AuthenticationHandler-to-PrincipalResolver AuthenticationManager

 

New CAS documentation site

CAS documentation has moved over to apereo.github.io/cas, starting with CAS version 4.x. The wiki will no longer be maintained. For the most recent version of the documentation, please refer to the aforementioned link.

This authentication manager ensures that all authentication handlers are tried; when a handler is tried and succeeds, the CredentialsToPrincipalResolver linked to that handler is used to resolve the principal.

Note: You may also specify and link a different attribute repository store for each resolver. CAS still expects an attributeRepository Spring bean to be defined (see cas-servlet.xml for more info), so if you wish to specify multiple repositories for each resolver, you should consider using the Person Directory API to merge all attribute stores into one.

Sample Configuration

The configuration below passes a constructed map to the authentication manager. This map specifies how authentication handlers and resolvers are linked to each other.

Authentication Manager
<bean id="authenticationManager" class="org.jasig.cas.authentication.LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager">
    <constructor-arg name="linkedHandlers" ref="authenticationHandlersAndPrincipalResolversMap" />
</bean>

The configuration of the map itself is given below:

  <util:map id="authenticationHandlersAndPrincipalResolversMap">
      <entry key-ref="httpBasedAuthenticationHandler">
          <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
      </entry>
      
      <entry key-ref="ldapBindAuthenticationHandler">
          <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" >
            <property name="attributeRepository" ref="bindLdapAttributeRepository"/>
          </bean>
      </entry>
      
      <entry key-ref="ldapFastBindAuthenticationHandler">
          <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" >
            <property name="attributeRepository" ref="fastBindLdapAttributeRepository"/>
          </bean>
      </entry>
  </util:map>

The above configuration uses two flavors of the LDAP authentication handler along with an instance of the HttpBased authentication handler. Each of the LDAP authentication handlers is linked to its own repository store for attribute retrieval (bindLdapAttributeRepository and fastBindLdapAttributeRepository). To learn how each attribute repository may be configured, please visit this page.

Merging Attribute Repository

Once all attribute repositories are configured, they may be merged together to form the global attributeRepository bean through the sample configuration below:

  <bean id="attributeRepository" class="org.jasig.services.persondir.support.MergingPersonAttributeDaoImpl">
    <property name="personAttributeDaos">
        <list>
            <ref bean="bindLdapAttributeRepository" />
            <ref bean="fastBindLdapAttributeRepository" />
        </list>
    </property>
  </bean>
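
A consistency check for the configuration above, as an added example that is not part of the original CAS documentation or code: it parses a Spring context and reports any handler in the linked map that has no resolver, and any resolver whose attributeRepository reference is missing from the merged attributeRepository bean. The audit function name, the single-file layout with beans as top-level elements, and the sample XML (constructed from the page's bean names, with one repository left out on purpose) are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans",
      "util": "http://www.springframework.org/schema/util"}
RESOLVER = "org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"

# Constructed sample: the page's beans, with fastBindLdapAttributeRepository
# deliberately left out of the merged attributeRepository.
SAMPLE = f"""<beans xmlns="{NS['b']}" xmlns:util="{NS['util']}">
  <util:map id="authenticationHandlersAndPrincipalResolversMap">
    <entry key-ref="ldapBindAuthenticationHandler">
      <bean class="{RESOLVER}">
        <property name="attributeRepository" ref="bindLdapAttributeRepository"/>
      </bean>
    </entry>
    <entry key-ref="ldapFastBindAuthenticationHandler">
      <bean class="{RESOLVER}">
        <property name="attributeRepository" ref="fastBindLdapAttributeRepository"/>
      </bean>
    </entry>
  </util:map>
  <bean id="attributeRepository"
        class="org.jasig.services.persondir.support.MergingPersonAttributeDaoImpl">
    <property name="personAttributeDaos"><list>
      <ref bean="bindLdapAttributeRepository"/>
    </list></property>
  </bean>
</beans>"""

def audit(xml_text, map_id="authenticationHandlersAndPrincipalResolversMap"):
    """Return findings for handler/resolver links and the merged repository."""
    root = ET.fromstring(xml_text)
    findings, linked = [], {}  # linked: handler -> repository its resolver uses
    for entry in root.findall(f"util:map[@id='{map_id}']/b:entry", NS):
        handler, resolver = entry.get("key-ref"), entry.find("b:bean", NS)
        if resolver is None:
            findings.append(f"{handler}: no resolver linked")
            continue
        prop = resolver.find("b:property[@name='attributeRepository']", NS)
        linked[handler] = prop.get("ref") if prop is not None else None
    merged_bean = root.find("b:bean[@id='attributeRepository']", NS)
    if merged_bean is None:
        return findings + ["attributeRepository bean is not defined"]
    merged = {r.get("bean") for r in merged_bean.findall(
        "b:property[@name='personAttributeDaos']/b:list/b:ref", NS)}
    for handler, repo in linked.items():
        if repo and repo not in merged:
            findings.append(f"{handler}: {repo} not merged into attributeRepository")
    return findings
```

Calling audit(SAMPLE) returns a single finding for ldapFastBindAuthenticationHandler; an empty list means every per-resolver repository is also part of the merged bean.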