diff --git a/uw-spring-security-core/src/main/java/edu/wisc/uwss/preauth/PreauthenticatedUserDetailsAttributeMapper.java b/uw-spring-security-core/src/main/java/edu/wisc/uwss/preauth/PreauthenticatedUserDetailsAttributeMapper.java
index d638e04075da426a5537d972219d220f7eb9ed8b..20bf725c149d3445327b18559c6a28c2c90a775e 100644
--- a/uw-spring-security-core/src/main/java/edu/wisc/uwss/preauth/PreauthenticatedUserDetailsAttributeMapper.java
+++ b/uw-spring-security-core/src/main/java/edu/wisc/uwss/preauth/PreauthenticatedUserDetailsAttributeMapper.java
@@ -60,6 +60,7 @@ public interface PreauthenticatedUserDetailsAttributeMapper {
     private String identityProviderHeader = "Shib-Identity-Provider";
     private String customLogoutPrefix = "/Shibboleth.sso/Logout?return=";
     private String customLogoutSuffix = "/logout/";
+    private String manifestHeader = "ismemberof";
     
     private static final Logger logger = LoggerFactory.getLogger(Default.class);
     /**
@@ -87,7 +88,12 @@ public interface PreauthenticatedUserDetailsAttributeMapper {
         uddsMembership = Collections.list(uddsHeaders);
       }
       String email = request.getHeader(emailAddressHeader);
-      UWUserDetailsImpl result = new UWUserDetailsImpl(pvi, uid, "", cn, email, uddsMembership);
+      Collection<String> manifestGroups = new ArrayList<>();
+      Enumeration<String> manifestHeaders = request.getHeaders(manifestHeader);
+      if(manifestHeaders != null) {
+        manifestGroups = Collections.list(manifestHeaders);
+      }
+      UWUserDetailsImpl result = UWUserDetailsImpl.newInstance(pvi, uid, "", cn, email, uddsMembership, manifestGroups);
       result.setSource("edu.wisc.uwss.preauth");
       result.setEppn(eppn);
       result.setIsisEmplid(emplid);
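Review bot: The values of the `manifestHeader` request header are passed unfiltered into `UWUserDetailsImpl.newInstance(...)`, and the accompanying test shows they surface through `getAuthorities()`. Group membership is therefore only as trustworthy as the guarantee that the pre-authentication front end sets or clears this header on every request. That assumption should be stated next to the read, e.g. `// manifest groups become authorities: the SP/proxy must strip any client-supplied copy of this header`. If the front end delivers a multi-valued attribute as one delimited header value (to be confirmed for this deployment), `Collections.list(manifestHeaders)` yields a single combined string rather than one group per entry. `mapUser` starts and ends outside this hunk.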
@@ -280,5 +286,18 @@ public interface PreauthenticatedUserDetailsAttributeMapper {
     public void setLastNameHeader(String lastNameHeader) {
       this.lastNameHeader = lastNameHeader;
     }
+    /**
+     * @return the manifestHeader
+     */
+    public String getManifestHeader() {
+      return manifestHeader;
+    }
+    /**
+     * @param manifestHeader the manifestHeader to set
+     */
+    @Value("${preauth.manifestHeader:ismemberof}")
+    public void setManifestHeader(String manifestHeader) {
+      this.manifestHeader = manifestHeader;
+    }
   }
 }
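Review bot: The Javadoc on `getManifestHeader` and `setManifestHeader` only restates the field name and does not say that this header's values are mapped to the user's authorities, which an operator overriding `preauth.manifestHeader` needs to know. Suggested wording for the setter: `@param manifestHeader name of the request header whose values become the user's manifest groups; it must be a header the pre-authentication front end controls`. The default `ismemberof` is also written twice, once in the field initializer and once in the `@Value` placeholder, so the two can drift apart.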
diff --git a/uw-spring-security-core/src/test/java/edu/wisc/uwss/preauth/PreauthenticatedUserDetailsAttributeMapperTest.java b/uw-spring-security-core/src/test/java/edu/wisc/uwss/preauth/PreauthenticatedUserDetailsAttributeMapperTest.java
index 92b4b0d4ca80c85dd562739d70f4b2ae9572a8c0..e387848a7ebe07e448d0de40e5c927576a65993e 100644
--- a/uw-spring-security-core/src/test/java/edu/wisc/uwss/preauth/PreauthenticatedUserDetailsAttributeMapperTest.java
+++ b/uw-spring-security-core/src/test/java/edu/wisc/uwss/preauth/PreauthenticatedUserDetailsAttributeMapperTest.java
@@ -6,6 +6,7 @@ package edu.wisc.uwss.preauth;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
 
 import java.net.URL;
 import java.util.Collections;
@@ -41,6 +42,7 @@ public class PreauthenticatedUserDetailsAttributeMapperTest {
     String email = "some.body@wisc.edu";
     String emplid = "0000123456";
     List<String> uddsMembership = Collections.singletonList("udds1234");
+    List<String> manifestGroups = Collections.singletonList("uw:domain:something");
     
     request.addHeader("eppn", eppn);
     request.addHeader("wiscedupvi", pvi);
@@ -50,6 +52,7 @@ public class PreauthenticatedUserDetailsAttributeMapperTest {
     request.addHeader("wisceduudds", uddsMembership);
     request.addHeader("wisceduisisemplid", emplid);
     request.addHeader("Shib-Identity-Provider", "https://logintest.wisc.edu/idp/shibboleth");
+    request.addHeader("ismemberof",manifestGroups);
     
     UWUserDetails result = filter.mapUser(request);
     
@@ -62,6 +65,8 @@ public class PreauthenticatedUserDetailsAttributeMapperTest {
     assertEquals(uddsMembership, result.getUddsMembership()); 
     assertEquals(emplid, result.getIsisEmplid());
     assertEquals("/Shibboleth.sso/Logout?return=https://logintest.wisc.edu/logout/", result.getCustomLogoutUrl());
+    assertEquals(1,result.getAuthorities().size());
+    assertEquals(manifestGroups.toString(),result.getAuthorities().toString());
   }
   
   /**
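Review bot: `assertEquals(manifestGroups.toString(),result.getAuthorities().toString())` compares string renderings, so it depends on the `toString()` of whichever collection and authority type `UWUserDetailsImpl` uses rather than on the authority value itself. Comparing the value directly is sturdier, e.g. `assertEquals("uw:domain:something", result.getAuthorities().iterator().next().getAuthority());`, assuming the elements are Spring Security `GrantedAuthority` instances. Only a single group is covered; a case with two or more header values would pin down how multiple memberships are mapped. The test method starts outside this hunk.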
diff --git a/uw-spring-security-core/src/test/java/edu/wisc/uwss/preauth/UWUserDetailsAuthenticationFilterTest.java b/uw-spring-security-core/src/test/java/edu/wisc/uwss/preauth/UWUserDetailsAuthenticationFilterTest.java
index 2ab93b5ec7d2eb614ee8cdf842f3d2b39c2ab0d5..edce2a8062b045b9a0cfea86ed7c4ff12b2a4435 100644
--- a/uw-spring-security-core/src/test/java/edu/wisc/uwss/preauth/UWUserDetailsAuthenticationFilterTest.java
+++ b/uw-spring-security-core/src/test/java/edu/wisc/uwss/preauth/UWUserDetailsAuthenticationFilterTest.java
@@ -63,7 +63,24 @@ public class UWUserDetailsAuthenticationFilterTest {
 		assertEquals("Bucky Badger", userDetails.getFullName());
 		assertTrue(userDetails.getUddsMembership().isEmpty());
 	}
-	/**
+  /**
+   * Verify behavior for {@link UWUserDetailsAuthenticationFilter#getPreAuthenticatedPrincipal(HttpServletRequest)}
+   * when no "manifest" header is present, which is commonly true unless an the application is designed
+   * specifically to consume a manifest group.
+   */
+  @Test
+  public void getPreAuthenticatedPrincipal_no_manifestgroups() {
+    UWUserDetailsAuthenticationFilter filter = new UWUserDetailsAuthenticationFilter();
+    HttpServletRequest request = mock(HttpServletRequest.class);
+
+    when(request.getHeader("uid")).thenReturn("bbadger");
+    when(request.getHeader("cn")).thenReturn("Bucky Badger");
+    UWUserDetails userDetails = filter.getPreAuthenticatedPrincipal(request);
+    assertEquals("bbadger", userDetails.getUsername());
+    assertEquals("Bucky Badger", userDetails.getFullName());
+    assertTrue(userDetails.getAuthorities().isEmpty());
+  }
+  /**
 	 * Verify behavior for {@link UWUserDetailsAuthenticationFilter#getPreAuthenticatedPrincipal(HttpServletRequest)} when
 	 * no "uid" header is present. This would represent a scenario where our pre-authentication (shib) environment isn't correctly
 	 * configured; we want to make sure attempts to login would fail and not accidentially leak people in.
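Review bot: The new test `getPreAuthenticatedPrincipal_no_manifestgroups` is indented with spaces while the surrounding file uses tabs. The `/**` opener of the following Javadoc was re-indented along with it, leaving that comment with a space-indented first line and tab-indented remaining lines. In the new Javadoc, "unless an the application" should read "unless the application". The request is an unstubbed mock, so `getHeaders` presumably returns null here; a second case with an empty `Enumeration` would cover what a real container is likely to return when the header is absent.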