I am adding the following from the cas.log file; maybe someone can help me
understand what is missing in the default attribute release policy and why
Person Directory is not triggered:
2020-11-18 16:59:43,750 DEBUG
[org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Configured
multi-row JDBC attribute repository for [jdbc:oracle:thin:@//...]>
2020-11-18 16:59:43,757 DEBUG [com.zaxxer.hikari.HikariConfig] - <Driver
class oracle.jdbc.OracleDriver found in Thread context class loader
org.springframework.boot.loader.LaunchedURLClassLoader@1b604f19>
2020-11-18 16:59:43,760 DEBUG
[org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Configured
multi-row JDBC column mappings for [jdbc:oracle:thin:@//...] are
[{attribute_name=attribute_value}]>
2020-11-18 16:59:43,765 DEBUG
[org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Configured
result attribute mapping for [jdbc:oracle:thin:@//...] to be
[{inherited_group=inherited_group, role=role, userstatus=userstatus,
user_name=username, work_phone=work_phone, last_name=last_name,
active=active, middle_name=middle_name, user_id=user_id,
accessMetadata=accessMetadata, organization_id=organization_id,
phone_extension=phone_extension, first_name=first_name,
crm_user_id=crm_user_id, email=email, group=group}]>
2020-11-18 16:59:43,775 TRACE
[org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Final list of
attribute repositories is
[[org.apereo.services.persondir.support.jdbc.MultiRowJdbcPersonAttributeDao@53e7cc08]]>
2020-11-18 16:59:43,781 TRACE
[org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Attribute
repository sources are defined and available for person-directory principal
resolution chain. >
....
2020-11-18 16:59:43,971 WARN
[org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Attribute
repository caching is disabled>
2020-11-18 16:59:43,975 TRACE
[org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Configured
merging strategy for attribute sources is [multivalued]>
2020-11-18 16:59:43,979 DEBUG
[org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Configured
attribute repository sources to merge together: [[AMS]]>
2020-11-18 17:02:12,382 DEBUG
[org.apereo.cas.DefaultCentralAuthenticationService] - <Attribute policy
[ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
principalAttributesRepository=DefaultPrincipalAttributesRepository(),
consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true,
excludedAttributes=null, includeOnlyAttributes=null, order=0),
authorizedToReleaseCredentialPassword=false,
authorizedToReleaseProxyGrantingTicket=false,
excludeDefaultAttributes=false,
authorizedToReleaseAuthenticationAttributes=true,
principalIdAttribute=null, order=0), allowedAttributes=[])] is associated
with service [AbstractRegisteredService(serviceId=http*://.*, name=HTTP,
theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=0,
description=HTTP,
expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null),
acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true,
messageCode=null, text=null),
proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1,
proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null,
serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null,
evaluationOrder=0,
usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2,
logoutType=BACK_CHANNEL, environments=[],
attributeReleasePolicy=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
principalAttributesRepository=DefaultPrincipalAttributesRepository(),
consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true,
excludedAttributes=null, includeOnlyAttributes=null, order=0),
authorizedToReleaseCredentialPassword=false,
authorizedToReleaseProxyGrantingTicket=false,
excludeDefaultAttributes=false,
authorizedToReleaseAuthenticationAttributes=true,
principalIdAttribute=null, order=0), allowedAttributes=[]),
multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
failureMode=UNDEFINED, principalAttributeNameTrigger=null,
principalAttributeValueToMatch=null, bypassEnabled=false,
forceExecution=false, bypassTrustedDeviceEnabled=false,
bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null,
script=null), logo=null, logoutUrl=null, redirectUrl=null,
accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0,
enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null,
delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[],
permitUndefined=true, exclusive=false), requireAllAttributes=true,
requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false),
publicKey=null,
authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[],
criteria=null), properties={}, contacts=[])]>
2020-11-18 17:02:12,383 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Initiating attributes release phase for principal [pnitat] accessing
service
[AbstractWebApplicationService(id=http://localhost:8080/ui-dev-guide/j_spring_cas_security_check,
originalUrl=http://localhost:8080/ui-dev-guide/j_spring_cas_security_check,
artifactId=null, principal=pnitat, source=service, loggedOutAlready=false,
format=XML, attributes={})] defined by registered service [http*://.*]...>
2020-11-18 17:02:12,383 TRACE
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Locating principal attributes for [pnitat]>
2020-11-18 17:02:12,383 TRACE
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Loading global principal attribute repository with caching policies...>
2020-11-18 17:02:12,383 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Using principal attribute repository
[DefaultPrincipalAttributesRepository()] to retrieve attributes>
2020-11-18 17:02:12,384 DEBUG
[org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository]
- <Using [pnitat], no caching takes place for
[DefaultPrincipalAttributesRepository] to add attributes.>
2020-11-18 17:02:12,385 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Found principal attributes [{}] for [pnitat]>
2020-11-18 17:02:12,385 TRACE
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Located application context. Retrieving attribute definition store and
attribute definitions...>
2020-11-18 17:02:12,386 TRACE
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<No attribute definitions are defined in the attribute definition store>
2020-11-18 17:02:12,386 TRACE
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Resolved principal attributes [{}] for [pnitat] from attribute definition
store>
2020-11-18 17:02:12,387 TRACE
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Calling attribute policy [ReturnAllowedAttributeReleasePolicy] to process
attributes for [pnitat]>
2020-11-18 17:02:12,388 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Attribute policy [ReturnAllowedAttributeReleasePolicy] allows release of
[{}] for [pnitat]>
2020-11-18 17:02:12,388 TRACE
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Attempting to merge policy attributes and default attributes>
2020-11-18 17:02:12,388 TRACE
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Checking default attribute policy attributes>
2020-11-18 17:02:12,388 TRACE
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Located application context. Retrieving default attributes for release, if
any>
2020-11-18 17:02:12,389 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Default attributes for release are: [[inherited_group, role, userstatus,
work_phone, last_name, active, middle_name, user_id, accessMetadata,
organization_id, phone_extension, crm_user_id, first_name, email, username,
group]]>
2020-11-18 17:02:12,389 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Default attributes found to be released are [{}]>
2020-11-18 17:02:12,390 TRACE
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Adding policy attributes to the released set of attributes>
2020-11-18 17:02:12,390 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Finalizing attributes release phase for principal [pnitat] accessing
service
[AbstractWebApplicationService(id=http://localhost:8080/ui-dev-guide/j_spring_cas_security_check,
originalUrl=http://localhost:8080/ui-dev-guide/j_spring_cas_security_check,
artifactId=null, principal=pnitat, source=service, loggedOutAlready=false,
format=XML, attributes={})] defined by registered service [http*://.*]...>
2020-11-18 17:02:12,390 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Final collection of attributes allowed are: [{}]>
2020-11-18 17:02:12,390 DEBUG
[org.apereo.cas.DefaultCentralAuthenticationService] - <Calculated
attributes for release per the release policy are [[]]>
Thanks,
Paul
On Wednesday, November 18, 2020 at 2:48:31 PM UTC-5 P N wrote:
> Hi Ray,
>
> I found a way to release attributes by adding the following to the JSON
> service definition:
>
> "attributeReleasePolicy" : {
> "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
> "principalAttributesRepository" : {
> "@class" :
> "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
> "attributeRepositoryIds": ["java.util.HashSet", [ "AMS" ]]
> }
> }
> and disabling the global attribute release:
> cas.personDirectory.attributeResolutionEnabled=false
>
>
>
> However, I am still not clear why the default bundle is not working when
> it is stated in the documentation that it should be working for all services.
>
> Thanks,
> Paul
> On Tuesday, November 17, 2020 at 10:40:09 AM UTC-5 Ray Bon wrote:
>
>> Paul,
>>
>> There are per service settings that can be applied and a default bundle
>> that can be set,
>> https://apereo.github.io/cas/6.2.x/integration/Attribute-Release-Policies.html
>>
>> You can set some attributes to be searched on authentication and others
>> can be extracted afterwards,
>> https://apereo.github.io/cas/6.2.x/integration/Attribute-Resolution.html
>>
>> You can also set hibernate to display what it is sending and receiving to
>> be sure its queries are what you expect,
>> https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#hibernate--jdbc
>> .
>>
>> If you are getting to the attribute release lines, your cas config names
>> must be correct.
>>
>> Ray
>>
>> On Tue, 2020-11-17 at 07:04 -0800, P N wrote:
>>
>> Notice: This message was sent from outside the University of Victoria
>> email system. Please be cautious with links and sensitive information.
>>
>> Hi Ray,
>>
>> I changed the attribute names and still the same result. As suggested, I set
>> logging to debug and configuration and didn't find any message about
>> 'unbound attribute'.
>>
>> I believe there is an issue related to the attribute release policies,
>> based on the following log message:
>> 2020-11-17 09:54:39,962 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> <Attribute policy [ReturnAllowedAttributeReleasePolicy] allows release of
>> [{}] for [pnitat]>
>>
>> even though there are default attributes for release:
>> 2020-11-17 09:54:39,962 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> <Default attributes for release are: [[inherited_group, role, userstatus,
>> work_phone, last_name, active, middle_name, user_id, accessMetadata,
>> organization_id, phone_extension, crm_user_id, first_name, email, username,
>> group]]>
>>
>> Is there a different setting to change the attribute release policy so
>> all attributes defined in the list are released?
>>
>> Thanks,
>> Paul
>> On Monday, November 16, 2020 at 6:26:49 PM UTC-5 Ray Bon wrote:
>>
>> Paul,
>>
>> Unfortunately the docs have not been updated.
>> The reference is here on line 186,
>> https://github.com/apereo/cas/blob/6.2.x/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/core/authentication/AuthenticationProperties.java
>>
>> Set your logging to debug. You should see something about an 'unbound
>> attribute' or 'could not bind attribute' with the name of the attribute. I
>> am sure there are more changes than just that one.
>>
>> It was a long time since we upgraded and I did not remember that I must
>> have searched the code base for the attribute names.
>>
>> Ray
>>
>> On Mon, 2020-11-16 at 14:40 -0800, P N wrote:
>>
>> Hi Ray,
>>
>> I am actually using the notation prescribed in CAS 6.2.x documentation -
>> see
>> https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#jdbc-1 :
>>
>> # cas.authn.attribute-repository.jdbc[0].attributes.uid=uid
>> # cas.authn.attribute-repository.jdbc[0].attributes.display-name=displayName
>> ...
>>
>> However, even changing the configuration as suggested to the old notation
>> from CAS 5 - cas.authn.attributeRepository.jdbc[0] ... , I am getting the same
>> results, i.e. no attributes released.
>>
>> Thanks,
>> Paul
>> On Monday, November 16, 2020 at 4:59:59 PM UTC-5 Ray Bon wrote:
>>
>> Paul,
>>
>> You will have to check all your attribute names, they often change
>> between versions.
>> cas.authn.attribute-repository.jdbc
>> is now
>> cas.authn.attributeRepository.jdbc
>>
>> Ray
>>
>> On Mon, 2020-11-16 at 13:20 -0800, P N wrote:
>>
>> Hi,
>>
>> I am in the process of migrating from CAS 5.3.15 to CAS 2.1 and in CAS 6 I
>> am using the same configuration properties as in CAS 5 for the principal
>> attribute release from an external JDBC repository using default Person
>> Directory to all services by default:
>>
>>
>> cas.authn.attribute-repository.default-attributes-to-release=username,role,group,inherited_group,user_id,crm_user_id,organization_id,first_name,middle_name,last_name,email,work_phone,phone_extension,active,userstatus,accessMetadata
>> cas.authn.attribute-repository.jdbc[0].singleRow=false
>> cas.authn.attribute-repository.jdbc[0].sql= ...
>> cas.authn.attribute-repository.jdbc[0].username=user_name
>>
>> cas.authn.attribute-repository.jdbc[0].columnMappings.attribute_name=attribute_value
>>
>> cas.authn.attribute-repository.jdbc[0].attributes.user_name=username
>> cas.authn.attribute-repository.jdbc[0].attributes.role=role
>> cas.authn.attribute-repository.jdbc[0].attributes.group=group
>>
>> cas.authn.attribute-repository.jdbc[0].attributes.inherited_group=inherited_group
>> cas.authn.attribute-repository.jdbc[0].attributes.user_id=user_id
>> cas.authn.attribute-repository.jdbc[0].attributes.crm_user_id=crm_user_id
>>
>> cas.authn.attribute-repository.jdbc[0].attributes.organization_id=organization_id
>> cas.authn.attribute-repository.jdbc[0].attributes.first_name=first_name
>> cas.authn.attribute-repository.jdbc[0].attributes.middle_name=middle_name
>> cas.authn.attribute-repository.jdbc[0].attributes.last_name=last_name
>> cas.authn.attribute-repository.jdbc[0].attributes.email=email
>> cas.authn.attribute-repository.jdbc[0].attributes.work_phone=work_phone
>>
>> cas.authn.attribute-repository.jdbc[0].attributes.phone_extension=phone_extension
>> cas.authn.attribute-repository.jdbc[0].attributes.active=active
>> cas.authn.attribute-repository.jdbc[0].attributes.userstatus=userstatus
>>
>> cas.authn.attribute-repository.jdbc[0].attributes.accessMetadata=accessMetadata
>>
>> cas.authn.attribute-repository.jdbc[0].id=AMS
>> cas.authn.attribute-repository.jdbc[0].failFastTimeout=1
>> cas.authn.attribute-repository.jdbc[0].healthQuery=select 1 from dual
>> cas.authn.attribute-repository.jdbc[0].isolateInternalQueries=false
>> cas.authn.attribute-repository.jdbc[0].leakThreshold=10
>> cas.authn.attribute-repository.jdbc[0].batchSize=1
>> cas.authn.attribute-repository.jdbc[0].defaultSchema=cihiweb
>> cas.authn.attribute-repository.jdbc[0].ddlAuto=none
>>
>> cas.authn.attribute-repository.jdbc[0].autocommit=false
>> cas.authn.attribute-repository.jdbc[0].idleTimeout=5000
>>
>>
>> cas.authn.attribute-repository.jdbc[0].properties.propertyName=propertyValue
>> cas.authn.attribute-repository.jdbc[0].pool.suspension=false
>> cas.authn.attribute-repository.jdbc[0].pool.minSize=6
>> cas.authn.attribute-repository.jdbc[0].pool.maxSize=18
>> cas.authn.attribute-repository.jdbc[0].pool.maxWait=2000
>> cas.authn.attribute-repository.jdbc[0].pool.timeoutMillis=1000
>>
>> cas.authn.attribute-repository.expirationTime=0
>> cas.authn.attribute-repository.merger=multivalued
>> cas.personDirectory.attributeResolutionEnabled=true
>> cas.personDirectory.activeAttributeRepositoryIds=AMS
>>
>> However, none of the attributes are released in the service validation:
>>
>> 2020-11-16 16:15:41,642 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> <Initiating attributes release phase for principal [pnitat] accessing
>> service [AbstractWebApplicationService(id=
>> http://localhost:8080/ui-dev-guide/j_spring_cas_security_check,
>> originalUrl=
>> http://localhost:8080/ui-dev-guide/j_spring_cas_security_check,
>> artifactId=null, principal=pnitat, source=service, loggedOutAlready=false,
>> format=XML, attributes={})] defined by registered service [http*://.*]...>
>> 2020-11-16 16:15:41,643 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> <Using principal attribute repository
>> [DefaultPrincipalAttributesRepository()] to retrieve attributes>
>> 2020-11-16 16:15:41,644 DEBUG
>> [org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository]
>>
>> - <Using [pnitat], no caching takes place for
>> [DefaultPrincipalAttributesRepository] to add attributes.>
>> 2020-11-16 16:15:41,644 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> <Found principal attributes [{}] for [pnitat]>
>> 2020-11-16 16:15:41,646 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> <Attribute policy [ReturnAllowedAttributeReleasePolicy] allows release of
>> [{}] for [pnitat]>
>> 2020-11-16 16:15:41,646 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> <Default attributes for release are: [[inherited_group, role, userstatus,
>> work_phone, last_name, active, middle_name, user_id, accessMetadata,
>> organization_id, phone_extension, crm_user_id, first_name, email, username,
>> group]]>
>> 2020-11-16 16:15:41,646 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> <Default attributes found to be released are [{}]>
>> 2020-11-16 16:15:41,647 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> <Finalizing attributes release phase for principal [pnitat] accessing
>> service [AbstractWebApplicationService(id=
>> http://localhost:8080/ui-dev-guide/j_spring_cas_security_check,
>> originalUrl=
>> http://localhost:8080/ui-dev-guide/j_spring_cas_security_check,
>> artifactId=null, principal=pnitat, source=service, loggedOutAlready=false,
>> format=XML, attributes={})] defined by registered service [http*://.*]...>
>> 2020-11-16 16:15:41,647 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> <Final collection of attributes allowed are: [{}]>
>>
>> Am I missing any configuration properties, or has anything changed in
>> version 6 from 5 regarding the default attributes release?
>>
>> Thanks,
>> Paul
>>
>> --
>>
>>
>> Ray Bon
>> Programmer Analyst
>> Development Services, University Systems
>> 2507218831 <(250)%20721-8831> | CLE 019 | [email protected]
>>
>> I respectfully acknowledge that my place of work is located within the
>> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
>> WSÁNEĆ Nations.
>>
>
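Added example (not part of the original thread and not CAS project code): a small Python script that undoes the mail wrapping and `>` quoting of the cas.log excerpts above and reports the first stage of the attribute release phase at which the attribute map is already `{}`. The sample lines are constructed in the layout shown in the thread, and the function names are this example's own.

```python
import re

# Constructed sample: wrapped records in the layout of the cas.log excerpts
# quoted in this thread (attribute list shortened).
SAMPLE_LOG = """\
2020-11-18 17:02:12,385 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Found principal attributes [{}] for [pnitat]>
2020-11-18 17:02:12,389 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Default attributes for release are: [[role, email,
group]]>
2020-11-18 17:02:12,389 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Default attributes found to be released are [{}]>
2020-11-18 17:02:12,390 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Final collection of attributes allowed are: [{}]>
"""

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")  # record start
QUOTE = re.compile(r"^(?:>\s?)+")                                 # mail quoting
STAGES = [  # (stage name, pattern capturing the attribute map), in log order
    ("principal", re.compile(r"Found principal attributes \[(\{.*\})\] for \[")),
    ("policy", re.compile(r"allows release of \[(\{.*\})\] for \[")),
    ("defaults", re.compile(r"Default attributes found to be released are \[(\{.*\})\]")),
    ("final", re.compile(r"Final collection of attributes allowed are: \[(\{.*\})\]")),
]
REQUESTED = re.compile(r"Default attributes for release are: \[\[(.*?)\]\]")


def join_records(text):
    """Undo wrapping: one string per log record, quote markers stripped."""
    records = []
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if not line:
            continue
        if TS.match(line) or not records:
            records.append(line)          # a timestamp opens a new record
        else:
            records[-1] += " " + line     # continuation of a wrapped record
    return records


def trace_release(text):
    """Map each stage to its logged attribute map (last occurrence wins)."""
    trace = {}
    for rec in join_records(text):
        m = REQUESTED.search(rec)
        if m:
            trace["requested"] = [n.strip() for n in m.group(1).split(",")]
        for name, pat in STAGES:
            m = pat.search(rec)
            if m:
                trace[name] = m.group(1)
    return trace


def first_empty_stage(trace):
    """Earliest stage whose attribute map is '{}', or None if none is empty."""
    return next((n for n, _ in STAGES if trace.get(n) == "{}"), None)


if __name__ == "__main__":
    t = trace_release(SAMPLE_LOG)
    print("requested defaults:", t.get("requested"))
    print("first empty stage:", first_empty_stage(t))
```

On the excerpts in this thread the first empty stage is `principal`: the log shows `Found principal attributes [{}]` before `ReturnAllowedAttributeReleasePolicy` is called.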