Attribute Value Filters
While each policy defines what principal attributes may be allowed for a given service, there are optional attribute filters that can be set per policy to further weed out attributes based on their values.
-
Attribute filters can be chained together so as to associate multiple filters with a single service definition.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
{ "@class" : "org.apereo.cas.services.CasRegisteredService", "serviceId" : "sample", "name" : "sample", "id" : 200, "description" : "sample", "attributeReleasePolicy" : { "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy", "attributeFilter" : { "@class" : "org.apereo.cas.services.support.RegisteredServiceChainingAttributeFilter", "filters": [ "java.util.ArrayList", [ { "@class" : "org.apereo.cas.services.support.RegisteredServiceRegexAttributeFilter", "pattern" : "^\\w{3}$", "order": 10 }, { "@class" : "..." } ] ] }, "allowedAttributes" : [ "java.util.ArrayList", [ "uid", "groupMembership" ] ] } }
Chained attribute filters are sorted given their
orderproperty first before execution. -
The regex filter that is responsible to make sure only attributes whose value matches a certain regex pattern are released.
Suppose that the following attributes are resolved:
Name Value uidjsmith groupMembershipstd cnJohnSmith The following configuration for instance considers the initial list of
uid,groupMembershipand then only allows and releases attributes whose value’s length is 3 characters. Therefore, out of the above list, onlygroupMembershipis released to the application.1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
{ "@class" : "org.apereo.cas.services.CasRegisteredService", "serviceId" : "sample", "name" : "sample", "id" : 200, "description" : "sample", "attributeReleasePolicy" : { "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy", "attributeFilter" : { "@class" : "org.apereo.cas.services.support.RegisteredServiceRegexAttributeFilter", "pattern" : "^\\w{3}$" }, "allowedAttributes" : [ "java.util.ArrayList", [ "uid", "groupMembership" ] ] } }
-
The regex filter that is responsible to make sure only a selected set of attributes whose value matches a certain regex pattern are released. The filter selectively applies patterns to attributes mapped in the configuration. If an attribute is mapped, it is only allowed to be released if it matches the linked pattern. If an attribute is not mapped, it may optionally be excluded from the released set of attributes.
For example, the below example only allows release of
memberOfif it contains a value that is 3 characters in length. If no values are found, thememberOfis excluded from the final released bundle.1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
{ "@class" : "org.apereo.cas.services.CasRegisteredService", "serviceId" : "sample", "name" : "sample", "id" : 200, "description" : "sample", "attributeReleasePolicy" : { "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy", "attributeFilter" : { "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter", "patterns": { "@class" : "java.util.TreeMap", "memberOf": "^\\w{3}$" }, "excludeUnmappedAttributes": false, "completeMatch": false, "caseInsensitive": true, "order": 0 }, "allowedAttributes" : [ "java.util.ArrayList", [ "uid", "memberOf" ] ] } }
The following fields are supported by this filter:
Name Description patternsA map of attributes and their associated pattern tried against value(s). completeMatchIndicates whether pattern-matching should execute over the entire value region. excludeUnmappedAttributesIndicates whether unmapped attributes should be removed from the final bundle. caseInsensitiveIndicates whether pattern matching should be done in a case-insensitive manner. -
Identical to the Mapped Regex filter, except that the filter only allows a selected set of attributes whose value does not match a certain regex pattern are released.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
{ "@class" : "org.apereo.cas.services.CasRegisteredService", "serviceId" : "sample", "name" : "sample", "id" : 200, "description" : "sample", "attributeReleasePolicy" : { "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy", "attributeFilter" : { "@class": "org.apereo.cas.services.support.RegisteredServiceReverseMappedRegexAttributeFilter", "patterns": { "@class" : "java.util.TreeMap", "memberOf": "^\\w{3}$" }, "excludeUnmappedAttributes": false, "completeMatch": false, "caseInsensitive": true, "order": 0 }, "allowedAttributes" : [ "java.util.ArrayList", [ "uid", "memberOf" ] ] } }
-
This filter structurally, in terms of settings and properties, is identical to the Mapped Regex filter. Its main ability is to filter attribute values by a collection of patterns and then supplant the value dynamically based on the results of the regex match.
For example, the following definition attempts to filter all values assigned to the attribute
memberOfbased on the given patterns. Each pattern is linked via->to the expected return value that may reference specific groups in the produced regex result. Assuming the attributememberOfhas values ofmath101andmarathon101, the filter will produce valuescourseA-athon101andcourseB-h101after processing.1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
{ "@class" : "org.apereo.cas.services.CasRegisteredService", "serviceId" : "sample", "name" : "sample", "id" : 200, "description" : "sample", "attributeReleasePolicy" : { "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy", "attributeFilter" : { "@class": "org.apereo.cas.services.support.RegisteredServiceMutantRegexAttributeFilter", "patterns": { "@class" : "java.util.TreeMap", "memberOf": [ "java.util.ArrayList", [ "^mar(.+)(101) -> courseA-$1$2", "^mat(.+)(101) -> courseB-$1$2" ] ] }, "excludeUnmappedAttributes": false, "completeMatch": false, "caseInsensitive": true, "order": 0 }, "allowedAttributes" : [ "java.util.ArrayList", [ "uid", "memberOf" ] ] } }
-
Attribute value filtering may also be carried out using an inline or external Groovy script. Scripts have access to the current resolved attributes via
attributesand alogger. The returned result of the script must be aMap<String, Object>.Inlined Groovy
An inline groovy filter allows you to embed the script directly in the service definition.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
{ "@class" : "org.apereo.cas.services.CasRegisteredService", "serviceId" : "sample", "name" : "sample", "id" : 200, "description" : "sample", "attributeReleasePolicy" : { "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy", "attributeFilter" : { "@class" : "org.apereo.cas.services.support.RegisteredServiceScriptedAttributeFilter", "script" : "groovy { return attributes }" }, "allowedAttributes" : [ "java.util.ArrayList", [ "uid", "groupMembership" ] ] } }
To prepare CAS to support and integrate with Apache Groovy, please review this guide.
External Groovy
An external groovy filter allows you to define the script in file located outside of the CAS web application.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
{ "@class" : "org.apereo.cas.services.CasRegisteredService", "serviceId" : "sample", "name" : "sample", "id" : 200, "description" : "sample", "attributeReleasePolicy" : { "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy", "attributeFilter" : { "@class" : "org.apereo.cas.services.support.RegisteredServiceScriptedAttributeFilter", "script" : "file:/etc/cas/filter-this.groovy" }, "allowedAttributes" : [ "java.util.ArrayList", [ "uid", "groupMembership" ] ] } }
The outline of the script may be as follows:
1 2 3 4 5 6 7 8
import java.util.* def run(final Object... args) { def (attributes,logger) = args logger.info "Attributes currently resolved: ${attributes}" def map = ... return map }
The parameters passed are as follows:
Parameter Description attributesA Mapof current attributes resolved from sources.loggerThe object responsible for issuing log messages such as logger.info(...).To prepare CAS to support and integrate with Apache Groovy, please review this guide.