我正在尝试配置JASIG CAS 3.5服务器以通过SAML 1.1释放属性,如here所述。不幸的是,我所做的一切似乎都没有让它发布到我的测试应用程序中。
我首先使用默认配置(DeployerConfigContext.xml)中显示的StubPersonAttributeDao。我后来尝试设置JDBC版本并没有产生更好的结果。
<bean id="attributeRepository"
class="org.jasig.services.persondir.support.StubPersonAttributeDao">
<property name="backingMap">
<map>
<entry key="uid" value="uid" />
<entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
<entry key="groupMembership" value="groupMembership" />
</map>
</property>
</bean>
我确保我的测试应用程序被授权使用CAS并且允许属性。
<bean
id="serviceRegistryDao"
class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
<property name="registeredServices">
<list>
<!-- MIS Developers -->
<bean class="org.jasig.cas.services.RegexRegisteredService">
<property name="id" value="6" />
<property name="name" value="Grails run-app" />
<property name="description" value="JCC Developers can use this from any PC within the jccadmin domain." />
<property name="serviceId" value="http://.*.my.domain:8080/.*" />
<property name="evaluationOrder" value="6" />
<property name="allowedAttributes">
<list>
<value>uid</value>
<value>eduPersonAffiliation</value>
<value>groupMembership</value>
</list>
</property>
</bean>
</list>
</property>
</bean>
在CAS服务应用程序中查看属性时会突出显示这些属性。
为了了解我的属性是否真正有效,我使用Gradle和Jetty插件创建了一个CAS testing application,以便为JASIG网站上的sample code提供内容。我的应用程序向服务器进行身份验证,然后发出SAML 1.1请求以获取属性。
我已经确认它正在发出正确的SAML请求。
https://my.test.server/cas/samlValidate?TARGET=http%3A%2F%2Fmy.local.machine%3A8080%2Fcas_tester%2F
它从我的CAS服务器收到以下响应。
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
IssueInstant="2017-02-01T14:40:35.328Z"
MajorVersion="1"
MinorVersion="1"
Recipient="http://my.local.machine:8080/cas_tester/"
ResponseID="_a0df351b1081dafe599829f406be79f5">
<Status>
<StatusCode Value="samlp:Success">
</StatusCode>
</Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="_988118abbd06485ab7f1eb684639ce38"
IssueInstant="2017-02-01T14:40:35.328Z"
Issuer="localhost"
MajorVersion="1"
MinorVersion="1">
<Conditions NotBefore="2017-02-01T14:40:35.328Z"
NotOnOrAfter="2017-02-01T14:41:05.328Z">
<AudienceRestrictionCondition>
<Audience>http://my.local.machine:8080/cas_tester/</Audience>
</AudienceRestrictionCondition>
</Conditions>
<AuthenticationStatement AuthenticationInstant="2017-02-01T14:40:34.312Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
<Subject>
<NameIdentifier>coleew01</NameIdentifier>
<SubjectConfirmation>
<ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod>
</SubjectConfirmation>
</Subject>
</AuthenticationStatement>
</Assertion>
</Response>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
无论我做什么,它都不会在响应中显示任何属性。我做错了什么?
感谢您提供任何帮助。
答案 0 :(得分:0)
事实证明问题远离属性配置。在我的credentialsToPrincipalResolvers bean中,没有引用属性解析器。
<property name="credentialsToPrincipalResolvers">
<list>
<!--
| UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
| by default and produces SimplePrincipal instances conveying the username from the credentials.
|
| If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
| need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
| Credentials you are using.
+-->
<bean
class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
<!--
| HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of
| authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
| SimpleService identified by that callback URL.
|
| If you are representing services by something more or other than an HTTPS URL whereat they are able to
| receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
+-->
<bean
class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
</list>
</property>
我将attributeRepository的引用放入UsernamePasswordCredentialsToPrincipalResolver的bean中。
<bean
class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" >
<property name="attributeRepository">
<ref bean="attributeRepository"/>
</property>
</bean>
然后我的属性通过了。 Deo gratias!