Principal resolution converts information in the authentication credential into a security principal that commonly contains additional metadata attributes (i.e. user details such as affiliations, group membership, email, display name).

A CAS principal contains a unique identifier by which the authenticated user will be known to all requesting services. A principal also contains optional attributes that may be released to services to support authorization and personalization. Principal resolution is a requisite part of the authentication process that happens after credential authentication.

CAS AuthenticationHandler components provide simple principal resolution machinery by default. For example, the LdapAuthenticationHandler component supports fetching attributes and setting the principal ID attribute from an LDAP query. In all cases principals are resolved from the same store as that which provides authentication.

In many cases it is necessary to perform authentication by one means and resolve principals by another. The PrincipalResolver component provides this functionality. A common use case for this this mix-and-match strategy arises with X.509 authentication. It is common to store certificates in an LDAP directory and query the directory to resolve the principal ID and attributes from directory attributes. The X509CertificateAuthenticationHandler may be be combined with an LDAP-based principal resolver to accommodate this case.


CAS uses the Person Directory library to provide a flexible principal resolution services against a number of data sources. The key to configuring PersonDirectoryPrincipalResolver is the definition of an IPersonAttributeDao object.

To see the relevant list of CAS properties, please review this guide.

PrincipalResolver vs. AuthenticationHandler

The principal resolution machinery provided by AuthenticationHandler components should be used in preference to PrincipalResolver in any situation where the former provides adequate functionality. If the principal that is resolved by the authentication handler suffices, then a null value may be passed in place of the resolver bean id in the final map.