Apereo CAS - Custom Login Fields w/ Dynamic Bindings

Posted by Misagh Moayyed on February 25, 2019 · 4 mins read ·
This blog post was originally posted on Apereo GitHub Blog.

Despite what you may have heard, I am here to put a stop to all rumors and clarify definitively that this blog post has nothing to do with Taylor Swift. Instead, this post deals with a pretty simple CAS use case, which is:

How does one include additional fields into the login form and get access to field data in a custom CAS authentication handler?

Sounds quite legitimate. Let’s start with the simpler answer, which is that any CAS authentication handler can always directly tap into the HttpServletRequest object to query and fetch parameters passed by the login form and other views. One could do this in Spring Framework speech using something like:

...
HttpServletRequest request = ((ServletRequestAttributes)
  RequestContextHolder.currentRequestAttributes()).getRequest();
Object parameter = request.getParameter("whatever");
...

If this feels a bit uncomfortable, let’s dig deeper to see how CAS might accommodate this use case in more official ways.

Our starting position is based on:

Overview

CAS presents the ability to augment the login form to include additional custom fields. These fields are taught to CAS using settings that describe modest behavior and tweaks for each and are then processed by the Spring Webflow engine to be bound to the object model that is ultimately in charge of handling and managing user input.

Example

So imagine that in addition to the usual username and password fields you also wanted to ask the user for their phone as a mandatory field. To do this, you’d teach CAS about the new phone field:

cas.view.customLoginFormFields.phone.messageBundleKey=customLoginFormField.phone
cas.view.customLoginFormFields.phone.required=true

The CAS message/language bundle, typically custom_messages.properties file, should also contain the text for the new field:

customLoginFormField.phone=Telephone
customFields[phone].required=Telephone number must be specified.

If you build and bring up CAS, you might see something like this:

image

…and if you attempt to submit the form without the phone field:

image

Authentication Handling

Next, let’s say you have registered the following authentication handler with CAS:

public class MyAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler {
    ...
    protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(
        final UsernamePasswordCredential credential, final String originalPassword) {
        ...
    }
    ...
}

To receive and process the new phone field in your custom authentication handler, you would do something like:

protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(
    final UsernamePasswordCredential credential, final String originalPassword) {
    Object phone = credential.getCustomFields().get("phone");
    ...
}

Finale

I hope this review was of some help to you and I am sure that both this post as well as the functionality it attempts to explain can be improved in any number of ways. Please feel free to engage and contribute as best as you can.

Misagh Moayyed