Question
Using WSO2AM 2.1.0-update12:
- trying to get a token from an authorization code grant with role-based scope;
- using SAML to authenticate users (SAML returning the username only; we assume roles from the underlying AD userstore).
Complete stacktrace is available.
We have an exception:
DEBUG - Found Authorization Code for Client : kf2UGHFTyCzKUNgSMc65BZNCzooa, authorized user : FEDERATED/xxxxxxx@carbon.super, scope : test001_backend
Caused by: java.lang.NullPointerException
at org.wso2.carbon.user.core.common.UserRolesCache.isCaseSensitiveUsername(UserRolesCache.java:213)
at org.wso2.carbon.user.core.common.UserRolesCache.getRolesListOfUser(UserRolesCache.java:128)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleListOfUserFromCache(AbstractUserStoreManager.java:3641)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleListOfUser(AbstractUserStoreManager.java:2730)
... 67 more
The thing is, in the WSO2AM base version 2.1.0 the authorization is working; the upgrade is needed to support application sharing between groups.
Any hint?
Edit:
The change is: the user returned through SAML is assigned the domain FEDERATED (so the full domain username is FEDERATED/username, which is not recognized by the userstore); using base version 2.1.0 works (I am not sure if the FEDERATED domain is set, but the user roles and scopes are validated properly).
Answer 1:
As a resolution, we have overridden the method getRoleListOfUser on the userstore manager, stripping the realm (FEDERATED) from the username.
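The following is an added Python model of the username handling behind this fix; it is not WSO2 code and does not use the WSO2 user-store API. It assumes a username format of DOMAIN/user@tenant (as in the log line FEDERATED/xxxxxxx@carbon.super), a constructed set of configured store domains, and a constructed directory of roles, and shows both the failing lookup (no store matches the FEDERATED domain) and the workaround (strip FEDERATED, keep the tenant suffix) before querying roles.

```python
# Constructed configuration: user-store domains actually registered in the realm.
# FEDERATED is the virtual domain given to SAML-asserted users and is not among them.
CONFIGURED_DOMAINS = {"PRIMARY", "AD"}
FEDERATED_DOMAIN = "FEDERATED"

def split_username(full_name):
    """Split 'DOMAIN/user@tenant' into (domain, user, tenant); missing parts are None."""
    domain, sep, rest = full_name.partition("/")
    if not sep:
        domain, rest = None, full_name
    if "@" in rest:
        user, tenant = rest.rsplit("@", 1)
    else:
        user, tenant = rest, None
    return domain, user, tenant

def resolve_store(full_name):
    """Model of the store lookup: the configured domain for the user, or None if unknown."""
    domain, _, _ = split_username(full_name)
    if domain is None:
        return "PRIMARY"
    return domain if domain in CONFIGURED_DOMAINS else None

def strip_federated_domain(full_name):
    """The workaround from the answer: drop the FEDERATED prefix, keep any tenant suffix."""
    domain, user, tenant = split_username(full_name)
    if domain == FEDERATED_DOMAIN:
        domain = None
    local = user if domain is None else f"{domain}/{user}"
    return local if tenant is None else f"{local}@{tenant}"

def role_list_of_user(full_name, directory, strip_federated=True):
    """Roles for a user: with strip_federated=False this reproduces the failure mode
    (no store for the FEDERATED domain), with True it normalizes first and succeeds."""
    name = strip_federated_domain(full_name) if strip_federated else full_name
    if resolve_store(name) is None:
        raise LookupError(f"no user store for the domain in {name!r}")
    return directory.get(name, [])

def has_scope_role(full_name, directory, scope_role):
    """Role-based scope check: is the role bound to the scope among the user's roles?"""
    return scope_role in role_list_of_user(full_name, directory)

# Constructed sample: what the underlying AD store knows about the user.
DIRECTORY = {"alice@carbon.super": ["Internal/subscriber", "test001_backend"]}
```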
Source: https://stackoverflow.com/questions/50951244/wso2am2-1-0-update12-scope-roles-for-federated-users