Retrieve Principal Id in an ActionState

Retrieve Principal Id in an ActionState

by Daniel Almeida-3

Hi,

I'm writing an ActionState to add to the CAS Webflow, which has to check
after the user authenticates correctly if his password is expired, is
expiring (in less than 30 days), or if it's OK.

We're using 3 different authentication handlers:

- A username/password authentication handler that queries our Kerberos
- X.509 Authentication Handler
- SPNEGO Authentication Handler

And use LDAP to resolve the Principal from the credentials.

When a password is expiring or has expired, we want to redirect the user
to a password change web page, passing as parameters the Principal Id
and the original service URL, so we can warn the user that his password
is expiring or that it has expired, and maintain the context (the
service where the user was authenticating).

This is mandatory, regardless of the authentication handler/method used,
and we only give a TGT after this check and only if the password is OK
or expiring in < 30 days.

The problem is that we can't "get" the principal Id in the ActionState
we're writing, which looks like:


public final class ISTChangePasswordWebpageAction extends AbstractAction {

    private String istid;
    private String serviceURL;

    protected Event doExecute(RequestContext context) {
        try {
            final HttpServletResponse response = WebUtils.getHttpServletResponse(context);
            final WebApplicationService service = WebUtils.getService(context);

            istid = ? // principal id independent from Authentication Handler/method used

            response.sendRedirect("https://changepasswordURL?" + "url=" +
                    service.getId() + "&istid=" + istid);
        } catch (Exception e) {
            ...
        }
        return result("success");
    }
}

Is there any simple way to retrieve the Principal Id in an ActionState?

Does anyone have a better approach to this problem? Preferably with no
changes to the cas-core?

Thanks in advance,
Daniel Almeida

Centro de Informática do Instituto Superior Técnico, Portugal
http://www.ist.utl.pt/
_______________________________________________
cas-dev mailing list
cas-dev@...
http://tp.its.yale.edu/mailman/listinfo/cas-dev

Re: Retrieve Principal Id in an ActionState

by scott_battaglia

Daniel,

The system is designed so that you're not supposed to be able to obtain a principal id until after a service ticket is validated (there are ways around it such as accessing the TicketRegistry directly, but those aren't recommended).

If your password expiration/change password tool needs access to the principal, it should be CASified.  In theory you wouldn't want the change password application to do anything if it couldn't confirm the validity of the user anyway (i.e. passing principal as a parameter isn't really a good way of confirming the validity of the user).

However, it appears that this wouldn't work as you have specific requirements about TGTs and password expiration.  If your resolvers don't make any changes to the NetID provided you could still always retrieve the original username provided from the Servlet Request.  It's "unconfirmed" but if you're not using it for anything other than say pulling up a name then it shouldn't be a big deal.

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Wed, Jul 2, 2008 at 11:14 AM, Daniel Almeida <daniel.almeida@...> wrote:
Hi,

I'm writing an ActionState to add to the CAS Webflow, which has to check
after the user authenticates correctly if his password is expired, is
expiring (in less than 30 days), or if it's OK.

We're using 3 different authentication handlers:

- A username/password authentication handler that queries our Kerberos
- X.509 Authentication Handler
- SPNEGO Authentication Handler

And use LDAP to resolve the Principal from the credentials.

When a password is expiring or has expired, we want to redirect the user
to a password change web page, passing as parameters the Principal Id
and the original service URL, so we can warn the user that his password
is expiring or that it has expired, and maintain the context (the
service where the user was authenticating).

This is mandatory, regardless of the authentication handler/method used,
and we only give a TGT after this check and only if the password is OK
or expiring in < 30 days.

The problem is that we can't "get" the principal Id in the ActionState
we're writing, which looks like:


public final class ISTChangePasswordWebpageAction extends AbstractAction {

    private String istid;
    private String serviceURL;

    protected Event doExecute(RequestContext context) {
        try {
            final HttpServletResponse response = WebUtils.getHttpServletResponse(context);
            final WebApplicationService service = WebUtils.getService(context);

            istid = ? // principal id independent from Authentication Handler/method used

            response.sendRedirect("https://changepasswordURL?" + "url=" +
                    service.getId() + "&istid=" + istid);
        } catch (Exception e) {
            ...
        }
        return result("success");
    }
}

Is there any simple way to retrieve the Principal Id in an ActionState?

Does anyone have a better approach to this problem? Preferably with no
changes to the cas-core?

Thanks in advance,
Daniel Almeida

Centro de Informática do Instituto Superior Técnico, Portugal
http://www.ist.utl.pt/
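
An added example, not part of the original thread and not CAS code: the reply's suggestion of reusing the username submitted in the servlet request, forwarded only as an unconfirmed hint with both parameters URL-encoded. It assumes the value is read in the action with `WebUtils.getHttpServletRequest(context).getParameter("username")`; the class name, the `NETID` pattern and the sample inputs are hypothetical.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.regex.Pattern;

public final class ChangePasswordRedirect {

    // Placeholder target taken from the snippet in the question.
    private static final String CHANGE_PASSWORD_URL = "https://changepasswordURL";

    // Assumed NetID shape (hypothetical policy): short, no URL metacharacters.
    private static final Pattern NETID = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    /**
     * Builds the redirect target. submittedUsername is the raw login-form value
     * and is unconfirmed, so it is forwarded only as a display hint; the
     * receiving application must not treat it as proof of identity.
     */
    static String buildRedirect(String serviceUrl, String submittedUsername)
            throws UnsupportedEncodingException {
        StringBuilder url = new StringBuilder(CHANGE_PASSWORD_URL)
                .append("?url=").append(URLEncoder.encode(serviceUrl, "UTF-8"));
        // X.509 and SPNEGO logins submit no form username, so the value may be
        // null; anything outside the expected shape is dropped, not forwarded.
        if (submittedUsername != null) {
            String candidate = submittedUsername.trim();
            if (NETID.matcher(candidate).matches()) {
                url.append("&istid=").append(URLEncoder.encode(candidate, "UTF-8"));
            }
        }
        return url.toString();
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed sample inputs.
        String service = "https://app.example.org/login?next=/home&lang=pt";
        System.out.println(buildRedirect(service, "ist12345"));
        System.out.println(buildRedirect(service, null)); // certificate or SPNEGO login
        System.out.println(buildRedirect(service, "x&url=https://other.example")); // hint dropped
    }
}
```

Encoding the service URL keeps its own `&lang=pt` from being parsed as a separate parameter of the change-password page, which the plain string concatenation in the question would allow.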