All,
I am setting up a CAS instance for 300 000 users, and a first
perimeter of 150 applications.
In this context, I use the identity forwarding facility provided by
CAS (Proxy Ticket) to build personalized/authenticated web service
aggregation in a corporate portal.

I'm also experiencing some issues with the current CasProcessingFilter
implementation:
A key feature of the CAS architecture is to enable authentication and
service in a single HTTP request, i.e. without redirection (which is
mandatory from a web service perspective).
This is usually done by triggering the authentication workflow when
the three following events occur simultaneously:
- The request needs authentication
- This request is not authenticated
- A ticket parameter is found in the request
This is basically how BASIC authentication proceeds :).

The problem with the current implementation is that you can only
specify one filterProcessesUrl, and thus it does not allow filtering on
specific services.

I see 3 solutions:
- Add a dynamic wildcard processing facility to the
AbstractProcessingFilter.requiresAuthentication method
(may have side effects, not my favorite one)
- Re-implement a CasProcessingFilter using the BasicProcessingFilter model
(simple, fast, love this one)
- Redesign the whole CAS adapter hierarchy, without the
ServiceProperties, as Brian suggested.

I may handle 2) and maybe 1) before the end of the week if
you are interested.

What is your feeling about this?
MAG




On 3/16/06, Baz <[EMAIL PROTECTED]> wrote:
> On 3/16/06, Baz <[EMAIL PROTECTED]> wrote:
> > Looking at this, and the way that the 'Filter' classes aren't really
> > (the lifecycle methods aren't used, and they're all marked 'do not use
> > directly') shouldn't all of these implement something like:
>
> must...think...before...hitting...send....
>
> ok clearly there are classes in there that don't want to implement
> both doFilter() and commence(), like the RememberMe stuff. The
> questions in the second half of my blather should really be:
> - why not have CasProcessingFilter implement AuthenticationEntryPoint
> and drop ServiceProperties? They can't be used separately.
> - why is javax.servlet.Filter implemented throughout for things which
> can't be used that way, while every other interface gets chopped up
> for type safety?
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting language
> that extends applications into web and mobile media. Attend the live webcast
> and join the prime developer group breaking into this new coding territory!
> http://sel.as-us.falkag.net/sel?cmdlnk&kid0944&bid$1720&dat1642
> _______________________________________________
> Home: http://acegisecurity.org
> Acegisecurity-developer mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
>



--
Best regards.

Marc-Antoine Garrigue
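
The three-condition trigger described in the message above, written out as an added example (it is not part of the original e-mail and is not Acegi Security code). The class, enum and method names and the path prefixes are hypothetical, and simple prefix matching stands in for whatever URL matching a deployment really uses.

```java
import java.util.List;
import java.util.Map;

// Added illustration only; every name here is hypothetical.
public class TicketTriggerDecision {
    public enum Outcome { CONTINUE, VALIDATE_TICKET, DEFER_TO_ENTRY_POINT }

    // Assumed path prefixes of the services that require authentication.
    private final List<String> protectedPrefixes;

    public TicketTriggerDecision(List<String> protectedPrefixes) {
        this.protectedPrefixes = protectedPrefixes;
    }

    // Condition 1: the request needs authentication.
    boolean needsAuthentication(String path) {
        return protectedPrefixes.stream().anyMatch(path::startsWith);
    }

    // Condition 3: a non-empty "ticket" parameter is found in the request.
    static boolean hasTicket(Map<String, String[]> params) {
        String[] values = params.get("ticket");
        return values != null && values.length > 0 && !values[0].isEmpty();
    }

    // The ticket is validated inside the current request only when all three
    // conditions hold, so no redirect and no dedicated processing URL is needed.
    public Outcome decide(String path, boolean authenticated, Map<String, String[]> params) {
        if (!needsAuthentication(path) || authenticated) {
            return Outcome.CONTINUE;             // condition 1 or 2 not met
        }
        return hasTicket(params)
                ? Outcome.VALIDATE_TICKET        // all three conditions met
                : Outcome.DEFER_TO_ENTRY_POINT;  // protected, anonymous, no ticket
    }

    public static void main(String[] args) {
        TicketTriggerDecision d = new TicketTriggerDecision(List.of("/ws/", "/portal/"));
        // Constructed sample requests.
        Map<String, String[]> ticket = Map.of("ticket", new String[] {"PT-constructed-sample"});
        Map<String, String[]> none = Map.of();
        System.out.println(d.decide("/ws/agenda", false, ticket));
        System.out.println(d.decide("/ws/agenda", true, ticket));
        System.out.println(d.decide("/ws/agenda", false, none));
        System.out.println(d.decide("/public/help", false, ticket));
    }
}
```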

