Hi Jerome et al., I agree, and that would be a nice first step. I wound up adding code in which a given registered service is only authorized for use with a specific list of protocols, and an attempt to access the registered service (e.g., by findServiceBy(Service)) for an unauthorized protocol returns null.
Dan

Dan Ellentuck
Columbia University I.T.

On Mon, Jun 7, 2021 at 4:07 AM Jérôme LELEU <lel...@gmail.com> wrote:

> Hi,
>
> I have this SAML SP definition in CAS:
>
> {
>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>   "serviceId" : "http://localhost:8081.*",
>   "name" : "SAMLService",
>   "id" : 1,
>   "evaluationOrder" : 1,
>   "metadataLocation" : "/Users/jleleu/sources/spring-webmvc-pac4j-boot-demo/sp-metadata.xml"
> }
>
> And I have realized that I can log in using the CAS protocol with the same
> service definition:
>
> http://localhost:8080/cas/login?service=http%3A%2F%2Flocalhost%3A8081%2Fcallback%3Fclient_name%3DCasClient
>
> I would have expected the SAML definition not to work for the CAS protocol.
>
> More generally, I have the feeling that protocols are not sufficiently
> differentiated in CAS.
> I'm thinking about the SamlIdPSingleLogoutServiceMessageHandler and the
> DefaultSingleLogoutServiceMessageHandler components although there might
> be better examples.
>
> We have built the SAML, OAuth and OIDC protocols on top of the CAS
> protocol while CAS should be somehow alongside the other protocols.
>
> In terms of design, as a first step, I would make RegexRegisteredService an
> abstract class and create a *CasRegisteredService* (inheriting from it)
> like we have a SamlRegisteredService, an OAuthRegisteredService...
>
> This may be a huge change better targeted at v6.5 or even v7.
>
> Does it make sense?
>
> Thanks.
> Best regards,
> Jérôme
>
> --
> You received this message because you are subscribed to the Google Groups "CAS Developer" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to cas-dev+unsubscr...@apereo.org.
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/CAP279LzNmaCyk1f_ugJRcQbTappYN8zkKZnw6YAfYdyJZpK7HA%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "CAS Developer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-dev+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/CAFqYg5%2B2x1iD_GaZ8NpB%2Bccy57nm%2BhrZZR2tncE2r3-HuJb7jw%40mail.gmail.com.
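The check both messages above describe, as an added example that is not part of the thread and not CAS code: a registered service carries a list of protocols it is authorized for, and the registry lookup ignores any definition that matches the service URL by regex but is not authorized for the protocol making the request, so the SAML SP definition from Jérôme's JSON can no longer satisfy a CAS-protocol login. It is written in Python as a language-neutral sketch rather than against the CAS Java API; the RegisteredService fields mirror the JSON in the thread, while allowed_protocols, ServicesManager, find_service_by and the second CAS-only service are assumptions constructed for the example. One design choice differs slightly from the null-on-unauthorized behaviour Dan mentions: the lookup keeps searching in evaluationOrder for a definition that is authorized for the protocol, and only returns None when none is, so a deployer can keep separate CAS and SAML definitions for overlapping URL patterns.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class RegisteredService:
    """Service definition modelled on the fields in the thread's JSON.

    allowed_protocols is a hypothetical attribute added for this example;
    it is not a field of CAS's RegexRegisteredService.
    """
    name: str
    service_id: str               # regex over the service URL, as CAS serviceId
    evaluation_order: int
    allowed_protocols: FrozenSet[str]

    def matches(self, service_url: str) -> bool:
        return re.fullmatch(self.service_id, service_url) is not None


class ServicesManager:
    """Minimal registry (constructed): candidates are tried in evaluationOrder."""

    def __init__(self, services: Iterable[RegisteredService]) -> None:
        self._services = sorted(services, key=lambda s: s.evaluation_order)

    def find_service_by(self, service_url: str, protocol: str) -> Optional[RegisteredService]:
        """Return the first definition whose pattern matches the URL AND that
        is authorized for `protocol`. A definition matching the URL but not
        the protocol is skipped; with no authorized match the result is None."""
        for svc in self._services:
            if svc.matches(service_url) and protocol in svc.allowed_protocols:
                return svc
        return None


def service_from_cas_login_url(login_url: str) -> Optional[str]:
    """Extract and percent-decode the `service` parameter of a CAS /login URL."""
    values = parse_qs(urlparse(login_url).query).get("service")
    return values[0] if values else None


# Constructed registry: the SAML SP from the thread, authorized for SAML2 only,
# plus a separate CAS-protocol definition on another port.
SAML_SP = RegisteredService(
    name="SAMLService",
    service_id=r"http://localhost:8081.*",
    evaluation_order=1,
    allowed_protocols=frozenset({"SAML2"}),
)
CAS_CLIENT = RegisteredService(
    name="CasClient",
    service_id=r"http://localhost:8082/callback.*",
    evaluation_order=2,
    allowed_protocols=frozenset({"CAS"}),
)
MANAGER = ServicesManager([SAML_SP, CAS_CLIENT])

# The CAS login attempt quoted in the thread (copied into this example).
CAS_LOGIN_URL = ("http://localhost:8080/cas/login?service="
                 "http%3A%2F%2Flocalhost%3A8081%2Fcallback%3Fclient_name%3DCasClient")


def authorize_cas_login(login_url: str) -> Optional[RegisteredService]:
    """What the CAS-protocol login endpoint would ask the registry."""
    service_url = service_from_cas_login_url(login_url)
    if service_url is None:
        return None
    return MANAGER.find_service_by(service_url, "CAS")


if __name__ == "__main__":
    # The SAML definition matches the URL but is not authorized for CAS.
    print(authorize_cas_login(CAS_LOGIN_URL))
    # The same definition still serves SAML2 requests.
    print(MANAGER.find_service_by("http://localhost:8081/saml/acs", "SAML2").name)
```

With this in place the SAML definition's regex still matches the CAS callback URL, but the lookup made on behalf of the CAS protocol comes back empty, which is the behaviour Jérôme expected; a SAML2 lookup against the same definition still succeeds.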