wsfederation中的CAS属性未转发到CAS客户端

Question

我正在为使用CAS对ADFS进行身份验证的Tomcat Web应用程序实现身份验证系统。我正在使用unicon的CAS server with ADFS integration。

我已经到达了可以看到所需属性到达CAS服务器的状态。但是这些属性不会转发给客户端。检查下图：

在上图中，身份验证后属性映射为空。此外，当客户端应用程序验证票证时，属性映射为空。参考图片如下：

经过身份验证后，属性在日志中可见，但它们未加载到属性Map中。

deployerConfigContext.xml如下所示。 serviceRegistryDao bean中的attributeRepository bean和allowed attributes属性可能是主要关注区域。

<?xml version="1.0" encoding="UTF-8"?>


<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
       http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <bean id="authenticationManager"
        class="org.jasig.cas.authentication.AuthenticationManagerImpl">

        <property name="authenticationMetaDataPopulators">
           <list>
              <bean class="net.unicon.cas.support.wsfederation.authentication.WsFederationAuthenticationMetaDataPopulator" />
           </list>
        </property>
        <property name="credentialsToPrincipalResolvers">
            <list>
            <bean class="net.unicon.cas.support.wsfederation.authentication.principal.WsFederationCredentialsToPrincipalResolver">
                <property name="configuration" ref="wsFedConfig" />
            </bean>
            <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" >
                <property name="attributeRepository" ref="attributeRepository" />
            </bean>
            <bean       class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
            </list>         
        </property>

        <property name="authenticationHandlers">
            <list>
            <bean class="net.unicon.cas.support.wsfederation.authentication.handler.support.WsFederationAuthenticationHandler" />
            <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
                p:httpClient-ref="httpClient" />
            </list>
        </property>
    </bean>

    <sec:user-service id="userDetailsService">
        <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />
    </sec:user-service>

    <bean id="attributeRepository"
        class="org.jasig.services.persondir.support.StubPersonAttributeDao">
        <property name="backingMap">
            <map>
                <entry key="emailaddress" value="upn" />
                <!--<entry key="FirstName" value="username" />-->
                <entry key="name" value="LastName" />
                <entry key="costcent" value="costcent" />
                <entry key="title" value="FirstName" />
            </map>
        </property>
    </bean>

    <bean
        id="serviceRegistryDao"
        class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
            <property name="registeredServices">
                <list>
                    <bean class="org.jasig.cas.services.RegexRegisteredService">
                        <property name="id" value="0" />
                        <property name="name" value="HTTP and IMAP" />
                        <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
                        <property name="serviceId" value="^(https?|imaps?)://.*" />
                        <property name="evaluationOrder" value="10000001" />
                        <property name="allowedAttributes">
                        <list>
            <value>upn</value>
            <value>Department</value>
            <value>costcent</value>
            <value>LastName</value>
            <value>FirstName</value>
            <value>name</value>
            <value>emailaddress</value>
            <value>title</value>
            <value>SAM-Account-Name</value>

                        </list>
                    </property>
                    </bean>

                </list>
            </property>
        </bean>

  <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />

  <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor">
    <property name="monitors">
      <list>
        <bean class="org.jasig.cas.monitor.MemoryMonitor"
            p:freeMemoryWarnThreshold="10" />
        <bean class="org.jasig.cas.monitor.SessionMonitor"
            p:ticketRegistry-ref="ticketRegistry"
            p:serviceTicketCountWarnThreshold="5000"
            p:sessionCountWarnThreshold="100000" />
      </list>
    </property>
  </bean>
</beans>

at CAS服务器的其余部分与unicon CAS服务器实现的示例实现相同here

我在提到的bean中尝试了很多组合。作为Spring的新手，我无法理解如何在attributeMap中加载凭据。请指导我将身份验证期间CAS服务器发送的属性转发给客户端应用程序。

Answer 1

看起来WsFederationCredentialsToPrincipalResolver仅从收到的属性集合中提取主体ID，并忽略其他属性。因此，您只能获得配置中定义的identity属性。您可以暂时将该解析器连接到您的属性存储库，并让它从那里使用和检索属性。

请注意，CAS 4.2支持并修复了此行为，并且内置了对ADFS集成的支持。您的另一个选择是扩展WsFederationCredentialsToPrincipalResolver并让它处理属性并通过覆盖适当的方法将它们填充到在那里创建的最终主体中。