[cas-dev] Retrieve Principal Id in an ActionState
Scott Battaglia
scott.battaglia at gmail.com
Wed Jul 2 11:24:24 EDT 2008
Daniel,
The system is designed so that you're not supposed to be able to obtain a
principal id until after a service ticket is validated (there are ways
around it such as accessing the TicketRegistry directly, but those aren't
recommended).
If your password expiration/change password tool needs access to the
principal, it should be CASified. In theory you wouldn't want the change
password application to do anything if it couldn't confirm the validity of
the user anyway (i.e. passing principal as a parameter isn't really a good
way of confirming the validity of the user).
However, it appears that this wouldn't work as you have specific
requirements about TGTs and password expiration. If your resolvers don't
make any changes to the NetID provided, you could still always retrieve the
original username provided from the Servlet Request. It's "unconfirmed", but
if you're not using it for anything other than, say, pulling up a name, then it
shouldn't be a big deal.
-Scott
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
On Wed, Jul 2, 2008 at 11:14 AM, Daniel Almeida <daniel.almeida at ist.utl.pt>
wrote:
> Hi,
>
> I'm writing an ActionState to add to the CAS Webflow, which has to check
> after the user authenticates correctly if his password is expired, is
> expiring (in less than 30 days), or if it's OK.
>
> We're using 3 different authentication handlers:
>
> - A username/password authentication handler that queries our Kerberos
> - X.509 Authentication Handler
> - SPNEGO Authentication Handler
>
> And use LDAP to resolve the Principal from the credentials.
>
> When a password is expiring or has expired, we want to redirect the user
> to a password change web page, passing as parameters the Principal Id
> and the original service URL, so we can warn the user that his password
> is expiring or that it has expired, and maintain the context (the
> service where the user was authenticating).
>
> This is mandatory, regardless of the authentication handler/method used,
> and we only give a TGT after this check and only if the password is OK
> or expiring in < 30 days.
>
> The problem is that we can't "get" the principal Id in the ActionState
> we're writing, that looks like:
>
>
> public final class ISTChangePasswordWebpageAction extends AbstractAction {
>
>     private String istid;
>     private String serviceURL;
>
>     protected Event doExecute(RequestContext context) {
>         try {
>             final HttpServletResponse response =
>                 WebUtils.getHttpServletResponse(context);
>             final WebApplicationService service =
>                 WebUtils.getService(context);
>
>             istid = ? // principal id independent from Authentication Handler/method used
>
>             response.sendRedirect("https://changepasswordURL?" + "url=" +
>                 service.getId() + "&istid=" + istid);
>
>         } catch (Exception e) {
>             ...
>         }
>         return result("success");
>     }
> }
>
> Is there any simple way to retrieve the Principal Id in an ActionState?
>
> Does anyone have a better approach to this problem? Preferably with no
> changes to the cas-core?
>
> Thanks in advance,
> Daniel Almeida
>
> Centro de Informática do Instituto Superior Técnico, Portugal
> http://www.ist.utl.pt/
>
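To make Scott's suggestion concrete, here is an added example (not code from the thread or from the CAS project) of an ActionState that reads the username straight from the servlet request, treats it as unconfirmed input, and URL-encodes it before redirecting. It assumes the CAS login form submits the field as "username" and uses a placeholder change-password URL; the class name is invented.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jasig.cas.authentication.principal.WebApplicationService;
import org.jasig.cas.web.support.WebUtils;
import org.springframework.webflow.action.AbstractAction;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

/**
 * Example only: reads the username the user typed into the login form from
 * the HttpServletRequest, as suggested in the reply above. The form field
 * name and the change-password URL are assumptions, not values from CAS.
 */
public final class UnconfirmedUsernameRedirectAction extends AbstractAction {

    private static final String USERNAME_PARAM = "username";  // assumed login form field
    private static final String CHANGE_PASSWORD_URL = "https://changepassword.example/"; // placeholder

    protected Event doExecute(final RequestContext context) throws Exception {
        final HttpServletRequest request = WebUtils.getHttpServletRequest(context);
        final HttpServletResponse response = WebUtils.getHttpServletResponse(context);
        final WebApplicationService service = WebUtils.getService(context);

        // Only the username/password handler submits this field; the X.509 and
        // SPNEGO flows carry no form, so there is nothing to read for them.
        final String istid = request.getParameter(USERNAME_PARAM);
        if (istid == null || istid.trim().length() == 0) {
            return error();
        }

        // The value is user-supplied and unvalidated: use it for display only,
        // never as a proof of identity, and URL-encode both values so a crafted
        // input cannot smuggle extra query parameters into the redirect.
        final String target = CHANGE_PASSWORD_URL
            + "?url=" + encode(service == null ? "" : service.getId())
            + "&istid=" + encode(istid);
        response.sendRedirect(target);
        return success();
    }

    private static String encode(final String value) throws UnsupportedEncodingException {
        return URLEncoder.encode(value, "UTF-8");
    }
}
```

The change-password application should still confirm the user itself (for instance by being CASified) before acting on the istid it receives.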