[cas-dev] Chained Attribute Repositories
Marvin S. Addison
serac at vt.edu
Wed Oct 29 11:43:03 EDT 2008
There does not appear to be a feature in CAS 3.3 that allows chaining
of attribute repositories. It would be very beneficial to allow
CredentialsToPrincipalResolver instances to consult a number of
IPersonAttributeDao instances for attributes about the authenticated
principal:
<bean class="CredentialsToLDAPAttributePrincipalResolver">
  <property name="credentialsToPrincipalResolver">
    <bean class="X509CertificateCredentialsToIdentifierPrincipalResolver">
      <property name="identifier" value="$UID" />
    </bean>
  </property>
  <property name="filter" value="(uid=%u)" />
  <!-- The attribute used to define the new Principal ID -->
  <property name="principalAttributeName" value="uupid" />
  <property name="searchBase" value="ou=People,dc=vt,dc=edu" />
  <property name="contextSource" ref="edAuthContextSource" />
  <property name="attributeRepositories">
    <list>
      <ref bean="primaryLdapRepository" />
      <ref bean="secondaryLdapRepository" />
    </list>
  </property>
</bean>
I realize that for CredentialsToLDAPAttributePrincipalResolver it may
only make sense to consult LDAP repositories, but the true power of
chained attribute sources lies in arbitrary data sources (e.g. RDBMS,
statically-configured). The Shib Java IDP supports this feature, and
I can say from experience that it's powerful.
Please speak up if you think this feature would be beneficial. We may
have a requirement to support multiple attribute sources, and would be
willing to contribute our solution if there's interest.
Thanks,
Marvin
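
An added example, not part of the original message and not CAS or Person Directory code, of the chaining behaviour the message asks for: sources are consulted in list order, multi-valued attributes are merged without duplicates, and a source failure either aborts resolution or is skipped. `AttributeSource`, `ChainedAttributeSource` and the `failClosed` flag are hypothetical names, the sample attribute values are constructed, and Java 10 or later is assumed.

```java
import java.util.*;

/** Hypothetical stand-in for an attribute source; not the Person Directory IPersonAttributeDao API. */
interface AttributeSource {
    Map<String, List<Object>> attributesFor(String principalId) throws Exception;
}

/** Consults each source in list order and merges multi-valued attributes without duplicates. */
final class ChainedAttributeSource implements AttributeSource {
    private final List<AttributeSource> chain;
    private final boolean failClosed; // true: a source error aborts resolution instead of returning partial attributes

    ChainedAttributeSource(List<AttributeSource> chain, boolean failClosed) {
        this.chain = List.copyOf(chain);
        this.failClosed = failClosed;
    }

    @Override
    public Map<String, List<Object>> attributesFor(String principalId) {
        Map<String, LinkedHashSet<Object>> merged = new LinkedHashMap<>();
        for (AttributeSource source : chain) {
            Map<String, List<Object>> found;
            try {
                found = source.attributesFor(principalId);
            } catch (Exception e) {
                if (failClosed) throw new IllegalStateException("attribute source unavailable", e);
                continue; // skip the failed source; the result may then lack attributes
            }
            if (found == null) continue; // this source has no record for the principal
            found.forEach((name, values) ->
                merged.computeIfAbsent(name, k -> new LinkedHashSet<>()).addAll(values));
        }
        Map<String, List<Object>> result = new LinkedHashMap<>();
        merged.forEach((name, values) -> result.put(name, List.copyOf(values)));
        return result;
    }
}

public class ChainDemo {
    public static void main(String[] args) {
        // Constructed sample data standing in for the two LDAP repositories in the configuration
        AttributeSource primary = id -> Map.of("uupid", List.of("jdoe"), "affiliation", List.of("staff"));
        AttributeSource secondary = id -> Map.of("affiliation", List.of("staff", "alumni"));
        ChainedAttributeSource chained = new ChainedAttributeSource(List.of(primary, secondary), true);
        System.out.println(chained.attributesFor("jdoe"));
    }
}
```

When downstream services make authorization decisions from released attributes, the fail-closed setting keeps a repository outage from silently producing a principal with a partial attribute set.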