Class SurrogateLdapAuthenticationProperties

All Implemented Interfaces:
Serializable, CasFeatureModule

@RequiresModule(name="cas-server-support-surrogate-authentication-ldap") public class SurrogateLdapAuthenticationProperties extends AbstractLdapSearchProperties
Since:
5.1.0
  • Constructor Details

    • SurrogateLdapAuthenticationProperties

      public SurrogateLdapAuthenticationProperties()
  • Method Details

    • getSurrogateSearchFilter

      public String getSurrogateSearchFilter()
      LDAP search filter used to locate the surrogate account. The query is expected to determine whether the primary user is authorized to impersonate the given account. The primary user and the surrogate may be referenced in the search filter via the {user} and {surrogate} placeholders. If the query result yields a value that points to an LDAP entry, impersonation is authorized for the given accounts.

      An example might be:

      (&(uid={user})(xyzMemberOf=actAs:{surrogate}))
    • getMemberAttributeName

      public String getMemberAttributeName()
      Attribute that must be present on the admin user's LDAP entry and that tags the account as authorized for impersonation. All attribute values are then compared against the pattern you specify in getMemberAttributeValueRegex().
    • getMemberAttributeValueRegex

      public String getMemberAttributeValueRegex()
      A pattern that is matched against the attribute values of the admin user to further authorize the admin user and the accounts qualified for impersonation. The regular expression is expected to contain at least one group whose value, on a successful match, identifies the user that the admin is qualified to impersonate.
    • getSurrogateValidationFilter

      public String getSurrogateValidationFilter()
      An optional LDAP validation filter that looks up the surrogate/impersonatee account in LDAP once authorization has been granted via getSurrogateSearchFilter(). You can use this validation filter to ensure that the surrogate/impersonatee exists in LDAP. The filter may use the {surrogate} placeholder to locate the surrogate account.

      An example might be:

      (&(uid={surrogate})(authorized=TRUE))
    • setSurrogateSearchFilter

      public SurrogateLdapAuthenticationProperties setSurrogateSearchFilter(String surrogateSearchFilter)
      LDAP search filter used to locate the surrogate account. The query is expected to determine whether the primary user is authorized to impersonate the given account. The primary user and the surrogate may be referenced in the search filter via the {user} and {surrogate} placeholders. If the query result yields a value that points to an LDAP entry, impersonation is authorized for the given accounts.

      An example might be:

      (&(uid={user})(xyzMemberOf=actAs:{surrogate}))
      Returns:
      this.
    • setMemberAttributeName

      public SurrogateLdapAuthenticationProperties setMemberAttributeName(String memberAttributeName)
      Attribute that must be present on the admin user's LDAP entry and that tags the account as authorized for impersonation. All attribute values are then compared against the pattern you specify in getMemberAttributeValueRegex().
      Returns:
      this.
    • setMemberAttributeValueRegex

      public SurrogateLdapAuthenticationProperties setMemberAttributeValueRegex(String memberAttributeValueRegex)
      A pattern that is matched against the attribute values of the admin user to further authorize the admin user and the accounts qualified for impersonation. The regular expression is expected to contain at least one group whose value, on a successful match, identifies the user that the admin is qualified to impersonate.
      Returns:
      this.
    • setSurrogateValidationFilter

      public SurrogateLdapAuthenticationProperties setSurrogateValidationFilter(String surrogateValidationFilter)
      An optional LDAP validation filter that looks up the surrogate/impersonatee account in LDAP once authorization has been granted via getSurrogateSearchFilter(). You can use this validation filter to ensure that the surrogate/impersonatee exists in LDAP. The filter may use the {surrogate} placeholder to locate the surrogate account.

      An example might be:

      (&(uid={surrogate})(authorized=TRUE))
      Returns:
      this.
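
The following sketch is an added example, not CAS code. It shows how the {user} and {surrogate} placeholders of the search filter and the capture group of the member attribute regex are meant to work together. The class and method names, the sample values, the regex `actAs:(\w+)`, the RFC 4515 escaping of substituted values, and the use of a full match are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper class; not part of CAS.
public class SurrogateLdapSketch {
    private static final Pattern PLACEHOLDER = Pattern.compile("\\{(user|surrogate)\\}");

    // Escape filter metacharacters in a value (RFC 4515) so that a login name
    // cannot change the structure of the filter it is substituted into.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Replace both placeholders in one pass, so a substituted value is never re-scanned.
    static String buildFilter(String template, String user, String surrogate) {
        return PLACEHOLDER.matcher(template).replaceAll(m -> Matcher.quoteReplacement(
                escapeFilterValue("user".equals(m.group(1)) ? user : surrogate)));
    }

    // Return group 1 of every attribute value that matches the regex in full
    // (full match is an assumption of this sketch).
    static List<String> eligibleSurrogates(List<String> attributeValues, String regex) {
        Pattern pattern = Pattern.compile(regex);
        List<String> result = new ArrayList<>();
        for (String value : attributeValues) {
            Matcher m = pattern.matcher(value);
            if (m.matches()) {
                result.add(m.group(1));
            }
        }
        return result;
    }

    public static void main(String[] args) {
        String template = "(&(uid={user})(xyzMemberOf=actAs:{surrogate}))";
        System.out.println(buildFilter(template, "casadmin", "jsmith"));
        // Constructed value containing filter metacharacters, to show the escaping.
        System.out.println(buildFilter(template, "casadmin", "j*smith(test)"));
        // Constructed values of the member attribute on the admin user's entry.
        List<String> values = List.of("actAs:jsmith", "staff", "actAs:mjones");
        System.out.println(eligibleSurrogates(values, "actAs:(\\w+)"));
    }
}
```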