Hopefully these notes will evolve into a more formal tutorial.
This example assumes user roles are stored in a database like so:
mysql> select * from VW_USER_ROLES; +----+-----------+---------------+ | ID | LOGINNAME | ROLENAME | +----+-----------+---------------+ | 1 | me | DEBUG | | 1 | me | Super User | +----+-----------+---------------+
Currently only works with SAML 1.1
- Client Mods
dependencies
<dependency> <groupId>org.apache.santuario</groupId> <artifactId>xmlsec</artifactId> <version>1.4.5</version> </dependency> <dependency> <groupId>org.opensaml</groupId> <artifactId>opensaml</artifactId> <version>1.1b</version> </dependency>
- org.jasig.cas.client.authentication.Saml11AuthenticationFilter
- org.jasig.cas.client.validation.Saml11TicketValidationFilter
- org.jasig.cas.client.util.HttpServletRequestWrapperFilter
Add init-param to HttpServletRequestWrapperFilter :
<param-name>roleAttribute</param-name> <param-value>USER_ROLE</param-value>
Server Mods
On deployerConfigContext.xml add :
<bean id="multiRowJdbcPersonAttributeDao" class="org.jasig.services.persondir.support.jdbc.MultiRowJdbcPersonAttributeDao"> <constructor-arg index="0" ref="dataSource" /> <constructor-arg index="1" value="select LOGINNAME, 'USER_ROLE' as attr_name, ROLENAME FROM VW_USER_ROLES WHERE {0}" /> <property name="nameValueColumnMappings"> <map> <entry key="attr_name" value="ROLENAME" /> </map> </property> <property name="queryAttributeMapping"> <map> <entry key="username" value="LOGINNAME" /> </map> </property> </bean> ... <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl"> <property name="credentialsToPrincipalResolvers"> <list> <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" > <property name="attributeRepository" ref="multiRowJdbcPersonAttributeDao"/> </bean> ...
- Runtime changes
- in Services Management i.e. /cas/services/ Edit service to 'Ignore Attribute Management via this Tool'
If you are using InMemoryServiceRegistryDaoImpl as serviceRegistryDao (default config), a way to avoid to edit services at each restart of cas-server is to add a property to the corresponding service in deployerConfigContext.xml :
<bean class="org.jasig.cas.services.RegisteredServiceImpl"> ... <property name="allowedAttributes"> <list> <value>USER_ROLE</value> </list> </property> ...
- in Services Management i.e. /cas/services/ Edit service to 'Ignore Attribute Management via this Tool'