HOWTO utilize javax.servlet.http.HttpServletRequest isUserInRole( java.lang.String role )

Hopefully these notes will evolve into a more formal tutorial.

This example assumes user roles are stored in a database like so:

mysql> select * from VW_USER_ROLES;
+----+-----------+---------------+
| ID | LOGINNAME | ROLENAME      |
+----+-----------+---------------+
|  1 | me        | DEBUG         |
|  1 | me        | Super User    |
+----+-----------+---------------+

Currently works with SAML 1.1 from jasig or by utilizing

            server add-on https://github.com/Unicon/cas-addons/wiki/Configuring-JSON-Validation-Response   ( server version 3.5.1 and above )

            and client add-on https://github.com/Unicon/cas-java-clients-addons ( client version 3.2.1 )

(for CAS 2.0 see http://www.ja-sig.org/issues/browse/CAS-655).

• Client Mods

• • dependencies

    <dependency>
      <groupId>org.apache.santuario</groupId>
      <artifactId>xmlsec</artifactId>
      <version>1.4.5</version>
    </dependency>
    
    <dependency>
      <groupId>org.opensaml</groupId>
      <artifactId>opensaml</artifactId>
      <version>1.1b</version>
    </dependency>
    

  • org.jasig.cas.client.authentication.Saml11AuthenticationFilter
  • org.jasig.cas.client.validation.Saml11TicketValidationFilter
  • org.jasig.cas.client.util.HttpServletRequestWrapperFilter

  • Add init-param to HttpServletRequestWrapperFilter :

    <param-name>roleAttribute</param-name>
    <param-value>USER_ROLE</param-value>
    

• Server Mods

  On deployerConfigContext.xml add :

  <bean id="multiRowJdbcPersonAttributeDao" class="org.jasig.services.persondir.support.jdbc.MultiRowJdbcPersonAttributeDao">
     <constructor-arg index="0" ref="dataSource" />
     <constructor-arg index="1" value="select LOGINNAME, 'USER_ROLE' as attr_name, ROLENAME FROM VW_USER_ROLES WHERE {0}" />
     <property name="nameValueColumnMappings">
         <map>
            <entry key="attr_name" value="ROLENAME" />
         </map>
     </property>
     <property name="queryAttributeMapping">
         <map>
           <entry key="username" value="LOGINNAME" />
        </map>
     </property>
  </bean>
  
   
  ...
   
  <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  	<property name="credentialsToPrincipalResolvers">
  		<list>
  			<bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" >
  				<property name="attributeRepository" ref="multiRowJdbcPersonAttributeDao"/>
  			</bean>
  ...

• Runtime changes
  • in Services Management i.e. /cas/services/ Edit service to 'Ignore Attribute Management via this Tool'
    
    
    

  If you are using InMemoryServiceRegistryDaoImpl as serviceRegistryDao (default config), a way to avoid to edit services at each restart of cas-server is to add a property to the corresponding service in deployerConfigContext.xml :

  <bean class="org.jasig.cas.services.RegisteredServiceImpl">
  ...
    <property name="allowedAttributes">
      <list>
          <value>USER_ROLE</value>
      </list>
   </property>
  ...