else block would fix the problem: “authToUse.getAttributes().putAll(authentication.getAttributes());”
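The branch behaviour described in this report, as an added stand-alone model (not CAS source code and not part of the original issue). Auth, buildAuthToUse and the sample values are hypothetical stand-ins; only the isIgnoreAttributes branch, the "authenticationMethod" attribute and the proposed putAll line come from the report.

```java
import java.util.*;

// Simplified model of the branch described in the report.
// Auth and buildAuthToUse are hypothetical stand-ins, not CAS classes.
public class IgnoreAttributesDemo {

    static final class Auth {
        final String principalId;
        final Map<String, Object> principalAttributes;
        final Map<String, Object> attributes = new HashMap<>(); // authentication-level

        Auth(String principalId, Map<String, Object> principalAttributes) {
            this.principalId = principalId;
            this.principalAttributes = principalAttributes;
        }
    }

    static Auth buildAuthToUse(Auth authentication, boolean ignoreAttributes,
                               Set<String> allowed, boolean applyProposedFix) {
        final Auth authToUse;
        if (!ignoreAttributes) {
            // Keep only the principal attributes the service definition allows.
            Map<String, Object> released = new HashMap<>(authentication.principalAttributes);
            released.keySet().retainAll(allowed);
            authToUse = new Auth(authentication.principalId, released);
            authToUse.attributes.putAll(authentication.attributes);
        } else {
            // Assumption: with ignoreAttributes set, principal attributes pass unfiltered.
            authToUse = new Auth(authentication.principalId,
                    new HashMap<>(authentication.principalAttributes));
            if (applyProposedFix) {
                // The line proposed in the report as the last statement of the else block.
                authToUse.attributes.putAll(authentication.attributes);
            }
        }
        return authToUse;
    }

    public static void main(String[] args) {
        Map<String, Object> principalAttrs = new HashMap<>();
        principalAttrs.put("mail", "jdoe@example.org"); // constructed sample values
        Auth authentication = new Auth("jdoe", principalAttrs);
        authentication.attributes.put("authenticationMethod", "sampleHandler");
        Set<String> allowed = Collections.singleton("mail");

        System.out.println(buildAuthToUse(authentication, false, allowed, false).attributes);
        System.out.println(buildAuthToUse(authentication, true, allowed, false).attributes);
        System.out.println(buildAuthToUse(authentication, true, allowed, true).attributes);
    }
}
```

In this model the first and third calls keep authenticationMethod on the returned object, while the second (ignoreAttributes set, no fix) returns an empty authentication attribute map, which is the loss the report describes.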