WORKERS AHEAD!
You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. You are most encouraged to test the changes presented.
Service Access Strategy - Grouper
The grouper access strategy is enabled by including the following dependency in the WAR overlay:
```xml
<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-grouper-core</artifactId>
  <version>${cas.version}</version>
</dependency>
```
```groovy
implementation "org.apereo.cas:cas-server-support-grouper-core:${project.'cas.version'}"
```
```groovy
dependencyManagement {
  imports {
    mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"
  }
}
dependencies {
  implementation "org.apereo.cas:cas-server-support-grouper-core"
}
```
```groovy
dependencies {
  /*
  The following platform references should be included automatically and are listed here for reference only.
  implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
  implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
  */
  implementation "org.apereo.cas:cas-server-support-grouper-core"
}
```
This access strategy attempts to locate Grouper groups for the CAS principal. The groups returned by Grouper are collected as CAS attributes and examined against the list of required attributes for service access.
The following properties are available:
Field | Description | Values
---|---|---
groupField | Attribute of the Grouper group to use when converting the group to a CAS attribute. | NAME, EXTENSION, DISPLAY_NAME, DISPLAY_EXTENSION
You will also need to ensure grouper.client.properties is available on the classpath (i.e. src/main/resources) with the following configured properties:

```properties
grouperClient.webService.url = http://grouper.example.com/grouper-ws/servicesRest
grouperClient.webService.login = banderson
grouperClient.webService.password = password
```
Grouper access strategy based on group’s display extension:
```json
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^https://.+",
  "name" : "test",
  "id" : 1,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.grouper.services.GrouperRegisteredServiceAccessStrategy",
    "requireAllAttributes" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "grouperAttributes" : [ "java.util.HashSet", [ "faculty" ] ]
    },
    "groupField" : "DISPLAY_EXTENSION"
  }
}
```
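The access decision described above (groups collected under one CAS attribute according to groupField, then compared with requiredAttributes) can be modelled outside CAS. The following is an added Python illustration, not CAS's own implementation: the GrouperGroup shape and the two sample groups are constructed, the service JSON is the registration shown above, and the requireAllAttributes semantics (all required attributes must match when true, any one match suffices when false) are an assumption stated in the code.

```python
import json
from dataclasses import dataclass

# Shape of a group as the Grouper web service returns it (constructed for this
# example); the field names mirror the groupField values from the table above.
@dataclass(frozen=True)
class GrouperGroup:
    name: str               # full path, e.g. "edu:college:faculty"
    extension: str          # last path element, e.g. "faculty"
    display_name: str
    display_extension: str

FIELD_GETTERS = {"NAME": lambda g: g.name, "EXTENSION": lambda g: g.extension,
                 "DISPLAY_NAME": lambda g: g.display_name,
                 "DISPLAY_EXTENSION": lambda g: g.display_extension}

def unwrap_typed(value):
    # Strip Jackson type markers: "@class" keys and ["java.util.HashSet", [...]] wrappers.
    if isinstance(value, dict):
        return {k: unwrap_typed(v) for k, v in value.items() if k != "@class"}
    if (isinstance(value, list) and len(value) == 2 and isinstance(value[0], str)
            and value[0].startswith("java.util.")):
        return unwrap_typed(value[1])
    return value

def groups_to_attributes(groups, group_field):
    # Collect the chosen field of every group under the single "grouperAttributes" attribute.
    getter = FIELD_GETTERS[group_field]          # KeyError for an unsupported groupField
    return {"grouperAttributes": {getter(g) for g in groups}}

def is_access_allowed(service_json, groups):
    # Evaluate the service's accessStrategy against the principal's Grouper groups.
    strategy = unwrap_typed(json.loads(service_json))["accessStrategy"]
    required = strategy.get("requiredAttributes", {})
    if not required:
        return True                               # nothing required: allow
    attrs = groups_to_attributes(groups, strategy.get("groupField", "NAME"))
    matched = [bool(attrs.get(n, set()) & set(v)) for n, v in required.items()]
    # Assumed semantics: requireAllAttributes=true needs every required attribute
    # to match, false is satisfied by any one match (treated as true when absent).
    return all(matched) if strategy.get("requireAllAttributes", True) else any(matched)

# The registration from this page (same accessStrategy) and two constructed groups.
SERVICE_JSON = """{"@class": "org.apereo.cas.services.CasRegisteredService",
 "serviceId": "^https://.+", "name": "test", "id": 1, "accessStrategy": {
 "@class": "org.apereo.cas.grouper.services.GrouperRegisteredServiceAccessStrategy",
 "requireAllAttributes": true, "requiredAttributes": {"@class": "java.util.HashMap",
 "grouperAttributes": ["java.util.HashSet", ["faculty"]]}, "groupField": "DISPLAY_EXTENSION"}}"""
SAMPLE_GROUPS = [GrouperGroup("edu:college:faculty", "faculty", "Edu:College:Faculty", "faculty"),
                 GrouperGroup("edu:it:cas-admins", "cas-admins", "Edu:IT:CAS Admins", "CAS Admins")]
```

Note that with groupField set to EXTENSION the same principal would be matched on "faculty" as well, while NAME would require the full "edu:college:faculty" path in requiredAttributes.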
While the grouper.client.properties file is a hard requirement and must be present, configuration properties can always be assigned to the strategy to override the defaults:

```json
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^https://.+",
  "name" : "test",
  "id" : 1,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.grouper.services.GrouperRegisteredServiceAccessStrategy",
    "configProperties" : {
      "@class" : "java.util.HashMap",
      "grouperClient.webService.url" : "http://grouper.example.com/grouper-ws/servicesRest"
    },
    "groupField" : "DISPLAY_EXTENSION"
  }
}
```
You may also consider externalizing the Grouper client configuration file by modifying /src/main/resources/grouper.client.properties to contain the following:

```properties
grouperClient.config.hierarchy = classpath:/grouper.client.base.properties,file:/etc/cas/config/grouper.client.properties
```

…where /etc/cas/config/grouper.client.properties would then contain the actual Grouper related settings.
Troubleshooting
To enable additional logging, configure the log4j configuration file to add the following levels:
```xml
...
<Logger name="edu.internet2.middleware" level="debug" additivity="false">
  <AppenderRef ref="casConsole"/>
  <AppenderRef ref="casFile"/>
</Logger>
...
```