Attribute Release Policy - Pattern Matching

This policy allows the release of defined allowed attributes only if the attribute value(s) matches the given regular expression pattern. If the attribute value is matched successfully, the policy is then able to apply transformation rules on the value to extract and collect the matched groups to then assemble the final attribute value.

For example, consider an authenticated principal with a memberOf attribute which contains values such as CN=g1,OU=example,DC=org, and CN=g2,OU=example,DC=org. The following policy applies the defined pattern and the transformation on each attribute value. The final result would be a memberOf attribute with values g1@example.org and g2@example.org.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "sample",
  "name" : "sample",
  "id" : 300,
  "attributeReleasePolicy" : {
    "@class": "org.apereo.cas.services.PatternMatchingAttributeReleasePolicy",
    "allowedAttributes": {
        "@class": "java.util.TreeMap",
        "memberOf": {
            "@class": "org.apereo.cas.services.PatternMatchingAttributeReleasePolicy$Rule",
            "pattern": "^CN=(\\w+),\\s*OU=(\\w+),\\s*DC=(\\w+)",
            "transform": "${1}@${2}/${3}"
        }
    }
  }
}

Matched pattern groups typically start at 1. If you need to refer to the entire matched region, use ${0}.